Privacy Policies and other legal documentation are occasionally viewed as an afterthought of the mobile development process—something to be hastily included after all of the conceptual design and development work is complete. This legal safeguarding may seem like a last-minute addition that doesn’t merit much thought, but it may be the most important component of your entire business.
Privacy Policies are not all alike, and there are numerous ways that a missing clause or a mismatch between your legal documents and your app itself can cause catastrophic problems. Quite a few ubiquitous and successful mobile apps have run into massive legal headaches and astronomical fines due to flaws in their privacy policy and a failure to integrate and unify their legal protection with the “private parts” of their app architecture.
Only a few weeks ago, social app Path was fined nearly 1 million dollars by the FTC (Federal Trade Commission) for privacy violations. The $800,000 penalty stemmed from two lethal mistakes made by the app:
- storing third-party names and numbers from their users’ address books, without proper disclosure;
- failing to comply with the provisions of COPPA, a law that applies to every app that knowingly collects information from children.
This means that if you extract phone contacts from your users, not only must you notify them, you must also explain within the app’s privacy policy how any why the information is used. If you collect users’ birth dates, you can likely figure out if children are using your app and do something about it. You essentially have two legal avenues: comply with COPPA or make sure users represent that they’re over 13.
But there’s more. The FTC published a long document with recommendations for app developers and even platform-specific advisement for big platforms like Android and iOS.
Privacy by Design
The FTC wants app developers to use a (relatively) new approach called “Privacy by Design.” “Companies should build in privacy at every stage in developing their products.” This means a number of things:
- before building an app or a feature, think of the privacy implications;
- if you collect information, protect it. Follow the security recommendations of the FTC (with special attention to the third-party software you used) and be careful not to overpromise or make generic reassuring statements;
- keep your policy updated! Every time you roll out a new update to the app store, stop for a second and think if you added something that has an impact on your privacy statements. Added a new analytic script? It should go in there. Added “find friends via Facebook”? Go and edit your privacy policy.
What Does It Mean for App Developers?
There are known best practices—some of them coming from the California Attorney General—to give you some legal protection and prevent problems, privacy breaches, and lawsuits. But this is what the FTC actually says that developers should do.
You should have a privacy policy and it must be accessible from the app store.
The simple way to accomplish this is to simply link the policy when you submit the app. But, this means the privacy policy should live on your website. You could also provide the full text of the policy within the app, or a short statement describing the app’s privacy practices. Need a privacy policy from scratch? There are many options: Docracy’s open source standard, a privacy policy generator, and many other free resources you can find on Google.
You should provide “just-in-time disclosures” and obtain affirmative express consent when collecting sensitive information from outside the platform’s API.
You already know that iOS pops up a notification that a certain app is requesting access to the user’s location or other private data. In this case, the disclosure and the consent are taken care by Apple. But, your app might as well collect other important stuff, and a pop-up notification is the best way to make sure the users know. FTC names financial, health, or children’s data, but also a generic “sharing sensitive data with third parties” as sensitive private information, so it’s best to err on the side of caution.
Know the legal implications of the code you’re using.
It’s normal for app developers to use third-party packages, SDK, and the like. You should make sure this code is secure and fully understand exactly what information it pulls, because you’re ultimately legally responsible for it. There’s a long list of questions to ask yourself, including:
- Does this library or SDK have known security vulnerabilities?
- Has it been tested in real-world settings?
- Have other developers reported problems?
Conclusion
Path was fined $800,000. While this is was in connection with COPPA violations, it’s the start of broader policing of privacy practices, even against non-American developers. If you cater to the American mobile market, you can still be fined by U.S. Authorities. It’s time for app developers to lawyer up and get a properly-written, constantly-curated privacy policy. The FTC is encouraging the adoption of public standards and suggests tightened integration among app developers, trade associations, ad networks, and mobile platforms, so this is definitely a topic to keep under the radar. You wouldn’t want a legal problem to cripple your app right as it’s starting to soar.
Veronica PicciafuocoVeronica Picciafuoco is the Director of Content for Docracy.com, the home for free, open source legal documents. She has a legal background and works closely with tech startups and freelance designers in Brooklyn, NY.
