
11 Sep, 2014

Ensuring privacy will build both trust and business, survey of mobile apps developers shows

Canberra, Office of the Australian Information Commissioner, 10 September 2014 – Clear, concise information about privacy practices builds customer trust and is good for business, according to privacy authorities that took part in this year’s global sweep of more than 1200 mobile apps.

As mobile apps increase in popularity, many of them are seeking access to large amounts of personal information without adequately explaining how that information is being used, participants in the second annual Global Privacy Enforcement Network (GPEN) Privacy Sweep found.

The Sweep, which took place from 12 to 18 May 2014, involved 26 privacy enforcement authorities from around the world, including the Office of the Australian Information Commissioner (OAIC). The OAIC examined 53 popular free iOS apps, with a focus on apps produced by or on behalf of Australian businesses and Australian Government agencies.

Sweep participants looked at the types of permissions apps were seeking, whether those permissions exceeded what would be expected based on the apps’ functionality, and how the apps explained to consumers why they wanted the personal information and what they planned to do with it.

The Australian Privacy Commissioner, Timothy Pilgrim, said that many popular and successful apps are demonstrating good privacy practice. However, the sweep results also identified a number of concerns that businesses, government agencies and app developers should take note of to improve their privacy performance. These concerns were consistent with trends identified in the Global Sweep.

‘Of particular concern was that almost 70% of the apps we looked at failed to provide the user with a privacy policy or terms and conditions that addressed privacy prior to the app being downloaded’, Mr Pilgrim said.

‘This is not good privacy practice. Organisations must have a clearly expressed and up to date privacy policy that tells people how their personal information will be managed. A user can’t make an informed decision about whether they should download an app if they aren’t told up front what personal information that app will collect and how it will use, store and protect that information.’

The OAIC also found that almost 25% of the apps examined did not appear to have privacy communications that were tailored for a small screen.

‘Many apps link out to lengthy and complex privacy policies that require users to scroll or click through multiple pages,’ Mr Pilgrim said.

‘I would encourage mobile app developers to put their users’ privacy first when designing apps by incorporating a ‘privacy by design’ approach. This can help to improve the levels of trust and confidence customers have in dealing with an organisation. Make the app’s privacy policy easy to find and, as a general rule, don’t collect more personal information than is needed.

‘Our Mobile privacy: a better practice guide for mobile app developers recommends that developers use short form notices for privacy policies that are no longer than a single screen if possible, and draw users’ attention particularly to any collection, use or disclosure of information that they would not otherwise reasonably expect,’ Mr Pilgrim said.

The annual GPEN sweep is an example of growing international cooperation that is occurring in the area of privacy. The OAIC is currently considering the results for further follow up action.

‘Cross-border privacy compliance and regulation is a growing issue in the connected environment, and cooperative exercises like the GPEN sweep give regulators around the world the opportunity to compare issues and share strategies to address common problems’, Mr Pilgrim said.

Background

App developers are encouraged to consider the OAIC’s Mobile privacy: a better practice guide for mobile app developers.

The Sweep, which took place from 12 to 18 May 2014, involved 26 privacy enforcement authorities from around the world, up from 19 international participants during last year’s inaugural event. The growth of this year’s Sweep shows privacy enforcement authorities are more committed than ever to working together to promote privacy protection.

The Sweep did not involve an in-depth analysis of the privacy practices of each mobile app, but the exercise sought to replicate the consumer experience by spending a few minutes per site checking for performance against a set of criteria.

The Sweep was not an investigation, nor was it intended to conclusively identify compliance issues or legislative breaches. The GPEN initiative is aimed at encouraging organisations to comply with privacy legislation and to enhance co-operation between privacy enforcement authorities.

2014 Sweep highlights — Global and Australian results

  • Three-quarters of all apps examined requested one or more permissions, the most common of which included location, device ID, access to other accounts, camera and contacts. The proportion of apps requesting permissions and the potential sensitivity associated with the information highlight the need for apps to be more transparent.
  • Some 59% (Global result) and 67.9% (Australian result) of apps left sweepers scrambling to find pre-installation privacy communications. Many offered little information about why the data was being collected or how it was being used prior to download, or provided links to webpages with privacy policies that were not tailored to the app itself. In other cases, the links led to social media pages that didn’t work or required the user to log in. Sometimes it was difficult to determine who the developer or data controller was.
  • For 31% (Global result) and 11.3% (Australian result) of the apps, sweepers expressed concern about the nature of the permissions being sought. Sweepers felt the apps requested access to information that exceeded their functionality, at least based on the sweepers’ own understanding of the app and the associated privacy policy.
  • Some 43% (Global result) and 22.6% (Australian result) of apps did not tailor privacy communications to the small screen. Sweepers complained of small print and lengthy privacy policies that required scrolling or clicking through multiple pages. Best practices included using pop-ups, layered information and just-in-time notification to inform users of potential collections or uses of information when they were about to happen.
  • Just a fraction of apps examined, 15% (Global result) and 15% (Australian result), provided a clear explanation of how they would collect, use and disclose personal information. The most ‘privacy friendly’ apps offered brief, easy to understand explanations of what the app would and would not collect and use pursuant to each permission.

About the Global Privacy Enforcement Network (GPEN)

The Global Privacy Enforcement Network was established in 2010 upon recommendation by the Organisation for Economic Co-operation and Development. Its aim is to foster cross-border cooperation among privacy regulators in an increasingly global market in which commerce and consumer activity relies on the seamless flow of personal information across borders. Its members seek to work together to strengthen personal privacy protections in this global context. The informal network is comprised of 51 privacy enforcement authorities in 39 jurisdictions around the world.