The mobile app business has become a massive industry since the introduction of the smartphone. If you are a business that develops mobile apps, you need to consider how your app will safeguard your users’ privacy. That process starts the moment you design the app. The Office of the Australian Information Commissioner (OAIC) refers to this process as ‘privacy by design’. This article will explain how you can implement privacy by design in your mobile apps.
Do You Have To Consider Privacy by Design for Mobile Apps?
Not all businesses are required by law to follow privacy by design for mobile apps. Only businesses that are Australian Privacy Principle (APP) entities must comply with the Privacy Act. You are an APP entity if you meet criteria such as:
- having an annual turnover of $3 million or more;
- handling health-related personal information; and
- selling data as part of your business model.
However, even if you are not an APP entity, you should still consider privacy by design to gain the loyalty and trust of users who have concerns about the unwarranted collection of personal information.
How Do I Implement Privacy by Design?
During the design and development of a mobile app, your business should:
- carry out a privacy impact assessment;
- appoint a privacy officer; and
- adopt a mobile-friendly privacy notice.
1. Carry Out a Privacy Impact Assessment
Your privacy impact assessment must cover areas such as:
- how the app will carry business data and personal information;
- any vulnerabilities associated with the data; and
- how a data breach could occur.
Your app should restrict any data collected to what is necessary for your app to function. However, if you have to collect personal information, you should justify how you can secure the data and minimise any risk of a data breach.
2. Appoint a Privacy Officer
You should appoint a privacy officer to evaluate the privacy implications of commercial decisions and advocate for privacy-friendly decisions. The privacy officer should be a serious role within your business, as they will give you valuable input as to whether your app may breach any privacy laws. Otherwise, your app may fail to meet privacy by design standards.
3. Adopt a Mobile-Friendly Privacy Notice
You should tailor your privacy notice to the screen size of the mobile phone. Users are unlikely to read long chunks of text on a small screen. At the same time, you want to ensure your users give informed consent to how you will collect and use their personal information. Mobile developers who want to create mobile-friendly privacy notices could address this issue by:
- displaying in-context notices within the app; or
- taking into account other considerations, such as designing for people with disabilities.
How Can You Create Mobile-Friendly Privacy Notices?
- what personal information you collect;
- the collection and storage of personal information;
- the use of personal information;
- how you will disclose that information to third parties (including if you disclose the data overseas);
- how the individual may access their personal information;
- who you are and how the individual can contact you;
- information about how you handle complaints; and
- how users can make a complaint.
However, consent at the time of download does not guarantee that your users are aware of when and how you collect personal information within the app. The OAIC suggests that your mobile app should use in-context notices to flag when you collect personal information.
These notices are particularly useful if your app collects sensitive information such as:
- health information;
- sexual preference;
- professional affiliation; or
In those cases, you want to include a collection notice or pop-up bubble that explains the reasons for collection and use of data.
In-context notices are also useful where your mobile app collects personal information for purposes that may be unexpected to a reasonable person.
Your in-context notice must give users a choice. Ideally, your users should be able to click ‘accept’ or ‘decline’. Otherwise, your app should allow your users to turn off location data collection.
The data collection must be necessary for the app to function. Many apps use location-based video filters, which are fun additions but not always essential for the app to function. However, if you make an app that requires heavy use of Global Positioning System (GPS), you could justify the collection of location data from your users.
Furthermore, the OAIC stresses that mobile apps need to make their privacy-related information as accessible as possible. That means you should design your mobile app to take into account people with disabilities, such as those with vision or hearing impairments.
If you are an APP entity, you must ensure you have designed your mobile app with privacy in mind. That means you should conduct a thorough privacy assessment and appoint a privacy officer to safeguard your users’ privacy needs. In addition, when you design your app, you should consider:
- the use of in-context notices to justify collections of certain types of personal information; and
- the use of sounds, graphics and colours to attract attention.