The mobile app business has become a massive industry since the introduction of the smartphone. If you are a business that develops mobile apps, your app needs to consider how to safeguard your users’ privacy. That process starts the moment you design the app. The Office of the Australian Information Commissioner (OAIC) refers to this process as ‘privacy by design’. This article will explain how you can implement privacy by design in your mobile apps.

Do You Have To Consider Privacy by Design for Mobile Apps?

Not all businesses are required by law to follow privacy by design for mobile apps. Only businesses that are Australian Privacy Principle (APP) entities must comply with the Privacy Act. You are an APP entity if you meet criteria such as:

  • having an annual turnover of $3 million or more;
  • handling health-related personal information; and
  • selling data as part of your business model.

However, even if you are not an APP entity, you should still consider privacy by design to gain the loyalty and trust of users who have concerns about the unwarranted collection of personal information.

How Do I Implement Privacy by Design?

During the design and development of a mobile app, your business should:

  1. carry out a privacy impact assessment;
  2. appoint a privacy officer; and
  3. adopt a mobile-friendly privacy policy.

1. Carry Out a Privacy Impact Assessment

Your privacy impact assessment must cover areas such as:

  • how the app will carry business data and personal information;
  • any vulnerabilities associated with the data; and
  • how a data breach could occur.

Your app should restrict any information collected to what is necessary for your app to function. However, if you have to collect personal information, you should justify how you can secure the data and minimise any risk of a data breach.

2. Appoint a Privacy Officer

You should appoint a privacy officer to evaluate the privacy implications of commercial decisions and advocate for privacy-friendly decisions. The privacy officer should be a serious role within your business, as they will give you valuable input as to whether your app may breach any privacy laws. Otherwise, your app may fail to meet privacy by design standards. 

3. Adopt a Mobile-Friendly Privacy Notice

You should tailor your privacy notice to the screen size of the mobile phone. Users are unlikely to read long chunks of text on a small screen. At the same time, you want to ensure your users give informed consent to how you will collect and use their personal information. Mobile developers who want to create mobile-friendly privacy notices could address this issue by:

  • creating a summary of the privacy policy;
  • displaying in-context notices within the app; or
  • taking into account other considerations, such as designing for people with disabilities.

How Can You Create Mobile-Friendly Privacy Notices?

Privacy Policy Display

Ensure your privacy policy on your mobile app includes details on:

  • what personal information you collect;
  • the collection and storage of personal information;
  • the use of personal information;
  • how you will disclose that information to third parties (including if you disclose the data overseas);
  • how the individual may access their personal information;
  • who you are and how the individual can contact you;
  • information about how you handle complaints; and
  • how users can make a complaint.

You should try to keep your privacy policy as brief as possible within the app. Alternatively, you may have a detailed privacy policy available elsewhere, such as on a website. You can make a summary of the policy available in the app, with a link to the full version accessible outside of the app. You want to balance the need to inform users about privacy with the convenience of the user wanting to stay within the mobile app.

The OAIC recommends that you display the privacy policy when a user downloads the app. The user is more likely to give informed consent when they are alerted to any obligations before they can use the app.

In-Context Notices

However, consent at the time of download does not guarantee that your users are aware of when and how you collect personal information within the app. The OAIC suggests that your mobile app should use in-context notices to flag when you collect personal information.

These notices are particularly useful if your app collects sensitive information such as:

  • health information;
  • sexual preference;
  • professional affiliation; or
  • ethnicity.

In those cases, you want to include a collection or pop-up bubble that explains the reasons for collection and use of data. 

In-context notices are also useful where your mobile app collects personal information for purposes that may be unexpected to a reasonable person. 

For example, suppose your mobile app collects location data when a user uses the video feature within your app. You should have a pop-up notice the first time they use this feature that explains that the app collects location data and the reasons why. In addition, your explanation should reflect that it is reasonably necessary for your app to function. One potential phrase could be: ‘We collect location data so that you can access location-specific video filters’.

Your in-context notice must give users a choice. Ideally, your users should be able to click ‘accept’ or ‘decline’. Otherwise, your app should allow your users to turn off location data collection. 

The data collection must be necessary for the app to function. Many apps use location-based video filters, which are fun additions but not always essential for the app to function. However, if you make an app that requires heavy use of Global Positioning System (GPS), you could justify the collection of location data from your users.

Other Considerations

Mobile users may not always see or read the privacy policy in writing before using apps. You can use sound, graphics and colours to draw user attention to the privacy policy. Additionally, try a combination of these elements, as many users may not switch on the volume on their mobile phone. Graphics can help convey the type of personal information that you are collecting. For example, using a red cross graphic can signal to users that you are collecting medical information.

Furthermore, the OAIC stresses that mobile apps need to make their privacy-related information as accessible as possible. That means you should design your mobile app to take into account people with disabilities, such as those with vision or hearing impairments. 

Key Takeaways

If you are an APP entity, you must ensure you have designed your mobile app with privacy in mind. That means you should conduct a thorough privacy assessment and appoint a privacy officer to safeguard your users’ privacy needs. In addition, when you design your app, you should consider:

  1. how to make your privacy policy accessible within the app;
  2. the use of in-context notices to justify collections of certain types of personal information; and
  3. the use of sounds, graphics and colours to attract attention.

However, if you are not an APP entity, applying some of these tips can reassure your users that you care about the privacy of their personal information. If you have any questions or need help drafting your privacy policy, get in touch with LegalVision’s IT lawyers today on 1300 544 755 or fill out the form on this page.

Jacqueline Gibson