What developers need to know about incorporating privacy protection into mobile apps

Mobile application privacy will get a lot of attention this week when the National Telecommunications and Information Administration convenes the first in a series of meetings to examine how applications use consumers' personal and private information.

The NTIA has been directed by the Obama Administration, under a privacy "blueprint" it issued in February, to bring consumer and industry stakeholders together to establish codes of conduct to protect customers' personal information online. The NTIA has decided to focus on mobile applications in this inaugural meeting, and while the long-term impact of this and other expected meetings remains to be seen, the event will shine a spotlight on mobile app privacy, which affects all developers.

Developers are certainly aware of the need to protect the privacy of their consumers, both for ethical reasons and because it is better for their businesses if they do; however, the issue is complex and evolving. In the last year, many stakeholder groups including advertisers and advertising platforms, privacy advocates, privacy solutions providers, regulatory agencies and organizations like the Mobile Marketing Association have published resources to help inform developers about best practices for incorporating privacy protections into their apps.

These various initiatives have all contributed to create an expectation in the marketplace that developers must have mobile app privacy policies if they want to participate in the market, said Alan Chapell, co-chair of the MMA's privacy and advocacy committee and president of Chapell and Associates, a law firm that specializes in privacy.

"If you're a developer and you're looking to derive revenues from advertising, you need to concern yourself with issues of privacy," he said.  

The same goes for any developers who incorporate location-based information into their apps, Chapell added.

There are few legal implications today for developers who do not have privacy policies, but this situation is changing rapidly. Chapell said there are no laws written specifically requiring app developers to have mobile privacy policies; however, he said the Federal Trade Commission could potentially hold developers responsible, under its consumer protection policies, for acting unfairly or deceptively if their applications invade consumer privacy. He expects that Congressional hearings focusing on mobile privacy, similar to hearings held in 2011, will be held in September of this year.

The State of California, which requires companies offering commercial websites or online services that collect personal data to conspicuously post privacy policies under a 2003 Online Privacy Protection Act, has recently decided that mobile apps are covered by that law. California also announced plans to enforce this new interpretation. The state has obtained agreements from Amazon, Apple (NASDAQ:AAPL), Facebook, Google (NASDAQ:GOOG), Hewlett-Packard, Microsoft (NASDAQ:MSFT) and Research In Motion to agree to its principles to help strengthen the policy.

Developers seeking information about privacy policies and how these issues affect their applications can gain a lot of valuable information from publicly available resources. The MMA, for example, has published a Mobile Application Privacy Policy Framework that developers can use as a starting point for developing mobile app privacy policies. It is also creating a standards document addressing the ethical use of mobile unique device identifiers (UDIs), which many mobile companies use to gather user data and preferences.

CTIA has published best practices and guidelines for location-based service providers on how to protect consumer privacy associated with those types of services. The Center for Democracy and Technology has published a draft version of best practices for mobile app developers. And non-profit organizations such as PrivacyChoice and the Future of Privacy Forum, as well as the for-profit TRUSTe, offer a variety of privacy solutions, including privacy policy generators or other tools that developers can use to create privacy policies that reflect their specific business needs.

In addition to these types of resources, developers can employ some general practices to protect the privacy of their customers and their app businesses as well, according to Lawrence Pingree, a research director at Gartner.

In general, the best approach is to develop privacy policies based on the end-users' requirements, Pingree said. 

"Always keep in mind the number one principle: that ultimately the user decides," he said.  "As long as that is the case, then you are appropriately addressing the privacy concerns of most people."

Pingree suggested that companies actually survey end users to ask them how they feel about various uses of their information and then provide options in the application software to incorporate the consumers' requirements. The application should include opt-in and opt-out capabilities, employ encryption technologies properly and make it possible for consumers to control how their user-generated data, such as their location information, is shared or disclosed.

He advises developers to make sure they have a clearly defined privacy policy that is written first in layman's terms followed by the necessary legal language.

Most mobile app platforms now require users to authorize the exposure of certain types of data and the platforms provide developers with APIs for accessing information that consumers authorize but consider to be private, such as location data, calendar information or contact lists. 

"Make sure you use the standard APIs," Pingree said.

He advises developers who use services supplied by third parties to conduct vendor recertification processes regularly, perhaps annually, to make sure each vendor is upholding the developer's privacy policies.

Developers also need to observe policies governing particular industries, such as the healthcare privacy rules established in the Health Insurance Portability and Accountability Act and the privacy provisions in the financial services industry covered by the Gramm-Leach-Bliley Act, Pingree advised.