Mobile application privacy will get a lot of attention this week when the National Telecommunications and Information Administration convenes the first in a series of meetings to examine how applications use consumers' personal and private information.
The NTIA has been directed by the Obama Administration, under a privacy "blueprint" it issued in February, to bring consumer and industry stakeholders together to establish codes of conduct to protect customers' personal information online. The NTIA has decided to focus on mobile applications in this inaugural meeting and while the long-term impact of this and other expected meetings remains to be seen, the event will shine a spotlight on mobile app privacy, which affects all developers.
Developers are certainly aware of the need to protect the privacy of their consumers, both for ethical reasons and because it is better for their businesses if they do; however, the issue is complex and evolving. In the last year, many stakeholder groups, including advertisers and advertising platforms, privacy advocates, privacy solutions providers, regulatory agencies and organizations like the Mobile Marketing Association, have published resources to help inform developers about best practices for incorporating privacy protections into their apps.
These various initiatives have all contributed to create an expectation in the marketplace that developers must have mobile app privacy policies if they want to participate in the market, said Alan Chapell, co-chair of the MMA's privacy and advocacy committee and president of Chapell and Associates, a law firm that specializes in privacy.
"If you're a developer and you're looking to derive revenues from advertising, you need to concern yourself with issues of privacy," he said.
The same goes for any developers who incorporate location-based information into their apps, Chapell added.
There are few legal implications today for developers who do not have privacy policies, but this situation is changing rapidly. Chapell said there are no laws written specifically requiring app developers to have mobile privacy policies; however, he said the Federal Trade Commission could potentially hold developers responsible, under its consumer protection policies, for acting unfairly or deceptively if their applications invade consumer privacy. He expects that Congressional hearings focusing on mobile privacy, similar to hearings held in 2011, will be held in September of this year.
The State of California, which under its 2003 Online Privacy Protection Act requires companies offering commercial websites or online services that collect personal data to conspicuously post privacy policies, has recently decided that mobile apps are covered by that law. California also announced plans to enforce this new interpretation. The state has obtained agreements from Amazon, Apple (NASDAQ:AAPL), Facebook, Google (NASDAQ:GOOG), Hewlett-Packard, Microsoft (NASDAQ:MSFT) and Research In Motion to abide by its principles, which helps strengthen the policy.
In addition to these types of resources, developers can employ some general practices to protect the privacy of their customers and their app businesses as well, according to Lawrence Pingree, a research director at Gartner.
In general, the best approach is to develop privacy policies based on the end-users' requirements, Pingree said.
"Always keep in mind the number one principle: that ultimately the user decides," he said. "As long as that is the case, then you are appropriately addressing the privacy concerns of most people."
Pingree suggested that companies actually survey end users to ask them how they feel about various uses of their information and then provide options in the application software to incorporate the consumers' requirements. The application should include opt-in and opt-out capabilities, employ encryption technologies properly and make it possible for consumers to control how their user-generated data, such as their location information, is shared or disclosed.
Most mobile app platforms now require users to authorize the exposure of certain types of data and the platforms provide developers with APIs for accessing information that consumers authorize but consider to be private, such as location data, calendar information or contact lists.
"Make sure you use the standard APIs," Pingree said.
He advises developers who use services supplied by third parties to conduct vendor recertification processes regularly, perhaps annually, to make sure each vendor is upholding the developer's privacy policies.
Developers also need to observe policies governing particular industries, such as the healthcare privacy rules established in the Health Insurance Portability and Accountability Act and the privacy provisions in the financial services industry covered by the Gramm-Leach-Bliley Act, Pingree advised.