Bodies including the IAB, Application Developers Alliance, online privacy body TRUSTe among others are looking to adapt US privacy guidelines to better suit EU-based businesses, with smaller mobile developers identified as a key area of interest.
Guidelines currently include: using short-form privacy notifications; letting app users know how their data will be accessed plus firmer guidance on location-based targeting and security (see images).
Saira Nayak, TRUSTe’s policy director, says the US industry is in the process of “sorting out the nitty-gritty of how privacy policies are displayed to users” and from there will adapt these to become relevant to businesses operating in the EU.
Nayak also adds the initiative has been prompted by the growing importance of app developers in the digital economy stressing individual developers – popularly know as “bedroom developers” – are of particular interest given the fragmented nature of the sector.
TRUSTe’s ambitions include possibly holding educational seminars with Apps Alliance and others to remind developers of this profile of their responsibilities as regarding the use and protection of consumers’ personal data.
This comes as further details emerge from the EU’s Article 29 Working Party – an umbrella group of data protection authorities across its members state – over its recently published guidance paper addressing key data protection risks with mobile apps.
The document – officially termed as an “Opinion” – details the body’s views on the obligations of those involved in the development and distribution of apps under European data protection rules but it does not constitute law.
The document classifies “private and public sector organisations that outsource app development [i.e brands]” as app developers, meaning they are equally as responsible for data protection as the agency that built it.
“In that case, he has to comply with the provisions of the entire [EU] Data Protection Directive,” reads the document. It goes on to recommend “the storing of information, or the gaining of access to information already stored in the smart device” is gained prior to or during the installation of an app.
Also included in the document are the data protection guidelines directed towards other parties involved in the mobile app sector including: app store owners (such as Apple), OS providers (such as Google), as well as app-tracking firms (such as Flurry).
In each case the document tries to identify circumstances over who is the “data controller”, below are some key points addressed to:
- OS and device manufacturers
“Apps that require access to geolocation must use the location services of the OS… For this latter purpose, the OS is the data controller.
- App stores
“An app store records login credentials, the history of previously bought apps and credit card number that will be stored… The app store is the data controller for these operations.”
- In-app analytics firms
“A company provides metrics for app owners and advertisers through the use of trackers embedded… to inform app developers what other apps are used by a user… and therefore acts as a data controller.
The full document can be downloaded here.