Remember that line from the Hitchhiker’s Guide to the Galaxy – “Don’t Panic”? Well, panic often results from a lack of information, and ADMA is trying to make sure its members are in the know about what’s happening in the ‘marketing galaxy’ before it has actually happened. We sat down with ADMA’s Head of Policy & Regulatory Affairs, David Simon, to talk about the Government’s consultation draft of the Mobile privacy – better practice guide for mobile app developers (the “Mobile Privacy Guide”).
The Mobile Privacy Guide is a document that tells app developers how to create apps that are more privacy oriented. It outlines how the Privacy Act may apply to the collection of data through apps, and promotes enhanced privacy as a competitive advantage for app developers. The guide details how app developers must manage data collection and privacy practices. It encourages greater transparency about data collection, mainly through up-front notification and user choice.
ADMA – David, according to the draft Mobile Privacy Guide produced by the Office of the Australian Information Commissioner, apps should only collect the information they require to provide functionality for the app. What are the implications of that?
David Simon – The guide suggests that personal information should not be collected for any other purpose than the app functionality from the perspective of the end-user. The concern is that the ‘functionality’ from an end-user’s perspective and the ‘functionality’ from the developer and publisher perspective may differ.
ADMA – Under which circumstances are apps likely to be covered by the Privacy Act?
David Simon – The guide states that apps are likely to be covered by the Privacy Act if your business model relies on using personal information to sell advertising. In fact, any app which collects personal information for any purpose is covered by the Privacy Act. The fact that the guide specifically focuses on advertising suggests that the Privacy Commissioner has concerns about app data being used for advertising. We are working with the Privacy Commissioner to get this clarified.
ADMA – What does the guide say regarding opt-out?
David Simon – The guideline recommends that users be allowed to opt-out of data collection that is outside of what the app needs to deliver its intended function to the end user.
Therefore marketers need to think about how and when they will (i) explain the additional ways in which they intend to use the personal information; and (ii) provide the ability for the end user to opt-out of this use.
ADMA – Can app developers be audited by the Commissioner?
David Simon – Yes. The Privacy Commissioner can investigate a company or developer without having received a complaint. In addition, there are new penalties being introduced next year including enforceable undertakings and severe fines for breaches of the Privacy Act – up to $1.7 million dollars for repeated and severe breaches.
ADMA – What are your thoughts about ‘Privacy by Design’ principles?
David Simon – ‘Privacy By Design’ means a lot of different things to a lot of different people. The Information and Privacy Commissioner of Ontario (Canada) is the main promoter of ‘Privacy By Design’, by which she means that privacy and data protection should be central to any technological innovation.
A resolution was passed at the 32nd International Conference of Data Protection and Privacy Commissioners in 2010 to uphold this as the guiding concept. Privacy Commissioners and their equivalents around the world are using the idea to promote privacy as something to be part of system design specification, architecture and process. It’s quite vague and high-level, but essentially it is about putting privacy first, making it the default setting, and respecting user privacy by keeping practices for data collection user-centric. For those who are really curious, there’s even an app describing ‘Privacy By Design’ (PbD) in the Google Play store.
The Australian Privacy Commissioner expects app developers to implement these principles throughout the information lifecycle. Privacy by Design principles promote a notion of raising the bar in privacy protection. At a more practical level, developers are building trust and privacy into their apps with a focus on transparency and notification about legitimate data collection.
ADMA – The definition of personal information is now expanded. What does it mean for the marketers?
David Simon – This means that personal information can now include photographs, IP addresses, UDIDs and other unique identifiers in specific circumstances. It also includes contact lists which reveal a user’s social connections, location data, voice print and facial recognition biometrics. It means that even if you are not collecting a person’s name it still may be considered ‘personal information’ if you can identify down to a single individual.
It is also important to note that privacy policies for apps should be easily accessible before an app is downloaded and a privacy dashboard should be available for app users to adjust their privacy settings.
ADMA – So what are the key takeaways?
David Simon – ADMA believes that the “Mobile Privacy Practice Guide” will be beneficial to the app developer and design market as it will provide some clarity around how the Privacy Act applies to mobile apps and how data collected through an app can be used. However, it is essential that the guide be updated so that it aligns directly with the provisions of the Privacy Act.
Most importantly the restriction against collecting and using personal information through apps for any purpose other than delivering app functionality to the end user needs to be revised.
The Government has just extended the deadline for submissions to the Office of the Australian Information Commissioner’s (OAIC) consultation on the draft Mobile Privacy: A better practice guide for mobile app developers.
If you would like to contribute to ADMA’s submission (currently being drafted on the basis of the comments above) please contact David Simon (Head of Policy and Regulatory Affairs – ADMA): email@example.com; (02) 9277 5417.
You can also join ADMA’s webinar on Big Data Privacy, which is free to all members.