Privacy policies for mobile apps come under scrutiny

A new report from the Future of Privacy Forum takes stock of many popular mobile apps, documenting which provide consumers with a privacy policy describing their data collection and use.

FPF has also released a guide to best practices for app developers.

With some 40,000 mHealth apps available across various platforms and the market set to skyrocket – pegged to grow 25 percent annually over the next five years, according to a study by Kalorama – such practices will only grow in importance when it comes to protecting personal health information.

By providing a privacy policy, companies become legally accountable for their practices and provide consumers with an opportunity to make informed decisions about whether to download an app.

In an effort to provide application developers with the tools and resources needed to implement trustworthy data practices, including privacy policies, FPF and the Center for Democracy & Technology have released a publication titled "Best Practices for Mobile Application Developers."

"Developers have access to tremendous amounts of very sensitive data about their customers," said Justin Brookman, CDT's director of consumer privacy. "We're offering these best practices guidelines to help well-meaning developers preserve user privacy without stifling the innovation and convenience offered by new platforms."

The report is general in focus, but it does touch on the special challenges faced by health-related apps and the data they traffic in – most importantly, HIPAA compliance.

As part of its best practices guide, FPF and CDT list seven "Basic Steps Toward Building Privacy into Your App":

  1. Practice privacy by design. Be proactive. Ask important questions and embed privacy measures throughout the lifecycle of your product or service.
  2. Communicate openly and effectively. Have a comprehensive and transparent privacy policy covering all of your data collection, sharing and use practices. Use clear and simple language.
  3. Make your privacy policy easily accessible. Don’t make users search for your privacy policy – make it prominent and easy to find.
  4. Use enhanced notice. Don’t surprise users; have respect for context. Use enhanced notice in situations where users might not expect certain data to be collected.
  5. Provide users with choices and controls. Empower users. Allow them to choose and control the way their data is collected and used.
  6. Secure your users’ data. Always use appropriate and up-to-date security measures to protect user data.
  7. Ensure accountability. Make sure someone is in charge. Designate a privacy guru, or make sure to explicitly assume the responsibility yourself.

"The first and most significant step toward respecting your users’ privacy is creating a privacy policy that explains what data you collect, how you use it and with whom you share it," the report states. "Do not just cut and paste a privacy policy from another app or website. Start by understanding your app in your own terms, and then do your best to communicate the same to your users."

The study suggests that developers should know the privacy rules and requirements for various app platforms, including Apple iOS, Android and Facebook. Also, they should "give users choice and control around the unexpected collection, storage or transfer of personal information where feasible. If you are collecting or using data outside the scope of what users would reasonably expect, you should at the very least make sure your users can opt-out of such uses of their data."

The FPF study shows that the percentage of free apps with a privacy policy more than doubled on the iOS App Store platform, from 40 percent to 84 percent; the percentage of paid apps with privacy policies on the same platform increased by 4 percentage points, from 60 percent to 64 percent.

On the Google Play platform, the percentage of free apps with a privacy policy started at 70 percent and increased to 76 percent. The percentage of paid apps increased as well, from 30 percent to 48 percent.

The study reveals that almost all of the leading apps that collect precise location information do provide consumers with a privacy policy.

Other findings from FPF's new app privacy policy survey:

  • Overall, 61.3 percent of the 150 apps examined had a privacy policy when offered across three app store platforms: iOS App Store, Google Play and Kindle Fire Appstore.
  • The free apps analyzed were more likely to have a privacy policy than the paid apps. 69.3 percent of free apps and 53.3 percent of the paid apps had privacy policies.
  • To determine whether consumers could review how an app would use their data before downloading the app, the study focused on whether an app provided access to privacy policy information in or from the app store. 22.7 percent of free apps and 20 percent of paid apps in Google Play and the iOS App Store have access to the privacy policy at the app store promotion page.
  • 48 percent of free apps and 32 percent of paid apps on all platforms have access to the privacy policy in the app itself or via a link from within the app. If apps don't provide access to a policy from the app, consumers are forced to search the web to try to find the app's policy.
  • 12 out of the 50 apps surveyed on the iOS App Store platform requested precise location information and 10 of those had privacy policies. 14 out of the 50 apps surveyed on the Google Play platform requested precise location information and 10 had privacy policies.

"Mobile apps are at the forefront of current consumer privacy concerns," write the authors of the best practices report. "High profile media attention and a series of class action lawsuits have prompted close scrutiny of app developer data practices from federal and state regulators. As a result, the U.S. Federal Trade Commission (FTC) is actively enforcing consumer privacy rights against application developers that surreptitiously access or misuse user data."

The good news, said Jules Polonetsky, director and co-chairman of the Future of Privacy Forum, is that "app developers are starting to get the message that access to consumer data is a privilege not a right."

Ensuring data collection and use practices are well documented "is the first step to showing that you are a responsible company," he added. "Although providing a privacy policy is no silver bullet, the process of documenting data use and making oneself legally accountable is a critical first step to building consumer trust."
 

Comments

Jeff Brandt
Thanks, this is needed in our industry. Some of the top health apps on the market provide no security at all for patients'/customers' health and demographic data. If we do not govern ourselves then the government will have to. Jeff Brandt
www.comsi.com
