1. The FTC thinks you should
Here’s what the FTC thinks developers should do:
- Provide just-in-time disclosures and obtain affirmative express consent before collecting and sharing sensitive information (to the extent the platforms haven’t already provided such disclosures and obtained such consent)
As a user, you have surely met the pop-up notification that asks permission for push notifications. That’s an example of a “just-in-time disclosure” provided by the platform itself. The FTC knows that few people read privacy policies, and wants you to make important privacy disclosures to your users at the moment the collection happens. For example, if your app wants to access the user’s address book to find other friends already playing the game, a pop-up is the best way to tell them in detail what information is being collected and why.
- Improve coordination and communication with ad networks and other third parties, such as analytics companies, that provide services for apps so the app developers can provide accurate disclosures to consumers
This refers to the external libraries, SDKs and other third-party code that app developers often integrate into their apps to facilitate advertising or analytics. The FTC is trying to tell you: it’s OK, but do it responsibly. Check public repositories for bugs, and apply some due diligence to the reputation of the companies behind the code you are embedding. In short: use some common sense here, as you’re ultimately responsible for a major loss of data from your app, even if it is due to third-party code.
- Consider participating in self-regulatory programs, trade associations and industry organizations, which can provide guidance on how to make uniform, short-form privacy disclosures
3. Your users will trust you more if you do, and your platform, too
A recent survey found that 57 percent of all app users have either uninstalled an app over concerns about having to share their personal information, or declined to install an app in the first place for similar reasons. Instagram is said to have lost something like six million users after their controversial Terms of Service change: people are starting to care about the legal implications of the apps they use. You can get away from the FTC, but there are crowdsourced policing tools in place now (TOS;DR, PrivacyChoice, etc.) and it only takes one vocal user to spread a bad rumor. There’s also a positive side: good early behavior can help establish a level of trust with your user base that has positive effects on retention, and may even give you a competitive advantage.
Looking at what the competition is doing can also help you figure out what kind of disclosures go in a policy. The important thing, particularly with mobile apps, is to make sure the policy stays true at every update. Every time you add or fix something, consider whether it affects your privacy statements, and edit them if necessary. Added a new analytics script? It should go in there. If you adopt a “privacy by design” approach from the beginning, this process will become automatic and naturally integrated into product development, keeping your legal risks low.