Guest Post: 3 reasons to have a privacy policy for your app

Editor’s note: Today’s guest post comes from Veronica Picciafuoco, director of content for Docracy, a free repository of open source legal documents. The Federal Trade Commission (FTC) recently released a report, which outlined recommendations (not laws, yet) for mobile platforms and mobile app developers across the country to better inform their users what personal data is being collected and how the data is being used. Picciafuoco explains three reasons why app developers should have a privacy policy that outlines data collection.

1. The FTC thinks you should

In the U.S., a privacy policy isn’t a mandatory requirement. But things are changing for mobile apps. The FTC issued a long report this month titled Mobile Privacy Disclosures. This document lays out a long list of recommendations for both platforms and app developers. Simply put, the FTC thinks every mobile app should have a readable, accessible privacy policy that explains to users what data is collected, how, and why.

Here’s what the FTC thinks developers should do:

  • Have a privacy policy and make sure it’s easily accessible through the app stores

According to a June 2012 study, only 28 percent of paid apps and 48 percent of free apps available in the Apple App Store include a privacy policy or a link to a privacy policy on the app promotion page. If you are on the “dark side”, it’s time to draft a solid privacy policy and make sure it’s accessible from within your app, and not just from the privacy link you supply when you submit the app to the various stores. If your app asks users to log in via Facebook to find friends, the login screen is a prominent spot to place the policy link, so every user has the chance to check it.

  • Provide just-in-time disclosures and obtain affirmative express consent before collecting and sharing sensitive information (to the extent the platforms haven’t already provided such disclosures and obtained such consent)

As a user, you have surely met the pop-up notification that asks permission for push notifications. That’s an example of a “just-in-time disclosure” provided by the platform itself. The FTC knows that few people read privacy policies, and wants you to notify your users about important privacy disclosures at the moment they occur. For example, if your app wants to access the user’s address book to find other friends already playing the game, a pop-up is the best way to tell them in detail what information is being collected and why.

  • Improve coordination and communication with ad networks and other third parties, such as analytics companies, that provide services for apps so the app developers can provide accurate disclosures to consumers

This refers to external libraries, SDKs and other third-party code that app developers often integrate into the app to facilitate advertising or analytics. The FTC is trying to tell you: it’s OK, but do it responsibly. Check public repositories for bugs, and apply some due diligence to the reputation of the companies behind the code you are embedding. In short: use some common sense here, as you’re ultimately responsible for a major loss of data from your app, even if it is due to third-party code.

  • Consider participating in self-regulatory programs, trade associations and industry organizations, which can provide guidance on how to make uniform, short-form privacy disclosures

The FTC is suggesting shortcuts to make your privacy policy up to industry standards. There are many trade associations in this space, including App Development Alliance (ADA), Future of Privacy Forum (FPF), Mobile Marketing Association (MMA), International Game Developers Association (IGDA), Entertainment Software Association (ESA) and many others. I personally oversee a crowdsourcing effort to open source a standard mobile privacy policy.

2. You can be fined if you don’t follow or update your privacy policy

The FTC issued Path a whopping $800,000 fine for violations of its own privacy policy. Path said it wasn’t collecting certain information when, in fact, it was. While it’s normal for an app to ask permission to access third-party information on your phone, like address book info, what data you collect (and what you do with it) is crucial. If you cater to minors, for example, you’re subject to COPPA, a federal law that says you must obtain “verifiable parent consent” if children under 13 use your app. Since Path collected birth dates, they knew for a fact they had kids using the app, and never did much about it. Result: $800,000 to the FTC. If you know that you have kids on your website, call your lawyer and find out how to comply with COPPA. If you don’t really know, make sure users represent that they’re over 13.

3. Your users will trust you more if you do, and your platform will, too

A recent survey found that 57 percent of all app users have either uninstalled an app over concerns about having to share their personal information, or declined to install an app in the first place for similar reasons. Instagram is said to have lost something like six million users after their controversial Terms of Service change: people are starting to care about the legal implications of the apps they use. You may get away from the FTC, but there are crowdsourced policing tools in place now (TOS;DR, PrivacyChoice, etc.) and it only takes one vocal user to spread a bad rumor. There’s also a positive side: good early behavior can help establish a level of trust with your user base that has positive effects on retention, and may even give you a competitive advantage.

Conclusion: get a privacy policy, it’s not that hard

There are pretty compelling reasons to have a good privacy policy for your mobile applications. It’s not something that only big publishers can afford. You can start with a free online template or a free privacy policy assembler and have a lawyer review it for a small fixed fee.

Looking at what the competition is doing can also help you figure out what kind of disclosures go in a policy. The important thing, particularly with mobile apps, is to make sure the policy stays true at every update. Every time you add or fix something, think about whether it has an impact on your privacy statements, and edit them if necessary. Added a new analytics script? It should go in there. If you adopt a “privacy by design” approach from the beginning, this process will become automatic and naturally integrated into product development, keeping your legal risks low.