privcombermuda
Guest Post: Privacy 101 for (Mobile) App Developers
In this guest post, Lydia Barit, recent MSc Information Security Policy and Management graduate & former Policy Analyst consultant with PrivCom, shares the top six (6) privacy questions for (mobile) app developers...

Now more than ever, data protection and privacy matters are taking global center stage. As more people are becoming increasingly aware of the harmful uses of personal data, conducting privacy due diligence is becoming a key part of consumers’ new technology acquisition processes. Apple and Google understand this, with the former now requiring app developers to fill out privacy labels and the latter following closely behind, in order to provide prospective app users with easy-to-digest privacy information. These labels represent one of myriad ways application (or, "app") developers can present privacy practices to users.
By considering the following questions early on in development, developers can be proactive by embedding privacy practices from the get-go in order to convey this information to customers more seamlessly and transparently.
First, a quick compliance check: does PIPA even apply to me?
Yes! According to Section 3 of PIPA: “this Act applies to every organisation that uses personal information in Bermuda where that personal information is used wholly or partly by automated means and to the use other than by automated means of personal information which form, or are intended to form, part of a structured filing system.”
Unlike some data protection regulations in other countries, which set income or size thresholds, PIPA applies to every organization using personal data. Diving further in, data processing is considered to be automated if direct human intervention is not required to carry it out. Collecting and/or using a user’s location data to give restaurant recommendations, or credit card information to initiate a transaction, are both examples of automated processing of personal data that commonly occurs on mobile apps.
Who are your users?
Once your app is released into the wild, it’s important to note who will be able to access it. More likely than not, you have visualized a target audience for whom your app’s functionality is tailored through specific features and services. Whether through purposeful design or just by nature of having your app accessible in a store-like environment, you should keep in mind that vulnerable populations may have access to your app.
While definitions of vulnerable populations can differ across contexts, in a recently published book, entitled “Modern Socio-Technical Perspectives on Privacy,” McDonald and Forte define vulnerable individuals as “those who, because of their race, class, gender or sexual identity, religion, or other intersectional characteristics or circumstances, are more susceptible to privacy violations that result in emotional, financial, or physical harm or neglect.” Considering this definition and PIPA requirements regarding sensitive personal information, special attention should be paid when processing such information and any personal data relating to children.
It is also important to note whether your app will be available outside of Bermuda. In some countries, having your app available to their citizens and/or residents could mean you are "targeting" them, a condition that could subject you to the data protection laws in those countries.
What personal information are you collecting and how?
Think about the core functionality of your app and the data you really need from users to make it come to life. Although it is tempting to collect multiple personal data types just in case you might use them later on, minimizing the data you collect (formally called “data minimization”) is a privacy best practice that will undoubtedly save you headaches. Special attention should also be paid if you plan to collect any sensitive personal information. PIPA states that use of this data may not be permitted in specific circumstances and may require an additional user consent or other action.
With your plans to collect personal data in mind, consider the Principles of Privacy by Design. These 7 principles, authored by former Information and Privacy Commissioner of Ontario Ann Cavoukian, outline important categories of privacy considerations best addressed proactively in the engineering process. The second of these principles concerns "Privacy by Default," which is a particularly important consideration for app developers. When a user downloads your app, its default state should be the most privacy-preserving. Think about it this way: if a user downloaded your app and swiftly clicked “OK” on every pop-up presented, would the settings that result represent the most privacy-protecting version of your app?
Now that you've collected personal data, how should you manage it?
Using, storing, and deleting personal data require varying considerations when it comes to security and privacy protections. When using personal data, it is a good general rule to ensure it is only being used for the purposes your users have consented to. If the use of data involves transferring it internationally, a legal process called a data transfer mechanisms must be in place, and as previously mentioned, international data protection laws will need to be taken into account.
Both when using and storing data, you should employ encryption techniques that are current industry best practice. Data storage should involve "pseudonymization" techniques, meaning that data should be de-identified and only re-identifiable when combined with secure and separately stored data. "Access management" is also a very important consideration from an overall security perspective and with respect to subject access requests (SARs). As outlined in Part 3 of PIPA, individuals have access, rectification, blocking, erasure, and destruction rights when it comes to the personal data you hold on them, so creating storage mechanisms that prioritize security and facilitate timely responses to these requests is paramount.
You should also consider data deletion when a user stops using your app unless it is absolutely necessary to retain their data, usually for legal reasons. When kept under these circumstances, this personal data should be stored securely to avoid any unauthorized and unintended use.
Relatedly, what are your Software Developer Kits (SDKs) doing with data?
When creating an app for the first time, many developers choose to start with a set of tools, usually provided by software or hardware companies, to make getting started on a particular platform easier. While these kits may simplify development and subsequently reduce time to market, they are often preprogrammed to include third party data collection and usage that can easily go unnoticed. This means that personal data may be transferred to third parties, possibly in ways that do not allow for appropriate user consent. More likely than not, these will be overseas third parties, and transfers to these entities receive special recognition under PIPA - and once again, bring international data protection laws into play. For more guidance on overseas third party data transfers, check out this previous blog post.
Are you documenting everything?
Great customer service is informed customer service, and letting users know what is happening to their data and how they can control its collection and use are important selling points. Documenting your work from the beginning, including all steps taken to answer the previous questions, will make creating effective privacy labels, policies, and in-app notices more streamlined and lead to more clearly conveyed privacy practices.
In conclusion, taking the time to answer these questions at any stage of the app development process will guide you toward a set of privacy tools and practices that can truly give you a competitive edge. Creating a privacy programme that proactively bakes privacy in will pay off through increased user trust, lessened regulatory or technological headaches, and propelled profits.
Additional Resources (Links here are for reference and are not necessarily endorsements)
Apple: Manage app privacy
Atlassian:
o Data privacy guidelines for developers
o User privacy guide for app developers
Australian Government: Mobile privacy: a better practice guide for mobile app developers
International Association for Privacy Professionals (IAPP): Privacy Design Guidelines for Mobile Application Development
UK Information Commissioner’s Office (ICO): Privacy in mobile apps: Guidance for app developers
OWASP:
To reach out to the Office of the Privacy Commissioner, please visit our Contact Us page.