Next week I'll be chairing a session at the IAPP's Data Protection Intensive in London on mobile privacy. In advance of my session (and without giving too much away - I highly recommend attending the
Next week I'll be chairing a session at the IAPP's Data Protection Intensive in London on mobile privacy. In advance of my session (and without giving too much away - I highly recommend attending the event!), I thought I'd set out a few key thoughts on the issues mobile operators and developers need to consider when launching mobile apps:
- Why does m-privacy matter? It's simple: if you're anything like me, your mobile device has become your closest, must trusted friend. No one know more about you: your phone knows where you go, who you know, and the passwords to your banking, shopping and social networking accounts. It looks after your diary and has access to all your most treasured and personal photos. This is all very sensitive information - and your phone holds an awful lot of it.
- Why is m-privacy hard (practically)? Because the actors, devices and consumer expectations are so many and so varied. In the course of downloading, installing and running an app, a consumer will share data with or through its device platform, the relevant app marketplace, the application developer, and various ad networks, analytics providers, payment processors and mobile carriers. Consumers can access apps through smartphones, tablets, netbooks or other mobile devices - each with different platforms having their own data access permissions, device unique data types, and screen sizes and resolutions, thereby making efforts to design a simple 'one size fits all' privacy notice a real challenge. Adopting a privacy by design approach is not a nice to have in the mobile environment - it's a necessity.
- Why is m-privacy hard (legally)? From a privacy perspective, data protection, e-privacy, communications interception and data retention laws - both in the EU and beyond - can all apply to data collected from mobile devices. Widen the picture out into general consumer law, and issues arise around applicable law, mandatory consumer terms, liability and enforceability of terms (to name but a few). As a few press reports have highlighted recently, just because you CAN access data, doesn’t mean you should - the recent furore surrounding the Girls Around Me app being a very good case in point (see here). And to make matters more complicated, the data protection laws we have can often apply in surprising and unexpected ways - remember, many of them date back to before any of us even had a mobile. Should device ID data really be considered 'personal data'? Why do 'cookie consent' rules apply to mobile apps? Do SoLoMo applications REALLY need to get opt-in consent to location data use?