Thursday, September 11, 2014

Privacy Commissioner of Canada releases results of second GPEN Privacy Sweep focused on mobile apps

The Privacy Commissioner of Canada has released the results of the second Global Privacy Sweep carried out by the Global Privacy Enforcement Network (GPEN). This sweep focused on mobile apps and the OPC scrutinized 151 of the 1211 examined globally.

The findings are summarized in a blog post, along with ten tips to help developers be more transparent about how apps collect, use and disclose personal information.

Here's the media release, too:

News Release: Global privacy sweep raises concerns about mobile apps - September 10, 2014

Clear, concise privacy language builds consumer trust and is good for business, Privacy Commissioner says after global sweep of more than 1,200 mobile apps.

OTTAWA, September 10, 2014 – As mobile apps explode in popularity, many of them are seeking access to large amounts of personal information without adequately explaining how that information is being used, participants of the second annual Global Privacy Enforcement Network (GPEN) Privacy Sweep found.

“Fortunately, there were few examples of apps collecting the sort of information that would appear to exceed their functionality—like a flashlight app seeking permission to obtain your contacts list,” says Daniel Therrien, Privacy Commissioner of Canada.

“But we did find many apps were requesting permission to access potentially sensitive information, like your location or access to your camera functions, without necessarily explaining why. This left many of our sweepers with a real sense of unease.”

The privacy sweep results offer insight into the types of permissions some of the world’s most popular mobile apps are seeking and the extent to which organizations are informing consumers about their privacy practices. A number of specific examples illustrating these trends can be found in a blog post on the Office of the Privacy Commissioner of Canada’s website. The Commissioner determined it was in the public interest to share specific results from the Sweep in order to help Canadians better understand the observations. Our Office has also prepared a 10 tips guide to help developers better communicate their privacy practices to app users.

In total, 1,211 apps were assessed, 151 of them by the Office of the Privacy Commissioner of Canada.

Participants looked at the types of permissions an app was seeking, whether those permissions exceeded what would be expected based on the app’s functionality, and most importantly, how the app explained to consumers why it wanted the personal information and what it planned to do with it.

“Both large and small app developers are embracing the potential to build user trust by providing clear, easy to read and timely explanations about what information they will collect and how they will use it,” Commissioner Therrien says.

“Others are missing that opportunity by failing to provide even the most basic privacy information.”

The Sweep, which took place May 12 to 18, 2014, involved 26 privacy enforcement authorities from around the world, up from 19 international participants during last year’s inaugural event. The growth of this year’s Sweep shows privacy enforcement authorities are more committed than ever to working together to promote privacy protection.

The GPEN initiative is aimed at encouraging organizations to comply with privacy legislation and to enhance co-operation between privacy enforcement authorities. It was not in itself an investigation, nor was it intended to conclusively identify compliance issues or legislative breaches. Concerns identified during the Sweep, however, will result in follow-up work such as outreach to organizations, deeper analysis of app privacy provisions and/or enforcement action.

Office of the Privacy Commissioner of Canada Sweep highlights:

  • 28 per cent of apps provided a clear explanation of their collection, use and disclosure of personal information policies.
  • More than a quarter of apps examined by the OPC (26%) offered either no privacy policy at all or one that left sweepers with serious concerns regarding how their information would be collected, used and disclosed.
  • Amongst the apps receiving top ratings were very popular apps in the e-marketplace, demonstrating that when properly explained to consumers, the collection of information does not negatively impact on downloads.

Global Sweep highlights:

  • Three-quarters of all apps examined requested one or more permissions, the most common of which included location, device ID, access to other accounts, camera and contacts. The proportion of apps requesting permissions and the potential sensitivity associated with the information highlight the need for apps to be more transparent.
  • For nearly one-third of the apps (31%), sweepers could not understand – after reading the app’s various privacy communications and given what they knew about the app’s function – why it needed access to certain information.
  • Some 43 per cent of apps did not tailor privacy communications to the small screen. Sweepers complained of small print and lengthy privacy policies that required scrolling or clicking through multiple pages. Best practices included using larger font, pop-ups, layered information and just-in-time notification to inform users of potential collections or uses of information when they were about to happen.

About the Office of the Privacy Commissioner of Canada

The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman and guardian of privacy in Canada. The Commissioner enforces two laws for the protection of personal information: the Privacy Act, which applies to the federal public sector; and the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s federal private sector privacy law.

See also:

Blog post, Backgrounder, Ten Tips for Communicating Privacy Practices to Your App's Users
