Mobile Apps and Privacy — A Global Issue: Are you in Compliance with Australian Privacy Law?

By Alec Christie

At the end of October, we talked about the California Attorney General’s enforcement of its privacy laws against mobile app providers, noting that the California AG sent letters to numerous mobile app providers alleging that they were in violation of California law by failing to maintain a privacy policy for the app. We emphasized that app providers should be vigilant in their privacy practices. Privacy concerns related to mobile apps, however, are not limited to California, and are garnering attention around the globe, including, notably, in Australia.

In recent years mobile devices such as internet-connected smartphones and tablet computers (mobile devices) have found a place in the everyday lives of most people. The prevalence of mobile devices is highlighted by a study by the research firm Gartner, which has forecast that by 2013 mobile devices will (a) overtake PCs as the dominant way we access the web and (b) reach over 1.82 billion units. Mobile devices are often on and tethered to their user, transmitting rich data to the sellers, analytic services and/or advertisers of applications (apps), exposing users to a wide variety of potential invasions of privacy. Compliance with existing privacy law and/or the need for new privacy protections is an area currently being investigated in the EU.

The rapid growth in popularity of mobile devices has been harnessed by businesses as a fast and effective method for reaching customers. Many businesses have invested in the development of leading-edge interactive apps and internet sites for mobile devices which provide customised and interactive services based on the information they collect from users. In fact, an estimated 98 billion apps will be downloaded by 2015 and the current US$6.8 billion market for apps is expected to grow to US$25 billion within four years.

However, many businesses are overlooking their obligations under Australian privacy law, which also apply to personal information collected through apps and mobile sites via mobile devices. Regardless of the mode of collection, the Privacy Act 1988 (Cth) (Privacy Act) requires businesses with a turnover of $3 million or greater to ensure that individuals are aware of certain mandatory information prior to or at the time any personal information is collected about them. This mandatory information includes the name and contact details of the business collecting the personal information, the individual’s right to access their personal information and how the personal information will be used and shared. Such mandatory information is usually provided to individuals in a privacy policy or statement, which the individual is required to accept before any personal information is collected.

Despite the well-known requirements imposed by the Privacy Act, most apps and mobile sites that collect personal information from Australians via mobile devices do not post a privacy policy or statement or otherwise ensure that users are aware of how their personal information is being used and/or disclosed to others. On those rare occasions when privacy policies or statements are included, they are difficult to locate on mobile devices and, if located, are difficult to read and understand as they tend to include a lot of text, often in small font. Even if one does struggle through, such policies or statements often do not clearly identify what personal information is collected and how it is used and shared.

In many cases, businesses have policies and procedures in place to ensure compliance with their obligations under the Privacy Act for their online (ie website) presence. However, the pressure to quickly deploy apps and mobile sites into the market has meant that, in practice, businesses are not complying with (or, where required, extending to the mobile device environment) these policies.

Actions under the Australian Consumer Law and future fines

Failure to comply with an existing privacy policy can have costly consequences for a business, particularly in light of the likelihood of damages being awarded against non-compliant businesses in an action under the ‘misleading or deceptive conduct’ provisions of the Australian Consumer Law. For a detailed discussion of the application of the Australian Consumer Law to breaches of privacy obligations, please see our previous update.

Additionally, the Privacy Amendment (Enhancing Privacy Protection) Bill 2012 currently before the Australian Parliament will, when passed, introduce fines of up to $220,000 for an individual and up to $1.1 million for an organisation for a serious invasion or repeated invasions of privacy. Therefore, businesses should address any shortfalls their apps or mobile sites have now in complying with their privacy policy and the Privacy Act before they are faced with large fines or damages.

Recent spotlight on mobile privacy in the US

As noted above, in the last week of October 2012, the Attorney-General of the State of California (AG) sent letters to numerous mobile app developers and companies to formally notify them that they were not complying with Californian privacy law, which requires them to conspicuously post a privacy policy. The companies were required to comply within 30 days of receiving the letter by posting a privacy policy that informs users of what personally identifiable information is being collected about them and how such information will be used. Failure to comply could cost companies up to US$2,500 for each download of a non-compliant app.

The warnings issued by the AG follow an agreement announced in February 2012 committing the leading mobile apps platform providers to a statement of principles (California Principles) designed to promote transparency in privacy practices and facilitate compliance with privacy laws in the mobile device environment, bringing the industry into line with California law (ie requiring mobile apps that collect personal information to conspicuously post a privacy policy). Briefly, the California Principles are:

  1. Where required by applicable law, apps collecting personal information must conspicuously post a privacy policy or statement that describes how the information is collected, used and shared.
  2. Provide a data field when apps are submitted by developers to supply a hyperlink to or the actual text of their privacy policy. The hyperlink or text should be made accessible from the mobile application store.
  3. Implement a means for app users to report to the platform apps that do not comply with applicable terms of service and/or laws.
  4. Implement a process for responding to reported instances of non-compliance.
  5. Continually work with the AG to develop best practice for mobile device privacy in general and develop model mobile device privacy policies in particular.

Although the California Principles and letters of warning issued by the AG formally only apply to apps made available in California, they could set a benchmark for privacy practices across many countries (including Australia), given that most apps, regardless of the country in which they are developed, are likely to be made available in the US. Therefore, in addition to complying with relevant Australian privacy laws, we urge Australian businesses to follow best practice by voluntarily adopting the California Principles and using these as a framework for building privacy into the design of their mobile sites and apps (ie ‘privacy by design’).

What action should Australian businesses take now?

Given the increased focus on privacy in the mobile devices environment internationally, we recommend that Australian businesses review and update their privacy policies and processes to ensure that they adequately cover personal information collected through mobile device apps and mobile sites.

To avoid potential liability, Australian businesses should:

  • Ensure their app and mobile site developers are aware of the legal obligations to protect privacy
  • Ensure all apps and mobile sites contain a functional link to the privacy policy/statement of the business in a conspicuous place
  • Provide a summary of the mandatory information to be provided to users under Australian privacy law at points where personal information is collected
  • Ensure the privacy policy/statement identifies how personal information is collected, reasons/purposes for collection and how such information will be used and shared in a manner that can be easily understood by users
  • Put in place adequate procedures for bringing the privacy policy (and any subsequent changes to it) to the attention of users before they enter the mobile site or download the app and obtain their consent regarding the use and disclosure of their personal information.

Please do not hesitate to contact us if we can assist with the review/audit of your current privacy practices and policies relating to your mobile sites and apps.