Sep 12 - GRA: Global Privacy Sweep Raises Concerns About Mobile Apps
Clear, concise privacy language builds consumer trust and is good for business, according to privacy authorities that took part in this year’s global sweep of more than 1,200 mobile apps.
As mobile apps explode in popularity, many of them are seeking access to large amounts of personal information without adequately explaining how that information is being used, participants in the second annual Global Privacy Enforcement Network (GPEN) Privacy Sweep found.
Last May, the Data Protection Commissioner’s Office in Gibraltar was one of a number of data protection authorities worldwide which took part in the global privacy sweep of mobile apps. A number of locally hosted apps, as well as apps hosted abroad were reviewed as part of the event.
The results of the Internet Sweep offer some insight into the types of permissions some of the world’s most popular mobile apps are seeking and the extent to which organizations are informing consumers about their privacy practices.
In total, 1,211 apps were examined. They included a mix of Apple and Android apps, free and paid apps as well as public sector and private sector apps that ranged from games and health/fitness apps, to news and banking apps.
Participants looked at the types of permissions apps were seeking, whether those permissions exceeded what would be expected based on the apps’ functionality, and most importantly, how the apps explained to consumers why they wanted the personal information and what they planned to do with it.
One of the conclusions reached by Data Protection Commissioner’s Office, and which largely reflects the conclusions arrived at by other data protection authorities, was that many of the apps reviewed were requesting permission to access potentially sensitive information, like location or access to camera functions, without necessarily explaining why.
The Sweep, which took place between the 12th and 18th of May, 2014, involved 26 privacy enforcement authorities from around the world, up from 19 international participants during last year’s inaugural event. The growth of this year’s Sweep shows privacy enforcement authorities are more committed than ever to working together to promote privacy protection.
The GPEN initiative is aimed at encouraging organizations to comply with privacy legislation and to enhance co-operation between privacy enforcement authorities. Concerns identified during the Sweep will result in follow-up work such as outreach to organizations, deeper analysis of app privacy provisions and/or enforcement action.
2014 Sweep Highlights:
- Three-quarters of all apps examined requested one or more permissions, the most common of which included location, device ID, access to other accounts, camera and contacts. The proportion of apps requesting permissions and the potential sensitivity associated with the information highlights the need for apps to be more transparent.
- Some 59 per cent of apps left sweepers scrambling to find pre-installation privacy communications. Many offered little information about why the data was being collected or how it was being used prior to download, or provided links to webpages with privacy policies that were not tailored to the app itself. In other cases, the links led to social media pages that didn’t work or required the user to log in. Sometimes it was difficult to determine who the developer or data controller was.
- For nearly one-third of the apps (31%), sweepers expressed concern about the nature of the permissions being sought. Sweepers felt the apps requested access to information that exceeded their functionality, at least based on the sweepers’ own understanding of the app and the associated privacy policy.
- Some 43 per cent of apps did not tailor privacy communications to the small screen. Sweepers complained of small print and lengthy privacy policies that required scrolling or clicking through multiple pages. Best practices included using pop-ups, layered information and just-in-time notification to inform users of potential collections or uses of information when they were about to happen.
- Just a fraction of apps examined, 15 per cent, provided a clear explanation of how they would collect, use and disclose personal information. The most privacy-friendly apps offered brief, easy-to-understand explanations of what the app would and would not collect and use pursuant to each permission. It is important to note that highly popular apps in the e-marketplace were among those that received top ratings, demonstrating that when properly explained to consumers, the collection of information does not negatively impact on downloads. About the Global Privacy Enforcement Network (GPEN) The Global Privacy Enforcement Network was established in 2010 upon recommendation by the Organisation for Economic Co-operation and Development. Its aim is to foster cross-border cooperation among privacy regulators in an increasingly global market in which commerce and consumer activity relies on the seamless flow of personal information across borders. Its members seek to work together to strengthen personal privacy protections in this global context. The informal network is comprised of 51 privacy enforcement authorities in 39 jurisdictions around the world.
For further information please contact the Information Rights Division of the Gibraltar Regulatory Authority on 35020074636 or email This email address is being protected from spambots. You need JavaScript enabled to view it.
