Smartphone apps have come under increasing scrutiny in the last year, with a growing body of research and reporting showing that companies provide little information about what -- or how -- user data is collected and shared.
A study by the Future of Privacy Forum this spring found that 22 of the top 30 apps lack even basic privacy policies. The Wall Street Journal found that 45 of the top 101 iPhone or Android apps analyzed did not provide privacy policies on their sites or in their apps.
To help address the issue, the Mobile Marketing Association today released new privacy guidelines for app developers that outline best practices and provide sample language for privacy policies. The policy framework provides advice on ways to inform people about how data is collected and used, and on the security and confidentiality of user information.
One of the first pieces of advice is for developers to consult legal counsel in adapting the guidelines to craft their own policies, since each will have to be customized according to the type of app and jurisdiction where it is available.
The guidelines also address collection of mobile location data, which became a privacy flashpoint earlier this year following much-publicized reports that iPhones, iPads and Android devices collected detailed information about users' locations.
Sens. Al Franken and Richard Blumenthal subsequently introduced legislation that would require that companies obtain users' consent before collecting location data or sharing the information with third parties.
The MMA instructs that if an app provides “precise real-time location information” on a user’s device, it should describe how it’s done, and how the data is used, in language understandable to the average consumer. It should also allow users to opt out from tracking at any time.
The sharing of personal information via apps with ad networks and other third parties has been another controversial topic. The MMA recommends that developers disclose whom data is shared with, and when, including ad networks and analytics companies. They should also be aware of whether ad networks they work with offer an opt-out.
“At a minimum, application developers should take into account whether the app is advertising-supported and whether data is obtained by an ad network or other third party for the purpose of ad targeting,” state the guidelines.
The document also lays out various choices developers should offer for opting out, including uninstalling an app or opting out from providing information for the purpose of receiving targeted advertising. Publishers should also disclose their policies on data retention and explain their security procedures.
Among more than 50 mobile-related companies and groups participating in drafting the app guidelines were 4INFO, AT&T Adworks, Millennial Media, TRUSTe, Unilever and Velti.
“With this document, even small app developers will have the tools to properly explain to users the basics of how data is being handled,” said Jules Polonetsky, director of the Future of Privacy Forum, which had input on the app privacy recommendations.