Ten tips for communicating privacy practices to your app's users

September 2014

Conveying privacy information to consumers can present unique challenges in the app world, where screens are small and users' attention can be intermittent. That said, users increasingly value and expect transparency, rewarding transparent organizations with their trust and loyalty.

Your app provides an interface between your organization and potentially millions of customers, clients and users. Privacy communications, or a lack thereof, can leave a clear impression on the minds of those individuals; use the tips below to make sure it is a positive one!

This tipsheet serves as an introduction to the effective communication of privacy practices to app users. For more detailed guidance, please see the resources listed at the end of this document.

Be Transparent

1. Make sure privacy information comes from you! You should always assume that your users will, in some way, find out how your app is collecting, using and/or disclosing their personal information. Ask yourself how you want your users to gain this knowledge, be it through: (i) random chance; (ii) analysis of your app by a researcher, the media, or another third party; or, (iii) clear, upfront communications directly from you. Many very popular apps openly and clearly inform consumers of the varied manners in which they collect and use significant amounts of personal information to support their services. On the other hand, issues and complaints can arise when there is a lack of transparency around these practices. Make "no surprises" part of your privacy mantra!
2. Be specific. Generic or overly broad privacy information makes it harder, if not impossible, for a user to give meaningful consent. Your privacy communications don't have to, and shouldn't, come exclusively from a long, legalistic policy. You should provide specific notifications to users at key decision points, such as during registration or at a point of purchase, to inform their consent for the collection, use or disclosure of their personal information. Your goal should be to give users clarity as to how their personal information will be collected, used and disclosed, by whatever means are most appropriate!
3. Speak to your audience. Know your users, and provide privacy information in a manner that is accessible and comprehensible to them. This means that the information should be (i) in the same language(s) in which your app is offered, and (ii) at a level of complexity understandable by your audience. If you can't be understood, have you really said anything?
4. Tailor to the environment. Every platform, app marketplace and device gives developers means and opportunities to communicate with users. Understand the communication channels available to you, and take advantage of them to provide users with information, as they need it, in a manner that addresses that "small screen challenge". And if you feel these channels are insufficient for your needs, be innovative - think about creating ones that are!

Explain the data you are requesting and collecting

5. Describe how your app uses the permissions it seeks. Often in the mobile ecosystem, one of the user's first experiences with an app is to grant (or deny) permissions. To ensure users are comfortable in making this decision, it is important to provide them with specific, contextual information. For instance, our Office has seen apps provide users with a list of permissions that will be requested, and more importantly, what the app will do with that permission if the user grants it. Such practices allow users to enter into a more trusted relationship with your app.
6. Explain the data you gather through social media logins. Many apps ask, or require, users to log-in using a social media account, such as Facebook, Google+, or Twitter. If your app does this, you should explain to your users what, if any, information made available by these services is collected by you, and how it will be used.
7. Permission to access is not necessarily consent to collect, use or disclose! Meaningful consent requires an organization to make a reasonable effort to advise the individual of the purposes for which personal information will be collected, used or disclosed. Often, an app tells users what information it needs access to, but not why that information is needed or how it will be used. Absent additional information, the fact that a user has been notified of the app's ability to access certain personal information would not necessarily constitute his or her meaningful consent for the collection, use or disclosure of that information. Think of permissions as knocking on your user's front door - even if the door is opened, that user retains control of whether you are allowed to come in!

Make, and keep, privacy information accessible

8. Provide privacy information, even if you don't collect any personal information. Users shouldn't be forced to make assumptions about your app's data collection and handling practices. If you're not collecting any personal information, dispel the mystery and highlight that!
9. Include privacy information, and/or a link to it, in your app. Making individuals exit your app to explore your website (or find the app's listing in a marketplace) in order to locate information about the app's personal information handling is onerous for users, both in terms of privacy practice transparency and general usability. It's an unnecessary and cumbersome extra step imposed on your users; so why not include privacy information in the app itself? This can be done through direct integration with the app's functions or an easily found link to a privacy policy, as appropriate. And again, don't forget that "small screen" challenge!
10. Allow individuals to re-visit privacy information. The use of just-in-time notification - presenting information to individuals when it is most relevant, such as at a key decision point - is an excellent way of increasing the transparency of your app's privacy practices. However, this information should not be "one-time-only." For instance, if an explanation is provided in a pop-up, that same explanation should be available in a location that is accessible after the pop-up has been dismissed. Regardless of what mechanism you use to present privacy information to a user, be sure individuals can re-visit that information to enhance their understanding of your privacy practices and become more comfortable with the services you offer!

To Learn More

Our website includes guidelines, fact sheets and other tools to help organizations meet their obligations under PIPEDA. With regard to apps, organization may be particularly interested in:

• Seizing Opportunity: Good Privacy Practices for Developing Mobile Apps
• Guidelines for Online Consent
• Ten Tips for a Better Online Privacy Policy and Improved Privacy Practice Transparency