Is privacy a no Go in your mobile app? PokéStop and think

In brief

• During Pokémon Go’s July 2016 launch, privacy groups raised concerns surrounding the scope of the app’s user data permissions request, and the scope of the developer’s rights in the app’s privacy policy.
• The issues and recommendations outlined in guidelines published by the OAIC provide a useful starting point from which to engage with the development of privacy regimes in the context of mobile application development.
• Ultimately, adopting a ‘privacy by design’ approach, in line with the recommendations set out in these guidelines, will assist developers in integrating privacy protections into their apps.

Pokémon Go’s permissions and Privacy Policy

On 6 July 2016, The Pokémon Company and Niantic released Pokémon Go in Australia, New Zealand and the United States. Pokémon Go is a location-based mobile game that makes use of ‘augmented reality’ (AR), by overlaying elements of the original, 20-year old Pokémon game onto a user’s existing environment through the use of a smartphone’s built-in camera, internet and location services. The speed of its adoption has been ground-breaking; within one week, Pokémon Go became the most actively used game in the United States, topped Apple’s App Store charts, and increased Nintendo’s share price by as much as 50%.

However, despite unwavering consumer and market enthusiasm, Pokémon Go is not without its privacy concerns, with concerns raised in respect of both its default data sharing settings and its privacy policy. For Apple iOS users taking advantage of the app’s Google-based single sign-on authentication, the app requested unfettered access to the user’s Google account, including Gmail, Calendar, Drive documents and photos and search and browsing history. In addition, Pokémon Go’s privacy policy has been criticised as overly broad, as (among other things) it allowed Niantic to sell ‘personally identifiable information’ to a third party acquirer. This is a particular concern where personally identifiable information—which is likely to be extensive, and include sensitive data such as location information—is separated from, and sold as a standalone asset to, the remainder of the developer’s business.¹ Further, to facilitate the AR technology, the policy also permitted constant location data access to be shared with Niantic. Ultimately, by 11 July 2016, Niantic amended the requested Google permissions to only require basic information.² Its privacy policy, at the time of writing, remains unchanged.

Although the scale and speed of Pokémon Go’s adoption is unprecedented, it provides a useful opportunity to consider the key privacy concerns that arise in respect of novel mobile apps.

How does the Privacy Act apply to Pokémon Go and other mobile app developers?

The Privacy Act 1988 (Cth) (the Act) and the Office of the Australian Information Commissioner’s ‘Mobile privacy: a better practice guide for mobile app developers’ (the Guide)³ provide useful guidance for developers retailing mobile apps in Australia.

At present, the Act applies to organisations operating in the private sector with an annual turnover of more than $3 million, and to certain businesses with a lower turnover where, relevantly, that business is related to a larger company or collects and discloses personal information about another individual for ‘benefit, service or advantage’.⁴ The Guide specifically notes that this is likely to be the case where a developer ‘use[s] personal information to sell advertising’.⁵ In the current context, a situation where personal information is sold as a separate asset, as contemplated by the Pokémon Go privacy policy, may be another example of a business that would qualify under this provision. Businesses may also elect to opt-in to the Act.⁶

If the Act applies to an app developer, that developer must ensure that it collects, uses, discloses and otherwise deals with individuals’ personal information—that is, information or opinion (regardless of how it is recorded or whether or not it is true) ‘about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion’—in accordance with the requirements of the Act and of the Australian Privacy Principles contained within the Act.⁷

The Guide, and its recommendations, constitutes an important reference tool for app developers who are covered by the Act so that they are able to ensure compliance with its provisions. Even if not covered by the Act, app developers are encouraged to follow the practices recommended in the Guide in order to ‘stand out from the crowd and gain user trust and loyalty’.⁸

What privacy practices are recommended for app developers?

Ultimately, developers should be conscious of privacy at all stages of the app development process, and focus on timely, transparent and meaningful privacy practices. Companies involved in app development should consider:

1. conducting a Privacy Impact Assessment, which considers and describes the impact and effect of a project on an individual’s privacy, and how this can be managed;⁹
2. developing a privacy policy, and making it easily accessible through the platform or other location where the app is made available for download, and that users are notified of any relevant updates to the policy in advance of changes being made;
3. ensuring that the app itself only collects and makes use of information that it actually needs in order to function (for example, although AR apps require access to geolocation data in order to operate as intended, they are unlikely to need access to a user’s Google Calendar), and never collects and makes use of sensitive information without the express consent of the user;
4. ensuring that any personal information collected is appropriately secured and, if possible, allowing users a mechanism to delete all data collected (particularly upon their deletion of the app);
5. providing timely, effective and meaningful disclosures to users and obtaining their express consent when collecting personal information or sharing such data with third parties. Some proposed methods for improving such disclosures have included:

• providing information in ‘layers’, where the top layer provides high-level detail that is able to fit on a single screen but includes links or other methods of access to additional detail;
• providing privacy information in a ‘dashboard’ format, where users are allowed to select and later modify their privacy settings;
• creative use of graphics (these might include icons and symbols that are activated when information is being collected or used), colour and sound to better inform consumers; and
• in terms of timely disclosures, providing both advance notice and ‘real time’ or ‘just in time’ notification and allowing users to opt out when each disclosure is made;

6. forming a better understanding of the particular functions of the code provided for use in the app by advertising networks and other third party service providers, in order to ensure that disclosures to consumers are truthful.¹⁰

Lessons learned

Pokémon Go highlights the challenges of managing user expectations, legal requirements under the Act, and the technical and commercial imperatives of mobile apps. In particular, in light of the Act and Guide, Pokémon Go provides a number of key lessons for Australian app developers.

For example, in contrast with the Guide, Pokémon Go’s initial settings requested access to a broad range of data, much of which was not strictly necessary. If a ‘privacy by design’ approach were taken to Pokémon Go, it would have instead adopted the principle of least privilege and not requested access to user data without an identifiable technical or business need. Even then, apps should aim to request an appropriate level of access that it requires that is consistent with these needs. In the case of Pokémon Go, it may have been the case that the developers envisaged an increased need for access to data in future; however, developers should always consider whether a pre-emptively wide request is reasonable and appropriate.

More broadly, developers of Pokémon Go may have benefited from following many of the Guide’s recommendations, combined with an overall ‘privacy by design’ methodology. Incorporating alternative approaches to standard privacy policies—such as layered privacy disclosure, graphical representations and ‘just in time’ notifications—throughout the app design process will help to embed privacy policy development as an integral part of the app’s development, more effectively involve users in key privacy decisions, and increase transparency.

Ultimately, Pokémon Go reflects the tension between the legitimate technical and commercial imperatives to gather data, and application of privacy-conscious principles such as data minimisation. Companies should aim to deeply integrate privacy into app development, and can make valuable use of the Guide to assist with this process.

Endnotes

1. See: Pokémon GO Privacy Policy.
2. Google to change app permissions for 'Pokémon Go' after security concerns
3. Mobile privacy: a better practice guide for mobile app developers.
4. The Act, ss 6C–6E.
5. The Guide, p 3.
6. The Act, s 6EA.
7. The Act, Sch 3.
8. The Guide, p 4.
9. See also Office of the Australian Information Commissioner, Guide to undertaking privacy impact assessments (May 2014).
10. The Guide, pp 5–10, Appendix A.

More information

For information regarding possible implications for your business, contact Kaman Tsoi.