If you’ve developed a mobile app, there’s a good chance that you’ve got at least one user who’s in Silicon Valley or elsewhere in California, which might not seem like a big deal. But if you’re also collecting user data, it can be a big deal because of an existing but little-known state law called the California Online Privacy Protection Act. According to this law, if a mobile app collects any personal data from a California resident, the app must provide a security policy for users. Read on to understand more about this law, to learn what data you should collect, and to get hints for keeping user data secure.
As the use of mobile apps becomes a daily part of life, more attention is being paid to how apps collect and use personal data. While some governments have yet to pass laws that require developers to fully disclose when apps collect and transmit data, the State of California has already taken steps to protect app users and will be working with a number of major tech companies to strengthen privacy protection for global app consumers. According to their recent announcement, six of the leading mobile application platforms (including Google) signed an agreement to foster innovation in privacy protection, promote transparency, and facilitate compliance with mobile privacy laws, including the California Online Privacy Protection Act (OPPA).
California mobile app privacy laws
Along with OPPA, mobile app users in California are further protected under California’s Unfair Competition Law and False Advertising Law. Under these regulations, any app that collects personal data from a California resident is required to have a privacy policy that states what information is collected and what that information is used for. Any app that doesn’t adhere to these standards is subject to prosecution. The act has a very broad scope, so whether you’re a developer based in Korea, Sweden, or Israel, as long as you have someone accessing your app in California, the same rules apply to you. A California resident can simply file a complaint with the Attorney General or take personal legal action through a private attorney.
Only collect the user data that you need
Assuming that you’ve informed your app users and have their permission, what kind of information should you collect? It should be just the basics, and even then, only the information that you really need. If you have a GPS or navigation-based app, of course it makes sense that you’ll need location details, but it’s not necessary to have access to users’ contact lists. And if you’ve developed something as basic as a flashlight app, you probably don’t need to collect any information at all.
Protect collected and transmitted user data!
If it’s absolutely necessary to collect and transmit data, you need to ensure that the collected data is handled safely. Employ proper file permissions. Encrypt the locally stored data before sending it to the server to help protect the user’s confidential information. When communicating with a server over HTTP, avoid encoding user information in a URL that is used with HTTP. Instead, post it in a message body. Putting information in the URL increases the chances that it will be automatically logged.
Android Developers Blog – Best practices for handling Android user data.
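The quoted advice, worked through as an added example in plain Java (this is not code from the Android Developers Blog post): user fields go into a POST body rather than the query string, plain http and endpoints that already carry a query are refused, and data that waits on disk is sealed with AES-GCM before it is written. The endpoint https://api.example.com/collect, the access-log lines, the field values and the helper names are all constructed for illustration; in a real Android app the AES key would come from the Android Keystore rather than being generated in main().

```java
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpRequest;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Map;
import java.util.StringJoiner;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public class UserDataTransport {

    // Form-encode the fields for the POST body; nothing user-specific touches the URL.
    static String formEncode(Map<String, String> fields) {
        StringJoiner joiner = new StringJoiner("&");
        for (Map.Entry<String, String> e : fields.entrySet()) {
            joiner.add(URLEncoder.encode(e.getKey(), StandardCharsets.UTF_8) + "="
                    + URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8));
        }
        return joiner.toString();
    }

    // Build the upload request. Refuse plain http and any endpoint that already has a
    // query string, so user data cannot end up in a URL that servers and proxies log.
    static HttpRequest buildUploadRequest(URI endpoint, Map<String, String> userFields) {
        if (!"https".equals(endpoint.getScheme())) {
            throw new IllegalArgumentException("user data must only be sent over HTTPS");
        }
        if (endpoint.getQuery() != null) {
            throw new IllegalArgumentException("endpoint must not carry a query string");
        }
        return HttpRequest.newBuilder(endpoint)
                .header("Content-Type", "application/x-www-form-urlencoded")
                .POST(HttpRequest.BodyPublishers.ofString(formEncode(userFields)))
                .build();
    }

    // Encrypt before writing to local storage: AES-GCM with a fresh random 96-bit
    // nonce prepended to the ciphertext. The 128-bit tag detects tampering on read.
    static byte[] sealForStorage(SecretKey key, byte[] plaintext) throws Exception {
        byte[] nonce = new byte[12];
        new SecureRandom().nextBytes(nonce);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        byte[] ciphertext = cipher.doFinal(plaintext);
        byte[] out = new byte[nonce.length + ciphertext.length];
        System.arraycopy(nonce, 0, out, 0, nonce.length);
        System.arraycopy(ciphertext, 0, out, nonce.length, ciphertext.length);
        return out;
    }

    static byte[] openFromStorage(SecretKey key, byte[] sealed) throws Exception {
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, sealed, 0, 12));
        return cipher.doFinal(sealed, 12, sealed.length - 12);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: what a typical server access log records for each style.
        Map<String, String> fields = Map.of("email", "alice@example.com", "lat", "37.42");
        System.out.println("GET style, the whole URL is logged by server and proxies:");
        System.out.println("  203.0.113.7 - - \"GET /collect?" + formEncode(fields) + " HTTP/1.1\" 200");
        HttpRequest req = buildUploadRequest(URI.create("https://api.example.com/collect"), fields);
        System.out.println("POST style, only the path is logged:");
        System.out.println("  203.0.113.7 - - \"" + req.method() + " " + req.uri().getPath() + " HTTP/1.1\" 200");

        // Local storage: seal, then open. A real app keeps this key in the Android Keystore.
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();
        byte[] sealed = sealForStorage(key, "pending-upload: lat=37.42".getBytes(StandardCharsets.UTF_8));
        System.out.println("opened: " + new String(openFromStorage(key, sealed), StandardCharsets.UTF_8));
    }
}
```

Run it with `java UserDataTransport.java` on Java 11 or later. The two printed log lines are the whole point: an access log keeps the GET query string (and with it the e-mail address and location) by default, while the POST body is not part of the request line and so is not logged unless someone deliberately configures body logging.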
More best practices for handling Android user data
We would also like to share some valuable hints on how to manage Android user data from Nick Kralevich, an engineer with the Android Security Team. In his article, Nick provides several key points to consider when developing your Android applications:
Maintain a privacy policy – Trustworthy applications are up-front about the data they collect and the reasons for collecting it. Users are generally happy to share information via such apps if they believe they will personally benefit. A clear and concise privacy policy, with details about the type of information collected and how it’s used, goes a long way towards generating trust and good will.
Minimise permissions – Android is unique among mobile operating systems for its simple, straightforward, operating-system-enforced permission model. All Android applications must declare the permissions they require, and users must approve these permissions before the application is installed. Users tend to distrust applications that require excessive permissions.
Give your users a choice regarding data collection – Users are often happy to share their information, but they want control over that sharing. Trustworthy applications give users control over their information. For example, the Android Browser has privacy settings which enable users to control how their information is shared.
Don’t collect unnecessary information – Trustworthy applications limit the kinds of data they collect. Collecting unnecessary information, especially if you never use it, just invites suspicion. When in doubt, don’t collect it.
Don’t send data off the device – If you have to handle user data, ensure that the data remains on the device whenever possible. Users are comforted knowing that their private information strictly resides in the phone. Sending data outside the phone, even if done for the user’s benefit, tends to draw suspicion.
… but if you have to, use encryption and data minimization – Sometimes, the collection of data is necessary. In that case, applications need to ensure that it is handled safely. A privacy policy will avoid leading to surprised and irritated users; in some cases, it may be advisable to prompt the user before transmitting data off-device.
Don’t use code you don’t understand – In the open-source Android environment, it’s common (and good) practice to rely heavily on other people’s code, in the form of libraries and frameworks. But if that code is handling your users’ information inappropriately, it’s your problem. So make a point of checking code before you rely on it.
Don’t log device or user specific information – Application developers should be careful about on-device logs. Android makes it easy to write to the phone’s log, and anyone who has looked at “logcat” output knows that it is full of important but seemingly random debugging information from many applications. In Android, logs are a shared resource, and are available to an application with the READ_LOGS permission (only with user consent, of course!). Even though the phone log data is temporary and erased on reboot, inappropriate logging of user information could inadvertently leak user data to other applications.
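An added example, not from Nick’s article, of a small logging wrapper that keeps device and user identifiers out of the shared log: debug-level lines are dropped entirely unless the build is debuggable, and everything that does get written is passed through redaction first. It is plain Java so it runs with `java SafeLog.java`; `System.out.println` stands in for `android.util.Log`, the `debuggable` flag stands in for `BuildConfig.DEBUG`, and the regexes, tag name and sample messages are constructed for illustration and not exhaustive.

```java
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

public class SafeLog {
    // In an Android app this would be BuildConfig.DEBUG; false for release builds.
    static boolean debuggable = false;

    // Ordered redaction rules for values that must never reach the shared log.
    // Order matters where patterns overlap (a 15-digit IMEI also looks like a phone number).
    private static final List<Map.Entry<String, Pattern>> REDACT = List.of(
        Map.entry("IMEI", Pattern.compile("\\b\\d{15}\\b")),
        Map.entry("ANDROID_ID", Pattern.compile("\\b[0-9a-f]{16}\\b")),
        Map.entry("EMAIL", Pattern.compile("[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}")),
        Map.entry("PHONE", Pattern.compile("\\+?\\d[\\d -]{8,}\\d")),
        Map.entry("LATLON", Pattern.compile("-?\\d{1,3}\\.\\d{3,},\\s*-?\\d{1,3}\\.\\d{3,}"))
    );

    // Replace every match of every rule with a labelled placeholder.
    static String redact(String message) {
        String out = message;
        for (Map.Entry<String, Pattern> rule : REDACT) {
            out = rule.getValue().matcher(out).replaceAll("[" + rule.getKey() + "]");
        }
        return out;
    }

    // Debug lines exist only in debuggable builds; returns null when dropped.
    static String d(String tag, String message) {
        if (!debuggable) return null;
        return emit("D", tag, redact(message));
    }

    // Warnings are kept in every build, but still redacted.
    static String w(String tag, String message) {
        return emit("W", tag, redact(message));
    }

    private static String emit(String level, String tag, String message) {
        String line = level + "/" + tag + ": " + message;
        System.out.println(line);  // android.util.Log.println(...) in a real app
        return line;
    }

    public static void main(String[] args) {
        // Constructed sample messages of the kind that end up in logcat.
        List<String> samples = List.of(
            "login ok for alice@example.com from device 9774d56d682e549c",
            "sync imei=356938035643809 at 37.4220,-122.0841",
            "callback number +1 650 253 0000 stored");

        debuggable = true;
        for (String s : samples) d("SyncService", s);

        debuggable = false;
        System.out.println("release-build debug line: " + d("SyncService", samples.get(0)));
        w("SyncService", "upload failed for " + samples.get(0));
    }
}
```

In the debuggable run the three lines come out as `D/SyncService: login ok for [EMAIL] from device [ANDROID_ID]`, `D/SyncService: sync imei=[IMEI] at [LATLON]` and `D/SyncService: callback number [PHONE] stored`; in the release run the debug line is dropped (null) and only the redacted warning is written. The wrapper is a safety net, not a substitute for not putting identifiers into log messages in the first place.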
***
When you create a mobile app, it’s usually with the best intentions for your users – you want them to enjoy your game, save some time or money with a handy app, and spread its popularity among friends. At the same time, your users are putting their trust in your app by agreeing to your app’s permissions, which includes disclosing personal data. Though you might not have any app users in California, it’s still best practice to let your users know if you are collecting any information. Keep that trustworthiness going by ensuring your app only collects the data it needs, and make sure you keep that user data secure – your users will truly appreciate it!
App developers and tech enthusiasts, what do you say? Will you make any extra effort because of these laws? Are you considering privacy issues while downloading new apps? Make your voice heard!