Get smart before you ship

Privacy Requirements for App Distribution

Federal Trade Commission Staff Report on Mobile Apps for Kids: provides privacy disclosure guidelines for kid-focused apps.
"App developers should provide this information through simple and short disclosures or icons that are easy to find and understand on the small screen of a mobile device."

Apple App Store Review Guidelines: disclosure of use required for any transmission of user data.
"Apps cannot transmit data about a user without obtaining the user's prior permission and providing the user with access to information about how and where the data will be used." (Section 7.1)

Android Market Developer Distribution Agreement: requires a privacy notice for use of usernames, logins or personal information.
"If the users provide you with, or your Product accesses or uses, user names, passwords, or other login information or personal information, you must make the users aware that the information will be available to your Product, and you must provide legally adequate privacy notice and protection for those users." (Section 4.3)

Microsoft Hub Application Provider Agreement: requires a privacy policy for apps that collect or transmit user information.
"If your Application enables access to and use of Internet-based or mobile services or otherwise collects and/or transmits user information to you or a third party, you are responsible for informing Purchasers of your terms of use and privacy policy that apply." (Section 4(d))

Amazon App Store for Android Distribution Agreement: requires privacy notices if you have access to personally identifiable information of users.
"If you have access to any name, password, other login information, or personally identifiable information of any end user of our program based on any use of or interaction with the Apps, you will (i) provide legally adequate privacy notices to such end user ..." (Section 5(b))

Readme for OpenFeint: requires an "appropriate privacy policy" for all apps using OpenFeint.
"As an OpenFeint developer, please keep in mind that you must inform users of your applications: Of all information you and OpenFeint will be collecting from your users and their devices and the uses for which you are collecting that information. ..."

Facebook Platform Policies: requires a privacy policy for all applications using the Facebook platform.
"You will have a privacy policy that tells users what user data you are going to use and how you will use, display, share, or transfer that data and you will include your privacy policy URL in the Developer Application." (Section II(3))

Twitter Developer Rules of the Road: requires a privacy policy for all applications using the Twitter API.
"Your Service must display a privacy policy. Clearly disclose what you are doing with information you collect from users." (Section 3(A))

Opera Mobile Store Standard Software Distribution Agreement: requires a privacy policy for all apps gathering or accessing personally identifiable information.
"If end users provide Software Owner with, or the Software gathers or accesses, usernames, passwords or other log-in information, or any personally identifiable information about end users ('End User Information'), Software Owner must make the end users aware that the End User Information will be available to Software Owner, and Software Owner must provide legally adequate privacy notice and protection of that information for those end users." (Section 2.2(A))

Windows Store App Developer Agreement: requires a privacy policy for apps using Internet-based services or personal information.
"If your app enables access to and the use of any Internet-based services, or otherwise collects or transmits any user’s personal information, you must maintain a privacy policy. You are responsible for informing customers of your privacy policy (including by submitting that policy to us for display to customers). Your privacy policy must (i) comply with applicable laws and regulations, (ii) inform users of the information collected by your app and how that information is used, stored, secured and disclosed, and (iii) describe the controls that users have over the use and sharing of their information, and how they may access their information. If your app uses the geolocation, texting/SMS, webcam or microphone capabilities, you must also provide access to your privacy policy in the app’s settings as displayed in the Windows settings charm." (Section 3(f))

Reference Materials

Hashing for privacy in social apps: how to protect personal data on the server while still enabling social functionality.
"Do the hashing client-side, and only upload hashed data for comparison on the server."

Best Practices for Mobile Application Developers (CDT and FPF): practical rules of the road for app developers from two leading privacy think-tanks.
"As the app developer, you need to be responsible for thinking about privacy, and taking privacy into consideration during the various stages of your app life cycle."

GSMA Privacy Design Guidelines for Mobile Application Development (Dec 2011): detailed guidance from an organization of more than a thousand mobile companies.
"Give users easy to understand choices and mechanisms for exercising privacy choices. Make it easy not hard – they’ll like you better for it."

Mobile Application Privacy Policy Framework: privacy policy language and practices suggested by a leading trade group.
"The policy is designed to address the core privacy issues and data processes of many mobile applications, but should not be considered sufficient by itself to cover all types of applications."

CTIA's Best Practices and Guidelines for Location Based Services: advice from the largest association of wireless providers.
"LBS Providers that share location information with third parties must disclose what information will be provided and to what types of third parties so that users can understand what risks may be associated with such disclosures."

Four Legal Considerations To Building A Mobile App: advice from a legal specialist in privacy and security.
"While it will take years for regulators and case law to solidify the legal boundaries around any emerging technology, including mobile apps, businesses and marketers who want to avoid predictable legal scrutiny can reduce their risks now by adhering to traditional best practices around advertising and privacy."

Privacy By Design: how to bake good privacy practices into your service as you build it.
"Principles include 'privacy as the default setting,' 'positive-sum not zero-sum,' 'keep it open,' and 'keep it user centric.'"

W3C Mobile Web Application Best Practices: a motherlode of practical development guidance, including disclosure.
"Ensure that the user is informed if the application needs to access personal or device information. The user should be informed of the types of information that will be used by the application and whether / how that data will be exchanged with the server."

Privacy-Interested Organizations

Future of Privacy Forum: leading think tank hosts a rich application-privacy resource center.
"It is important that both users and developers understand how the data is used when the user interacts with the app, and what recommended practices developers should adopt to best protect the privacy and security of the people using their apps."

Association for Competitive Technology: mobile trade group educates and advocates for small developers.
"ACT was started by a small group of information technology entrepreneurs who felt their interests were not being represented in government. Today, ACT is still run by entrepreneurs from the industry who intimately understand the challenges of building a business from the ground up."

Mobile Marketing Association: trade group supporting best practices for marketing on mobile devices.
"[R]ather than having long Privacy Statements which users have to continuously scroll through (imagine doing that on your mobile device), a better user experience would be to create descriptive categories of privacy (No Personal Information shared, Personal Information Shared for Advertising Only, etc.)."