Mobile apps are the new “must have” tool in any mobile marketing strategy, particularly for consumer brands. Cost effective to develop and operate, apps provide an ease and immediacy of interaction with consumers that is not available through traditional marketing channels.
They also have the potential to gather extensive amounts of personal information about the consumer. For organisations bound by the Australian Privacy Act, including the Australian Privacy Principles, this presents a legal compliance risk that needs to be balanced against the marketing strategy.
A global sweep of 1,200 mobile apps earlier this year by the Global Privacy Enforcement Network (GPEN) which is made up of international privacy authorities including the Office of the Australian Privacy Commissioner, found that the majority of mobile apps have privacy issues.
Most of the apps included in the annual sweep seek to access the user’s contact details, social media accounts and other personal information, without providing the user with sufficient information security protocols or properly advising the user of how their personal information will be used (and how they can protect their privacy).
A similar picture was painted by the US Federal Trade Commission (FTC) in its recent report on mobile shopping apps. The FTC found these apps often failed to clearly advise consumers of how their personal information would be used or handled.
The recommendation of the GPEN, following its annual sweep, is that “clear, concise information about privacy practices builds customer trust and is good for business”. This sentiment is echoed by the FTC and reflected in the OAIC’s privacy guidance for mobile app developers in the OAIC’s “Mobile privacy: a better practice guide for mobile app developers”. (Although the OAIC Guide was developed prior to the privacy law reforms earlier this year, it still provides useful guidance as to better privacy practice for mobile app developers and providers.)
If you’re looking to develop or use a mobile app to interact with consumers in Australia, and you’re bound by the Australian Privacy Act, you will need to:
The golden rule: “if you don’t need to know, don’t collect it”. This goes hand-in hand with another golden rule: “the more you know, the more you’re responsible for”. Some tips:
Provide the user with:
The OAIC’s Guide contains an extensive list of recommendations for meeting the “small screen” challenge. This includes:
This means building in privacy and security settings into the app’s architecture from the beginning, rather than trying to “bolt it on” later.
The contract should reflect your privacy compliance (as well as commercial, technical and legal) requirements, such as the required privacy features and settings. It should also deal with the level of access the developer will have to consumer data collected through the app (if any) during development and testing and on completion.
The bottom line is, if you’re using a mobile app to engage with consumers in Australia or to otherwise collect personal information, then you will need to ensure it complies with the Australian Privacy Principles.
You must be transparent about what personal information you’re collecting and your privacy practices, as well as complying with your other privacy obligations under the Australian Privacy Principles. The risk of non-compliance could be a fine of up to $1.7 million for an organisation, which would put a big hole in any marketing budget.
 This may include a foreign company, if there is an “Australia link” in accordance with s5B of the Privacy Act 1988 (Cth).
The content of this publication is for reference purposes only. It is current at the date of publication. This content does not constitute legal advice and should not be relied upon as such. Legal advice about your specific circumstances should always be obtained before taking any action based on this publication.