GSMA Releases Privacy Design Guidelines to Increase Privacy Considerations for Mobile Apps

A month after the Mobile Marketing Association released its Mobile Application Privacy Policy Framework (which we blogged about here), the GSM Association (GSMA) announced the release of its Privacy Design Guidelines for Mobile Application Development. The guidelines seek to provide developers with specific design points meant to enhance mobile application users’ abilities to guard personal information within mobile apps.

The mobile application business has experienced exponential growth over the past several years due to the increasing popularity of mobile devices. According to the GSMA, a global organization representing the interests of roughly 1,000 mobile operators and companies, “[a] critical factor for the sustainable development of [the mobile] eco-system is a robust and effective framework for the protection of privacy, where users can continue to have confidence and trust in mobile applications and services.”

The GSMA’s new Privacy Guidelines provide a foundation for that framework. Previously, in 2011, the GSMA published its Mobile Privacy Principles, which established certain high-level privacy principles meant to provide “meaningful transparency, notice, choice, and control for users with regards to their personal information and the safeguarding of their privacy.” The new Privacy Guidelines, which the GSMA developed through comments received from industry stakeholders and regulators, provide functional guidance regarding the implementation of those principles.

Specifically, the Privacy Guidelines encourage developers to adopt a proactive Privacy-By-Design approach by implementing the following:

Transparency, Choice, and Control

  • Give prior “who-what-why” notice and obtain a user’s “active consent” for the collection, use, and sharing of personal information, as well as any application changes affecting privacy (“active consent” occurs where a user has the opportunity to agree to the specific use of personal information)
  • Collect and use only reasonable amounts of information within the scope of the user’s expectations
  • Allow users to control the frequency of reminders about features which use personal information
  • Provide users with information and choice regarding an application’s privacy settings

Data Retention and Security

  • Ensure applications using unique identifiers are linked to the rightful user
  • Protect personal information from unauthorized access or disclosure and establish justifiable retention and deletion periods

Social Networking and Social Media

  • Ensure default settings protect privacy and allow easy control of profile information
  • Provide additional, heightened privacy measures for underage users
  • Obtain consent for any access, use, and/or sharing of location data

Mobile Advertising

  • Inform users, prior to download and/or activation, if applications are ad-supported
  • Obtain active consent for targeted advertising, profiling, and/or viral marketing
  • Ensure content is appropriate for the audience

Children and Adolescents

  • Provide age-targeted information regarding the consequences of using an application
  • Ensure the default location setting prevents a user from publishing his or her location
  • Comply with applicable jurisdictional laws regarding the protection of children
  • Where possible, include an age verification mechanism

Accountability and Enforcement

  • Assign responsibility for privacy issues throughout the application’s lifespan
  • Provide a means for users to report application problems.

Anne Bouverot, the Director General of the GSMA, labeled the Privacy Guidelines as “an important first step in establishing best practices for [the mobile application] industry.” In fact, several European mobile operators are already in the process of implementing the Privacy Guidelines for their branded mobile applications (France Telecom – Orange, Telecom Italia, Deutsche Telekom, Telekom Austria Group, Telenor Group, TeliaSonera, Vodafone, and Telefónica).