GPEN is an informal network of 27 Data Protection Authorities (“DPAs”) established in 2007. Its members include the UK’s ICO, Australia’s OAIC, and Canada’s OPC.
DPAs from 26 jurisdictions carried out this year’s sweep (an increase of seven jurisdictions compared with the last sweep which we reported on in May 2014). The recent sweep focused on (1) the types of permissions an app was seeking; (2) whether those permissions exceeded what would be expected based on an app of its type; and (3) the level of explanation an app provided as to why the personal information was needed and how it proposed to use it.
The results showed that:
- 85% of the mobile apps failed to explain clearly how they were collecting, using and disclosing personal information.
- 59% left users struggling to find basic privacy information.
- One in three apps appeared to request an excessive number of permissions to access additional personal information.
- 43% failed to tailor privacy policies for the small screen, e.g., by providing in tiny type or requiring users to scroll or click through multiple pages.
In announcing their results, the GPEN made it clear that the sweep was not in itself an investigation. However, the sweep is likely to result in follow-up work, such as outreach to organisations, deeper analysis of app privacy provisions, or enforcement actions.
Privacy shortcomings are not just a regulatory matter; research by the ICO last year suggested that 49% of app users have decided not to download an app because of privacy concerns. In an increasingly crowded app marketplace, good privacy policies may be a valuable way to stand out from the competition.