Privacy & Information Security Law Blog

On December 9, 2014, a coalition of 23 global privacy authorities sent a letter to the operators of mobile application (“app”) marketplaces urging them to require privacy policies for all apps that collect personal information. Although the letter was addressed to seven specific app marketplaces, the letter notes that it is intended to apply to all companies that operate app marketplaces.

According to the letter, the 2014 Global Privacy Enforcement Network (“GPEN”) enforcement sweep, which was conducted in coordination with 26 privacy enforcement authorities, examined the types of permissions sought by more than 1,200 apps and the extent to which consumers were notified about each app’s privacy practices. The sweep found that numerous apps did not have a privacy policy, and that the practice of linking to a privacy policy was applied inconsistently across the apps. The letter indicates that, although most marketplaces allow app developers to link to a privacy policy, this practice does not appear to be mandatory.

According to the letter, mobile operating system developers and other app marketplace operators play an important role in consumers’ interactions with apps. The marketplace acts a landing spot where individuals can search for apps, read reviews, and access technical information about a particular app before downloading it, which enables individuals to make informed decisions about products in that marketplace.

The letter indicates that, “[g]iven the wide-range and potential sensitivity of the data stored in mobile devices, we firmly believe that privacy practice information (for example, privacy policy links) should be required (and not optional) for apps that collect data in and through mobile devices within an app marketplace store.” The letter adds that the relevant privacy enforcement authorities “expect a marketplace operator would put in practice, if it has not already, this advice, and implement the necessary protections, to ensure the privacy practice transparency of apps offered in their stores.”

We previously reported on the results of the GPEN enforcement sweep carried out in May 2014 to assess mobile app compliance with data protection laws.

View the letter.