Mobile Apps, advertising and privacy: ?

Digital Advertising and Privacy 2013, London 25 June 2013

Key challenges in mobile

Ecosystem - global, interconnected but fragmented inconsistent approaches to privacy / inconsistent user privacy experiences Regulation - patchwork of 99 geographically bound laws applies unequally according to technology and infrastructure inconsistent rules, restrictions and burdens Based on notice and choice (consent)
Users have privacy interests: want transparency, choice and control transcend borders and geographically bound laws BUT complexity of comprehension & understanding on mobile makes it difficult
1

GSMA 2013

Notice, consent and distributed responsibilities: its complex

GSMA 2013

It really is complex

GSMA 2013

More than the browser

Data types:

Browser/search level Identifiers (IMEI, ICCID, MAC address, UDID, Android ID, ODIN, IDFA, IDFV, MSISDN) Device fingerprinting

Contacts
Images (video, still) Sensors (microphone, compass, camera)

Communications data (calls, text, IM)

Calendar Location (where I am, where I am not, where I have been ) User entered info Registration/ account level data
4

GSMA 2013

. its

more

than

compliance

. Users
a

CARE ..

LOT

Concern driving policy and regulation

USA: FTC app privacy guidance/actions USA: California Attorney General - App Privacy Best Practice Canada: Federal Privacy Commissioners App Privacy Guidelines Japan: Smartphone Privacy Initiative Australia: draft App Privacy Guidelines Hong Kong: App Privacy Guidelines Europe: Article 29 Working Party Opinion on apps on smart devices

China: Notice on Strengthening the Administration of Networked Smart Mobile Devices

GSMA 2013

Article 29 Working Party: App Privacy

App developers:
must obtain a users specific, free and informed consent before they retrieve

or place information on a device only collect and process the minimum necessary to perform the function of the app set reasonable retention periods. allow users to withdraw their consent, uninstall the app and delete data where appropriate. provide a single point of contact for users provide a readable, understandable and easily accessible privacy policy, inc with details about identity of responsible parties etc. refrain from processing children's data for behavioural advertising purposes

App stores OS and device manufacturers

Granular access to data and sensors

Advertising parties must specifically avoid delivering ads outside the context of the app
9

GSMA 2013

What GSMA doing

So
is the

about it?

GSMA Mobile Privacy Initiative

Address mobile privacy challenges as an industry Published GSMA Mobile Privacy Principles

Published GSMA Privacy Design Guidelines for Mobile Applications

Conducted Consumer Research

Privacy Design Guidelines for app development

Express principles in functional terms Provide Best Practice for Apps Illustrative examples and use cases Foster a privacy by design approach Include modules on: Location Mobile advertising

Children
Social networking

GSMA privacy design guidelines and advertising

BUT .. It needs more than words

Thank you For more information contact: pwalshe@gsma.com www.gsma.com/mobileprivacy

GSMA 2013

15