Over the past twelve months, the internet-connected doll My Friend Cayla went from one of the hottest toys of the holiday season to an internationally-classified 'espionage device.' The doll was the subject of an FBI warning, banned from sale or ownership in Germany, and eventually dropped from every major retailer in the United States. Despite the nearly universally high reviews for the doll, revelations about the privacy risks were insurmountable. What parent is going to buy an 'espionage device' for their young children?
My Friend Cayla is a cautionary tale about just how poorly things can go if you get privacy wrong, particularly for protected users (like children under 13 years old) or types of data (like health or financial information). Doing everything correctly from a legal perspective is crucial, but it is also important to develop a trusting relationship with your customers and users. Consumers are unlikely to read lengthy user agreements closely, yet those same consumers often feel aggrieved when they unwittingly share their data with strangers. And if it turns out a tech company's privacy and disclosure policy is ambiguous or inaccurate, an apology on social media probably won't be enough to counter the reputational blows.
Here are a few questions developers should ask themselves to avoid becoming the next privacy scandal.
Does your app have a privacy and disclosure policy
If not, get to work. Even if you aren't collecting data from your consumers or their devices, you should clearly inform your users of that. It is always better to have a privacy policy than to not to have one.
The Better Business Bureau
created a sample privacy policy you can use as a guide when crafting your own policy.
Is it accessible?
If it takes users more than a couple of minutes to find your privacy and disclosure policy on your app or website, the answer is no. Your privacy and disclosure policy should be prominently displayed on your website and app, and easily accessible from app store listings.
You also should consider including an email address, phone number, and mailing address so that users (and press) can contact you if they have questions.
Does it clearly and accurately explain how you use and store user data?
Hard-to-read and unclear privacy policies are just as likely to earn public derision as not having one at all.
Your privacy policy needs to be clear, concise, and written in language that consumers can understand. Where applicable, it should discuss whether your app:
- collects personally identifiable information and/or information for internal use;
- includes in-app purchases;
- has social media capabilities, and how they are utilized;
- includes advertising, and whether the advertising is behavioral or contextual;
- includes links to the internet and/or app store; and
- uses third party services or plug-ins.
Have you addressed any special audiences or functions that require additional disclosures?
Even small functions, like robocalls and text messaging notifications, require specific disclosures. If your app is directed to children, health and wellness, or retail, you need to take into account the following considerations.
Children - Apps directed to children must take extra consideration and care for minors' personal information. If your app's target audience includes children under 13 years old, it's important you understand and comply with the Federal Trade Commission's (FTC)
Children's Online Privacy and Protection Act (COPPA). The FTC has a handy
FAQ to help comply with COPPA - and don't forget to check that any third party services and plug-ins are also compliant.
Health and Wellness - Health and wellness apps may need to comply with laws that regulate the use of medical information and manage ad networks and analytics providers that may access consumers' data, like
HIPAA. If you plan to connect your app with health care providers, be sure to closely read the
HIPAA FAQ (for both
individuals and
professionals) and include the necessary disclosures in your policy.
Retail - If you're developing a retail app that will be used for any financial activities, you must safeguard user data and be transparent about any access partners, third party contractors, and/or affiliate marketing services may have to it. You can read up on the requirements for financial institutions under the Gramm-Leach-Bliley Act on the
FTC website.