In February 2024, the Information Commissioner’s Office (“ICO”) issued a reminder to all app developers regarding the safeguarding of users’ privacy, prompted by the ICO’s examination of period and fertility apps. This blog will explore the ICO’s four practical tips to help app developers comply with their data protection obligations and maintain the privacy of their users.
The ICO's assessment into fertility apps
In the past year, the ICO conducted a thorough assessment of period and fertility apps, delving into how they handle personal data and assessing potential impacts on users. According to a survey conducted by the ICO, findings showed that women prioritise transparency regarding the usage and security of their data over cost and ease of use when selecting an app. The ICO’s review also indicated that more than half of app users noticed a rise in baby or fertility-related advertisements after registering. While some viewed these advertisements positively, 17% found them distressing.
During the review, the ICO reached out to multiple app providers to gain insights into their privacy practices, alongside interacting with app users to understand their experiences. While no significant compliance issues or instances of harm were uncovered during the investigation, the ICO emphasises the crucial importance of ensuring the protection of users’ personal information, particularly when dealing with sensitive data. The Deputy Commissioner, Emily Keaney said, “Users deserve peace of mind that their data is secure, and they are only expected to share information that is necessary. Our review has highlighted there are improvements app developers could make to ensure that they are meeting all their obligations to be transparent with users and keep their data safe.”.
The ICO’s practical tips
1. Be transparent
The first tip from the ICO underscores the importance of transparency in app development. It emphasises the need for app developers to be upfront about how they utilise users’ personal information. This involves providing clear and concise privacy information, including the purposes for processing personal data, retention periods and recipients of the data. Ensuring this information is easily accessible is crucial, fostering trust and transparency between users and app developers.
The ICO’s emphasis on providing clear and concise privacy information aligns with contemporary expectations for data protection. It’s crucial for app developers to understand that users have a right to know how their data is being used and shared. Achieving transparency can be accomplished through various means. One effective approach is to implement an easily accessible privacy notice within the app interface, clearly outlining the purposes of data processing, retention periods and details on data sharing practices. Additionally, incorporating user-friendly consent mechanisms during app onboarding ensures that users are actively informed and consent to data processing activities.
2. Obtain valid consent
Obtaining genuine consent is paramount in the realm of app development is the ICO’s second tip. It entails providing users with a meaningful choice regarding the usage of their personal information. App developers must adhere to data protection laws, which demand that consent be explicit, unambiguous and involve a clear action to opt-in. Using pre-ticked boxes or default methods for consent is strictly prohibited. Additionally, app developers must facilitate easy withdrawal of consent at any given time, empowering users to maintain control over their data privacy preferences.
App developers should implement user-friendly interfaces that make it easy for individuals to both give and withdraw consent at any time. This can be achieved through clear and accessible consent prompts, as well as providing straightforward options for users to manage their consent preferences within the app settings.
3. Establish the correct lawful basis
The third tip from the ICO is that it is imperative for app developers to establish a valid lawful basis for processing personal data. This could include obtaining consent, fulfilling contractual obligations or pursuing legitimate interests. However, selecting the appropriate lawful basis requires careful consideration of the specific purposes and context of data processing activities. There is no one-size-fits-all approach, as the chosen basis must align closely with the nature of the processing.
App developers must conduct thorough assessments and documentation to ensure compliance and respect user rights. By prioritising this step, app developers demonstrate their commitment to data protection and enhance user trust in their apps.
4. Be accountable
App developers must take responsibility for the personal information they handle is the final tip from the ICO. If you are the one determining how and why data is processed, you are considered the data controller. As a data controller, it is your obligation to adhere to data protection regulations and implement necessary measures to ensure lawful processing of data. This accountability underscores the importance of transparency, diligence and ethical handling of user data throughout the app development process.
This can be achieved through implementing robust data protection measures, such as conducting regular audits, implementing privacy by design principles and providing clear and accessible privacy notices.
Aria Grace Law CIC
The data privacy and technology law team at Aria Grace Law CIC can assist app developers in achieving compliance with the four crucial tips outlined by the ICO. From ensuring transparency and obtaining valid consent to establish the correct lawful basis and fostering accountability, we provide tailored solutions to meet the specific needs of app developers. If you want to find out more information or have any questions, please get in touch with us at privacy@aria-grace.com.
Article by Lindsay Healy (Partner), Puja Modha (Partner) and Sarah Davies (Trainee Solicitor) – 1 April 2024