7 steps to building privacy into a health app

By Mike Miliard
09:12 AM

A report published Wednesday by the Future of Privacy Forum (FPF) takes stock of many popular mobile apps, documenting which of them provide consumers with a privacy policy describing their data collection and usage. FPF also released a guide to best practices for app developers.

With some 40,000 mHealth apps already available across various platforms, and the market set to skyrocket – pegged to grow 25 percent annually over the next five years, according to a study earlier this month from Kalorama – such practices will only grow in importance when it comes to protecting personal health information.

[Q&A: ONC's Wil Yu on how app contests offer more than money.]

By providing a privacy policy, companies become legally accountable for their practices and provide consumers with an opportunity to make informed decisions about whether to download an app.

In an effort to provide application developers with the tools and resources needed to implement trustworthy data practices, including privacy policies, FPF and the Center for Democracy & Technology (CDT) released a publication titled "Best Practices for Mobile Application Developers."

"Developers have access to tremendous amounts of very sensitive data about their customers," said Justin Brookman, CDT's director of consumer privacy. "We're offering these Best Practices guidelines to help well-meaning developers preserve user privacy without stifling the innovation and convenience offered by new platforms."

[See also: ONC seeks good practices for mobile device privacy and security.]

The report is generally-focused, but does touch on the special challenges faced by health-related apps and the data they traffic in – most importantly the importance of HIPAA compliance.

As part of its best practices guide, FPF and CDT list seven "Basic Steps Towards Building Privacy into your App":

  1. Practice Privacy By Design. Be proactive. Ask important questions and embed privacy measures throughout the lifecycle of your product or service.
  2. Communicate Openly & Effectively. Have a comprehensive and transparent privacy policy covering all of your data collection, sharing, and use practices. Use clear and simple language.
  3. Make Your Privacy Policy Easily Accessible. Don’t make users search for your privacy policy – make it prominent and easy to find.
  4. Use Enhanced Notice. Don’t surprise users – have respect for context. Use enhanced notice in situations where users might not expect certain data to be collected.
  5. Provide Users with Choices & Controls. Empower users. Allow them to choose and control the way their data is collected and used.
  6. Secure Your Users’ Data! Always use appropriate and up-to-date security measures to protect user data.
  7. Ensure Accountability. Make sure someone is in charge! Designate a privacy guru, or make sure to explicitly assume the responsibility yourself.

"The first and most significant step toward respecting your users’ privacy is creating a privacy policy that explains what data you collect, how you use it and with whom you share it," according to the report. "Do not just cut and paste a privacy policy from another app or website. Start by understanding your app in your own terms, and then do your best to communicate the same to your users."

The study suggests developers should know the privacy rules and requirements for the various app platforms, whether Apple iOS, Android or Facebook. Also, they should "give users choice and control around the unexpected collection, storage or transfer of personal information where feasible. If you are collecting or using data outside the scope of what users would reasonably expect, you should at the very least make sure your users can opt-out of such uses of their data."

[Related: Apps focused on controlling weight take top prizes.]

The FPF study shows that the percentage of free apps with a privacy policy doubled on the iOS App Store platform, from 40 percent to 84 percent; the percentage of paid apps with privacy policies on the same platform increased by 4 percent, from 60 percent to 64 percent.

On the Google Play platform, the percentage of free apps with a privacy policy started remarkably high at 70 percent, and increased to 76 percent.  The percentage of paid apps increased as well, from 30 percent to 48 percent.

The study reveals that almost all of the leading apps that collect precise location information do provide consumers with a privacy policy.

Other findings from FPF's new app privacy policy survey:

  • Overall, 61.3 percent of the 150 apps examined had a privacy policy when offered across three app store platforms: iOS App Store, Google Play and Kindle Fire Appstore.  
  • The free apps analyzed were more likely to have a privacy policy than the paid apps.  69.3 percent of free apps and 53.3 percent of the paid apps had privacy policies.
  • To determine whether consumers could review how an app would use their data before downloading the app, the study focused on whether an app provided access to privacy policy information in or from the app store. 22.7 percent of free apps and 20 percent of paid apps in Google Play and the iOS App Store have access to the privacy policy at the app store promotion page.
  • Forty-eight percent of free apps and 32 percent of paid apps on all platforms have access to the privacy policy in the app itself or via a link from within the app. If apps don't provide access to a policy from the app, consumers are forced to search the Web to try to find the app's policy.
  • Twelve out of the 50 apps surveyed on the iOS App Store platform requested precise location information and 10 of those 12 had privacy policies. 14 out of the 50 apps surveyed on the Google Play platform requested precise location information and 10 of the 14 had privacy policies.  

"Mobile apps are at the forefront of current consumer privacy concerns," write the authors of the best practices report. "High profile media attention and a series of class action lawsuits have prompted close scrutiny of app developer data practices from federal and state regulators. As a result, the U.S. the Federal Trade Commission (FTC)  is actively enforcing consumer privacy rights against application developers that surreptitiously access or misuse user data.

[See also: VA aims to revvolutionzie rural care with SCAN-ECHO.]

The good news, said Jules Polonetsky, director and co-chair of the Future of Privacy Forum, "app developers are starting to get the message that access to consumer data is a privilege not a right."

Ensuring data collection and use practices are well-documented "is the first step to showing that you are a responsible company," he added. "Although providing a privacy policy is no silver bullet, the process of documenting data use and making oneself legally accountable is a critical first step to building consumer trust."