An overview of the main privacy issues with recommendations on how to avoid difficult situations with users

1. 10 Burning
Questions
on Privacy

2. 2
This presentation gives an overview of the most
important issues related to privacy on the web and
mobile.
It also provides insights and recommendations on what
you need to do for your mobile services and marketing
campaigns to create the best environment for users to
share their data.
Introduction
The author, Agathe Caffier, graduated as a business
lawyer in London and is now a Certified Information Privacy
Professional (CIPP/E).
As well as being the general council for Golden Gekko, one
of the leading mobile solution providers in the world, her
expertise in privacy matters related to mobile has led her to
provide privacy guidelines and audits to companies such
as Vodafone, Telefonica and many more.

3. Index
1. What is Privacy
2. What are the different regimes?
3. Which are the OECD principles?
4. Who are the different players?
5. What is the definition of personal data?
6. What does consent mean?
7. What is Active Consent in mobile?
8. Why is user data collected?
9. What is the Privacy debate about?
10. Why is there a debate about cookies?
3

4. 4
Defined as the right to be left alone, anonymity.
Control over the use of personal information.
The ability of an individual or group to seclude themselves
or information about themselves, and thereby reveal
themselves selectively.
What is Privacy?
There is no single privacy law that applies universally.
Some languages do not have a word for privacy and only
80 countries have data protection regimes.
Four categories of privacy: bodily (physical), territorial
(house), communication (mail, telephone), information
.

5. 5
Comprehensive model (EU)
General law covering data protection in public and
private sector, with an agency responsible for covering
its enforcement (DPA). France CNIL, Spain AEPD, UK
ICO
What are the different regimes? (1)
Sectoral Model (US)
No general framework but some existing laws addressing
specific industry sectors. Eg: finance, healthcare.
Each law will have a different enforcement authority.
.

6. 6
Co-regulatory, Self-regulatory Model (Canada)
Mix of government and non governmental institutions that
protects personal information.
Co: law which states that each industry must develop
enforceable codes
What are the different regimes? (2)
Self: no law but existence of codes of practice for
protection by company industry or independent body.
No general Privacy / data protection law (China)
No general law. No industry guidelines.
.

7. 7
Collection limitation principle - data subject should
know of collection when possible
Data quality principal - data to be relevant for the
purpose of collection
Which are the OECD principles? (1)
Purpose specification principle – purpose of collection
must be specified at time of collection
Use limitation principle – data to be used according to
purpose
.

8. 8
Security safeguards principle – data should be
protected
Openness principle – no secrecy about data controller
identity and the way the data is used
Which are the OECD principles? (2)
Individual participation principle – data subject right of
access (if refused there must be valid reasons)
Accountability principle- accountable for complying with
measures in principles
.

9. 9
Data Processor
Is an individual or organization, often a third party
outsourcing service, that processes data on behalf of
the data controller.
Is not authorized to do additional data processing
outside of the scope of what is permitted from the data
controller itself.
Who are the different players?
Data Subject
Individual whose information is being processed,
Eg: employee, end-user of an App.
Data Controller
An organization who has the authority to decide how
and why personal information is to be processed

10. 10
“Any data that relates to an identified or identifiable
individual”
There are certain differences from one country to
another. For example, in the EU, an IP address is
personal whereas this is not the case in the US
Examples of what is classified as personal data
includes name, gender, contact information, age
and birth date, marital status, social security
number.
What is the definition of
personal data? (1)

11. 11
A sub category is sensitive data, which covers for
example, racial or ethnic origin, political opinion,
biometric data, trade union membership or sexual
orientation.
Non- personal data is anonymized data, for example,
the date and time someone visits a specific webpage.
What is the definition of
personal data? (2)

12. 12
“Any freely given specific and informed indication of his
wishes by which the data subject signifies his
agreement to personal data relating to him being
processed”.
Consent must be unambiguous.
Valid consent assumes the individuals’ capacity to
consent.
What does consent mean?
Individuals who have consented should be able to
withdraw their consent, preventing further processing of
their data.
Consent must be provided before the processing of
personal data starts, but it can also be required in the
course of processing, where there is a new purpose to
the data.
.

13. 13
The definition of Active Consent in mobile is:
Voluntary, informed, express and revocable permission.
This means a user is given a clear opportunity to agree
a specific and notified use of their personal information.
Permission must be captured in a way that is not the
default option.
What is Active Consent in mobile?
Active consent applies to secondary, non-obvious use
of a user’s personal information, and/or applications
that have additional privacy implications for users
For example, an app requesting a user’s location,
where such data is not necessary for the functioning of
the app.
.

14. 14
Golden Gekko recommends not only to comply with
the minimum legal requirements imposed by the law
but to go the extra mile and involve the user. Ensure
they are able to actively approve of their data being
processed.
A great way to involve the user in
participating is to educate them.
Our recommendation
The user should own the consent process and be given
a choice. They should also be allowed to retract their
permission easily, for example in the main ‘Settings’
menu.
Another great way to involve the user in participating in
giving consent is to educate them. Education is very
efficient when the app includes a simple wizard which
takes the user through all the privacy parameters
included in the app.
.

15. 15
Your data can help app makers take important
decisions related to future feature enhancements
helping the app to work for you in a more personalized
way.
Some apps gather your personal data so that they can
target specific ads to you. If your data shows you meet
certain criteria, advertisers will tailor their marketing
efforts accordingly.
Why is user data collected?
In the case of a malicious app, your personal data could
be sold or used for illegal purposes.
For example, this type of app might send text messages
without your consent to premium numbers. In such
instances some users have reported being charged as
much as $10 per message. Getting access to your
contact list can be a goldmine for malware authors and
spammers.
.

16. 16
App users are aware that most applications will need to
use at least some basic personal data in order to allow
proper use.
The problem that most users encounter is not
necessarily centred around the idea of sharing their
personal data, but rather, around the lack of
transparency and the loss of ownership of said
information.
Our recommendation
Our recommendation: Be transparent and clearly
communicate to your user the reasons for collecting
their personal data.
Be transparent and clearly communicate
the reasons for data collection.

17. 17
App developers´ standpoint:
Privacy requirements should be respected to gain
users’ trust through being transparent.
Security measures need to be put in place to protect
users’ Privacy.
What is the privacy debate about?
Users’ standpoint:
Privacy may be voluntarily sacrificed in exchange for
perceived benefits.
Info can be stolen, misused and carries the threat of
identity theft.

18. 18
We refuse to follow a rigid approach which could mean
an overload of pop up notifications reducing the users’
positive experience.
We recommend a flexible approach to
privacy.
Our recommendation
We recommend a flexible approach to privacy.
A flexible approach should mean a leverage of best
practices from each sector in addition to a smart user
flow and privacy settings implemented within the app.

19. 19
In the EU, the first cookie law was introduced in 2002
where choosing to opt out was sufficient.
With the new Cookie law from 2009, opt in is required
with clear and comprehensive information about the
purposes of the storage of, or access to, that data.
Clear consent must be given.
Why is there a debate about cookies?
An example of a typical notice is: “This website uses
cookies. By using this website you approve to the use
of cookies. Please check our Privacy policy for more
information.”
There are different implementations of the law
depending on the jurisdictions:
http://cookiepedia.co.uk/cookie-laws-across-europe

20. 20
It is important to understand privacy and put in place
appropriate legal and security measures.
Understanding privacy matters linked to mobile
application solutions will play in your favour and help
you retain your customers.
By tackling privacy from the outset of the development
of your app, you will gain users’ trust more rapidly.
Our recommendation
We recommend you give your user the choice to share
or not his personal data as well as explaining the reason
for which the data is collected.
The customer should also be given the option to go
back and change their permission status easily.
The idea is not to overload the user with pop up
notifications at each step of the app but rather, by
thinking about how to integrate privacy upfront, allowing
them to be in control through education.

21. 21
A great way to do so is by adding a wizard that will
guide them when starting to use the app.
Moreover, by doing audits of your current application
on a regular basis you will gain users’ trust. The impact
of the latest breaches of personal data is raising
awareness amongst customers who are becoming
more demanding in regards to privacy settings.
Our recommendation
We recommend proactivity and adherence to the latest
industry recommendations by adjusting your user
journey accordingly.
We recommend proactivity and
adherence to the latest industry
guidelines.

22. Fighting for a world
full of mobile solutions
since 2005
web www.goldengekko.com
email
Agathe Caffier
Legal Adviser
info@goldengekko.com