Mobile apps installed on our smartphones are one of the biggest threats to our digital privacy. They are capable of collecting large amounts of personal data, often highly sensitive.
The consent model on which privacy laws are based does not work. App users remain concerned about privacy, as recent research shows, but they're still not very good at protecting it. They may not have the technical knowledge or time to review the privacy terms, or they may not have the willpower to resist the lure of trending apps and in-app custom offers.
As a result, privacy laws have become more detailed, imposing additional requirements on advance notice, data minimization and user rights. The feathers became harder. And laws are often global in reach, like the US Children's Online Privacy Protection Rule and the EU General Data Protection Regulation. For example, an African developer of an app downloaded by children in the US and the EU must comply with both the African Personal Information Protection Act. This complexity can create a significant compliance burden.
But the real problem, according to a report by the EU Agency for Cyber Security, is that lawyers and app developers don't speak the same language. An application developer may have no idea how to translate abstract legal principles into concrete engineering steps.
Cavoukian established seven fundamental principles for a privacy-by-design approach. But it's the second principle, “privacy as default setting,” that really sets the bar for a privacy-friendly app.
This places the app developer's responsibility to think about user privacy in advance, and to design the app in such a way that privacy is automatically protected, while providing a fully functional app experience.
Privacy should become a key component of design methodology, selection of technical tools and organizational value statements.