Last updated on 19 July 2024
I feel like app designers' attitudes on privacy have changed a lot lately.
It's ok: here's what you need to know.
Summary (TL;DR)
- Privacy isn't scary: it's an opportunity to earn people's trust.
- This is about how we handle personal data.
- Some data are sensitive, and we need explicit consent before collecting them.
- System permissions for apps are not the same as explicit consent.
- Everyone is entitled to certain privacy rights: to be informed (Notice), to see the data we collect (Access), to take their data elsewhere (Portability), and to have their data corrected or deleted (Right to Be Forgotten).
- Here are some design patterns we can use to respect people's privacy in our mobile apps.
By the way, I don't claim to be an expert... This is stuff I learned from working on mobile health apps, advice from experts, books, articles, & my own review of:
HIPAA (Health Insurance Portability & Accountability Act)
GDPR (EU General Data Protection Regulation)
EU-U.S. and Swiss-U.S. Privacy Shield Frameworks
Personal vs. Sensitive Data
As the title suggests, privacy deals with two broad categories of data. Personal data refers to any information that can identify a person. Sensitive data refers to a subset of personal data that leave a person especially vulnerable to discrimination or harassment. When in doubt, assume data are sensitive.
Collecting sensitive data requires explicit consent, i.e. opt-in.
Sensitive data include types that reveal information like:
- Religion
- Racial or ethnic origin
- Sexual orientation
- Political affiliations
- Criminal history
- Union memberships
- Genetics
- Biometrics
- Medical history
Asking for Explicit Consent
So, we understand that we need explicit consent before collecting a person's sensitive data. And the principle of informed consent means that people need to understand what they're consenting to. We usually give people this information in a privacy notice.
- Our privacy policy is how we agree to handle data.
- A privacy notice tells people about our privacy policy.
Since privacy notices tend to be long and difficult, we can use a short-form privacy notice. It's a brief, understandable summary of your privacy policy.
I worked with this pattern at Philips, because the apps I worked on there collect medical data. Here's an example for onboarding people to a fictitious baby health app.
As you can see, the screen summarizes the most important points of the privacy policy and links to the full privacy notice. And it's opt-in: the toggles are off by default, and the I Agree button doesn't appear until at least one toggle is switched on.
Using this pattern does interrupt a person's flow in using the app. But sharing sensitive data carries some serious risk, so it's in a person's best interest to stop & think for a moment about what's happening. In that sense, this is the opposite of deceptive "dark" patterns.
That doesn't mean we can't make it a little easier or more fun! It's an opportunity to establish trust, highlight the app's value, and express your service's personality. We can use techniques like motion to assist people as well.
Permissions vs. Consent
Please allow me to bust the most common myth I've seen around privacy for apps: Asking for system permissions ("Allow App to access your location?") is not the same as asking for consent.
Permissions are your operating system, asking if you trust the app in question. But consent represents an agreement between the person sharing data and the people collecting them.
Informed consent requires that people understand what they're consenting to.
So what does informed consent really mean? Let's take a quick look at people's privacy rights.
Privacy Rights
You and I, as well as the people who use the things we create, have a legal right to privacy. While specific laws apply depending on where people live, here's a rundown of the most important rights we need to respect when collecting data.
Right to Notice
People have the right to know:
- Which types of data we're collecting
- Why we're collecting the data (purpose)
- Who else (3rd parties) will get the data & why
- How to have their data corrected or erased
Right to Access
We need to make sure people can access all the data we have about them, for free and in a digital format.
When we analyze people's data (like with machine learning algorithms), they also have the right to know the processing logic & any consequences from being profiled. This is especially important when an algorithm decides how long you should go to jail.
Right to Portability
A person must be able to transfer their data from one place to another. So the data need to be made available "in a structured, commonly used, machine-readable and interoperable format" (GDPR).
Right to Erasure
A person also has the right to have their personal data corrected or deleted. They can withdraw any given consent, and sometimes any links to personal data must also be deleted (Right to Be Forgotten).
This presents a challenge for systems that rely on blockchain. Because it's immutable, data on a blockchain can't be deleted. Opinions differ as to how this challenge should be addressed.
Full disclosure: some of my clients work with blockchain. And I believe that we need to adapt technology to our human rights, not the other way around.
Our Responsibilities
We know that revealing a person's sensitive data could get them fired from their job, dropped from their insurance, or even arrested. But even seemingly "innocent" data can be harmful. Revealing a person's name & date of birth leaves them vulnerable to identity theft, so we have important responsibilities.
Collect only what you really need.
An appalling number of people still insist on collecting people's birth dates. But the risk of someone opening a credit card in my name far outweighs the benefit of getting that "happy birthday" spam marketing e-mail from your company. So collect only what you really need, and destroy any data as soon as it's no longer needed.
Keep people informed.
Informed consent means always knowing what you've consented to, especially when that changes. As a product evolves, you may want to start collecting new data, or find a new purpose for data you're already collecting.
That's ok, but when we make changes, we need to let people know. And if we want to collect more sensitive data, or change how we use sensitive data we already have, we need to ask for explicit consent again.
Here's a version of the short-form privacy notice, adapted to ask for new data.
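A minimal model of the consent pattern described in this post, as an added example that is not code from the post or from Philips: opt-in toggles, the I Agree gate, consent kept separate from OS permissions, and re-consent when the notice or the sensitive purposes change. The purpose ids, data labels and notice version are assumptions made up for the fictitious baby health app.

```javascript
// Added example, not the post's code. Purpose ids, labels and the
// notice version are made up for a fictitious baby health app.
const NOTICE_VERSION = 2;
// Each toggle on the short-form notice: what is collected, who else gets it,
// whether it is sensitive, and which OS permission (if any) it depends on.
const PURPOSES = [
  { id: "feeding_log", data: "feeding times", sensitive: false },
  { id: "growth_chart", data: "weight and height", sensitive: true },
  { id: "share_doctor", data: "growth chart", thirdParty: "pediatrician", sensitive: true },
  { id: "nearby_clinics", data: "location", sensitive: false, permission: "location" },
];
// Opt-in: every toggle starts off and nothing is recorded as agreed.
function newConsentState(purposes = PURPOSES) {
  const toggles = Object.fromEntries(purposes.map((p) => [p.id, false]));
  return { noticeVersion: NOTICE_VERSION, toggles, agreedAt: null };
}

// The "I Agree" button only appears once at least one toggle is on.
function canAgree(state) {
  return Object.values(state.toggles).some(Boolean);
}

function setToggle(state, id, on) {
  if (!(id in state.toggles)) throw new Error(`unknown purpose: ${id}`);
  return { ...state, toggles: { ...state.toggles, [id]: on } };
}

function agree(state, now = new Date()) {
  if (!canAgree(state)) throw new Error("nothing was opted into");
  return { ...state, agreedAt: now.toISOString() };
}

// Withdrawing consent for one purpose is just switching its toggle off.
const withdraw = (state, id) => setToggle(state, id, false);

// Processing needs recorded consent for that purpose AND, separately, any OS
// permission the purpose depends on. A granted permission alone is never enough.
function mayProcess(state, id, permissions = {}, purposes = PURPOSES) {
  const p = purposes.find((x) => x.id === id);
  if (!p || state.agreedAt === null || !state.toggles[id]) return false;
  return !p.permission || permissions[p.permission] === true;
}

// Ask again when the notice changed, or a sensitive purpose was added since
// the person agreed (new sensitive data, or a new use of existing data).
function needsReconsent(state, purposes = PURPOSES) {
  if (state.noticeVersion !== NOTICE_VERSION) return true;
  return purposes.some((p) => p.sensitive && !(p.id in state.toggles));
}
```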
Let people correct & delete their data.
People own their personal data, so they have a right to have it corrected or deleted whenever they want. Most companies require that you contact them to manage your data, but some provide in-app controls that allow you to do it yourself.
The Health app on iOS does this nicely by allowing people to view and delete their data within the interface.
What Now?
So there it is, what every app designer needs to know about privacy.
There's much more out there of course; engineers and business stakeholders have other things to think about as well. But we're also customers and citizens, so we need to think about our own privacy.
Empower people, don't exploit them.
There are lots of principles out there for Privacy by Design. And with privacy laws like the GDPR, there are plenty of consultants offering advice. But the main thing to remember is: be cool. Treat people with respect.
Special Thanks
My journey into the world of privacy started with Bram Hoovers and Almar van der Krogt. We started around 2013 working together on the first privacy guidelines for mobile apps at Philips, and I've been hooked ever since. Thanks, gentlemen!
Thank you, Hester Bruikman-Pagán for your time and feedback!
Further Reading
Privacy: And How to Get It Back (Great book), by B. J. Mendelson
Ethical Design Manifesto (I follow this), by Indie
A Techie's Rough Guide to GDPR (More on the law), by Cennydd Bowles
Here's how Apple can figure out which emojis are popular (Differential Privacy), by Rob Verger
Grindr Is Letting Other Companies See User HIV Status And Location Data (Privacy is important!), by Azeen Ghorayshi