I feel like app designers’ attitudes on privacy have gone from 😐 to 😕 & lately to 😳.
It’s ok: 😌 here’s what you need to know.
- Privacy isn’t scary: it’s an opportunity to earn people’s trust.
- This is about how we handle personal data.
- Some data are sensitive, and we need explicit consent before collecting them.
- System permissions for apps are not the same as explicit consent.
- Everyone is entitled to certain privacy rights: to be informed (Notice), to see the data we collect (Access), to take their data elsewhere (Portability), and to have their data corrected or deleted (Right to Be Forgotten).
- Here are some design patterns we can use to respect people’s privacy in our mobile apps.
By the way, I don’t claim to be an expert… This is stuff I learned from working on mobile health apps, advice from experts, books, articles, & my own (cursory) review of:
- HIPAA (Health Insurance Portability & Accountability Act)
- GDPR (EU General Data Protection Regulation)
- EU-U.S. and Swiss-U.S. Privacy Shield Frameworks
Personal vs. Sensitive Data
As the title suggests, privacy deals with two broad categories of data. Personal data refers to any information that can identify a person. Sensitive data refers to a subset of personal data that leave a person especially vulnerable to discrimination or harassment. When in doubt, assume data are sensitive. ?
Collecting sensitive data requires explicit consent, i.e. opt-in.
Sensitive data include types that reveals information like:
- Racial or Ethnic origin
- Sexual orientation
- Political affiliations
- Criminal history
- Union memberships
- Medical history
Asking for Explicit Consent
So, we understand that we need explicit consent before collecting a person’s sensitive data. And the principle of informed consent means that people need to understand what they’re consenting to. We usually give people this information in a privacy notice.
I worked with this pattern at Philips, because the apps I worked on there collect medical data. Here’s an example for onboarding people to a fictitious baby health app.
Using this pattern does interrupt a person’s flow in using the app. But sharing sensitive data carries some serious risk, so it’s in a person’s best interest to stop & think for a moment about what’s happening. In that sense, this is the opposite of dark patterns.
That doesn’t mean we can’t make it a little easier or more fun! It’s an opportunity to establish trust, highlight the app’s value, and express your service’s personality. We can use techniques like motion to assist people as well.
Permissions vs. Consent
Please allow me to bust the most common myth I’ve seen around privacy for apps: Asking for system permissions (Allow “App” to access your location?) is not the same as asking for consent.
Permissions are your operating system, asking if you trust the app in question. But consent represents an agreement between the person sharing data and the people collecting them.
Informed consent requires people that understand what they’re consenting to.
So what does informed consent really mean? Let’s take a quick look at people’s privacy rights.
You and I, as well as the people who use the things we create, have a legal right to privacy. While specific laws apply depending on where people live, here’s a rundown of the most important rights we need to respect when collecting data.
Right to Notice
People have the right to know:
- Which types of data we’re collecting
- Why we’re collecting the data (purpose)
- Who else (3rd parties) will get the data & why
- How to have their data corrected or erased
Right to Access
We need to make sure people can access all the data we have about them, for free and in a digital format.
When we analyze people’s data (like with machine learning algorithms), they also have the right to know the processing logic & any consequences from being profiled. This is especially important when an algorithm decides how long you should go to jail.
Right to Portability
A person must be able to transfer their data from one place to another. So the data need to be made available “in a structured, commonly used, machine-readable and interoperable format. (GDPR)”
Right to Erasure
A person also has the right to have their personal data corrected or deleted. They can withdraw any given consent, and sometimes any links to personal data must also be deleted (Right to Be Forgotten).
This presents a challenge for systems that rely on blockchain. Because it’s immutable, data on a blockchain can’t be deleted. Opinions differ as to how this challenge should be addressed.
Full disclosure: some of my clients work with blockchain. And I believe that we need to adapt technology to our human rights, not the other way around.
We know that revealing a person’s sensitive data could get them fired from their job, dropped from their insurance, or even arrested. But even seemingly “innocent” data can be harmful. Revealing a person’s name & date of birth leaves them vulnerable to identity theft, so we have important responsibilities.
Collect only what you really need.
An appalling number of people still insist on collecting people’s birth dates. But the risk of someone opening a credit card in my name far outweighs the benefit of getting that “happy birthday”
spam marketing e-mail from your company. So collect only what you really need, and destroy any data as soon as it’s no longer needed.
Keep people informed.
Informed consent means always knowing what you’ve consented to, especially when that changes. As a product evolves, you may want to start collecting new data, or find a new purpose for data you’re already collecting.
That’s ok, but when we make changes, we need to let people know. And if we want to collect more sensitive data, or change how we use sensitive data we already have, we need to ask for explicit consent again.
Here’s a version of the short-form privacy notice, adapted to ask for new data.
Let people correct & delete their data.
People own their personal data, so they have a right to have it corrected or deleted whenever they want. Most companies require that you contact them to manage your data, but some provide in-app controls that allow you to do it yourself.
The Health app on iOS does this nicely by allowing people to view and delete their data within the interface.
So there it is, what every app designer needs to know about privacy.
There’s much more out there of course; engineers and business stakeholders have other things to think about as well. But we’re also customers and citizens, so we need to think about our own privacy.
Empower people, don’t exploit them.
There are lots of principles out there for “privacy by design,” and with the GDPR coming into force next month, there are plenty of consultants offering advice. But the main thing to remember is: be cool, not 💩. Treat people with respect.
My journey into the world of privacy started with Bram Hoovers and Almar van der Krogt. We started around 2015 working together on the first privacy guidelines for mobile apps at Philips, and I’ve been hooked ever since. Thanks, gentlemen!
And thank you, Hester Bruikman-Pagán for your time and feedback! 🙏
Privacy: And How to Get It Back (Great book) – B. J. Mendelson
Ethical Design Manifesto (I follow this) – Indie
A Technie’s Rough Guide to GDPR (More on the law) – Cennydd Bowles
Here’s how Apple can figure out which emojis are popular (Differential Privacy) – Rob Verger
Grindr Is Letting Other Companies See User HIV Status And Location Data (Privacy is important!) – Azeen Ghorayshi