Monday, October 27, 2014

Windows, Windows Phone, App Studio, Privacy Policies, Certification and legal responsibilities

At some point, probably in the not too distant future, the privacy of app data is going to become a seriously important issue. Some country or another is going to suddenly clamp down hard or a developer who should have known better is going to do something silly and end up getting taken to court and made an example of.

Why am I saying this?
Because I've been thinking about privacy policies and how they are referred to in apps created with App Studio.


In case you are developing apps and didn't realise it, you almost certainly need a privacy policy for your app.

If your app connects over the internet you definitely (supposedly?*) need one for it to be certified in the store.

App policies for Windows Phone 2.8.1
If your app has the technical ability to transmit data to you or a third party, you must maintain a privacy policy. This can be hosted within or directly linked from the app. The privacy policy must be accessible from your app at any time. App capability declarations that make your app network-capable include: internetClient, internetClientServer, privateNetworkClientServer, and ID_CAP_NETWORKING. Your privacy policy must inform users of the personal information accessed or transmitted by your app and how that information is used, stored, secured and disclosed, and describe the controls that users have over the use and sharing of their information, how they may access their information, and it must comply with applicable laws and regulations.

App certification requirements for the Windows Store
4.1.1 Your app must have a privacy statement if it is network-capable
If your app has the technical ability to transmit data to you or a third party, you must maintain a privacy policy. You must provide access to your privacy policy in the Description page of your app, as well as in the app’s settings as displayed in the Windows Settings charm.
App capability declarations that make your app network-capable include: internetClient, internetClientServer and privateNetworkClientServer.
Your privacy policy must inform users of the personal information accessed or transmitted by your app and how that information is used, stored, secured and disclosed, and describe the controls that users have over the use and sharing of their information, how they may access their information, and it must comply with applicable laws and regulations.


* I say "supposedly" because this isn't checked or enforced.

In that the store's have a space for the developer to enter the required privacy policy link then would it not be reasonable that when an app is submitted the URL becomes mandatory for apps which have a networking capability? (The store can easily detect his capability when an app is submitted.)

Is this a widespread issue?
Yes. Take a publisher. For the sake of an example let's look at "Microsoft Corporation". Take a look at their apps in the Windows Phone Store. For some you'll see they're breaking their own requirements and not including the required privacy policy link.

With App Studio apps (where I started this explorations) it's even worse.
For many such apps that make it into the store you'll find no privacy policy whatsoever. In the app bar there's also a "privacy" option but tapping it does nothing as they haven't added a link.




For a few apps you'll be directed to http://appstudio.windows.com/en-us/home/appprivacyterms
I'm not a lawyer (obviously) but this seems inadequate and overly vague. It doesn't even (IMHO) meet the store certification requirements for a privacy policy. At best it just defers any responsibility from any privacy related issues from Microsoft and onto the developer. It doesn't help the developer know what they should be declaring or even help them create an app without broken links in it's menu.


The app studio agreement also highlights the developers responsibility regarding the need for a privacy policy in two places:


II.1.a.3:
The Application must comply with the applicable laws of each jurisdiction into which you choose to make the Application available, including (i) export control laws; (ii) data protection, privacy, and other laws and regulations relating to collection and use of user information by your Application; (iii) telecommunications laws; and (iv) content ratings regulations. 

II.2.c:
Terms of Use and Privacy Policy. If you distribute an Application that enables access to and use of Internet-based or mobile services or otherwise collects and/or transmits user information to you or a third party, you are responsible for informing Development Partners and Application Recipients of your terms of use and privacy policy. At a minimum, you must maintain a privacy policy that (i) complies with applicable laws and regulations, (ii) informs users of the information collected by your Application and how that information is used, stored, secured, and disclosed, and (iii) describes the controls that users have over the use and sharing of their information and how they may access their information.


If you're publishing an app (including or maybe especially if it's created via App Studio) you need to consider what should be in your privacy policy.



Also though, don't you think Microsoft could and should be doing more to help developers? Most of whom are individuals who don't have the resources or knowledge to do a sufficient job in this area on their own.
It would also be nice to see the store enforcing its own policies - or at least helping flag to developers where they need to provide something, Especially when this can be done in an automated way.



I'm not a lawyer - this isn't legal advice. (It's advice to seek legal advice.)
You may (probably) need actual, bona fide legal advice for your app (business).
Seek it from someone suitably qualified. Not just some random blog! ;)

5 comments:

  1. Congrats, great content!

    Well, if I may, I'm running something still very incipient for brazilian (or portuguese native speakers) Windows Phonefilos ---> www.windowsphonedoctor.com ,
    created lately, with an article a day at least publishing vow. I'm working alone here, so don't expect much please, and this is not my priority. Anyway, I'm investing in it and looking forward to hiring a web designer.

    Thank you very much in advance, best regards! SI.

    ReplyDelete
  2. Air conditioning, Alarm clock, rolex replica Bathrobe, Bathroom amenities, Connecting rooms, Converters/ Voltage adaptors, Copier, Data port, Desk, hermes replica Desk with lamp, Direct dial phone number, Double beds, Dual voltage outlet, Hairdryer, High speed internet connection gucci replica, Iron, Ironing board, Modem, Non-smoking, Private bathroom, Safe, Separate modem line available, Speaker phone replica shoes, Telephone, Telephones with message light, Voice mail, Wake-up calls, Air conditioning individually louis vuitton replica controlled in room, Ceiling fan, Electrical adaptors available, Accessible room, Self-controlled replica louis vuitton heating/cooling system, Single bed, Maid service, Handicap room, High speed louis vuitton replica internet access fee

    ReplyDelete
  3. If your app has the technical ability to transmit data to you or a third party, you must maintain a privacy policy. This can be hosted within or directly linked from the app.trap beats for sale

    ReplyDelete