By Monika Kuschewsky and Katherine Gasztonyi

In May 2014, the Global Privacy Enforcement Network (“GPEN”) performed its second Global Privacy Sweep, in which 26 privacy enforcement authorities from 19 countries downloaded 1,211 mobile apps and assessed their privacy practices. On September 10, 2014, the Office of the Privacy Commissioner of Canada (“OPC”) published the results of the Sweep (the “OPC Report”). The main findings can be summarized as follows:

  • While most apps provided some privacy information, only 15% clearly explained the app’s privacy practices.
  • 30% of the apps tested provided no privacy communications to users—such as a link to or information about the app’s privacy policy—other than communications requesting access to information (referred to as “permissions”).
  • Nearly 60% of the apps tested raised privacy concerns before the app was downloaded—meaning that there was not enough information available prior to download for potential users to adequately assess or review the app’s privacy policies.
  • 43% of the apps reviewed did not tailor privacy communications to small screens such as those present on smartphones and tablets.
  • 31% of the apps requested access to more information than necessary, based on GPEN’s understanding of the app’s functionality. Of the types of data requested, location was the most popular, followed by device IDs.

Although the OPC Report expressed dismay at the serious lack of appropriate privacy information communicated by some apps reviewed in the Sweep, by contrast, many popular apps were considered to embrace “clear, easy-to-read and timely explanations about exactly what information w[ould] be collected and how it w[ould] be used, pursuant to each permission.” The OPC Report noted this was especially true for apps active in spaces where children’s privacy and parent consent was an issue. The Sweep also found many positive examples of apps properly tailoring their privacy communications for small screen devices through the use of pop-ups, layered information and just-in-time notifications.

This is the second Privacy Sweep by GPEN, an organization of 51 privacy enforcement authorities from 29 jurisdictions that was created to strengthen global privacy protections by assisting public authorities and encouraging cross-border cooperation. (Information regarding GPEN’s first Privacy Sweep may be found here.) Although the OPC Report notes that the Sweep was “not an investigation,”  privacy enforcement authorities are currently weighing whether to pursue enforcement actions as a result of GPEN’s findings. Canadian authorities have reportedly already begun to follow-up with organizations whose apps’ privacy policies raised concerns.