Personally identifiable information

Note: The following best practices are based on the BlackBerry Guidelines for Personally Identifiable Information, published on February 7, 2014. For information about what PII is, and what your responsibilities as an app developer are, see the Guidelines.

A primary privacy concern for most mobile customers is what happens to information that personally identifies them, commonly called personally identifiable information (PII). When handling customers’ PII, BlackBerry recommends app developers use the following best practices:

Use the principle of least permissions. Only collect, use, or disclose personal information for purposes that are reasonable. Likewise, only request the permissions your app reasonably needs to perform its intended functions. Do not request or require permissions that your app can function without, and always explain why you are seeking the permissions requested.

Consider the impact of third-party code. If your app includes third-party code, understand how it works, the functionality it provides, and if or how it handles customers’ information. Ensure that appropriate contracts are in place with any third-party service that you use. Consider how SDKs and third-party add-ins affect your app. For example, a third-party ad service might access and use PII that your app would not otherwise access.

Get consent and implement a privacy policy. If your app processes PII, you should have a publicly available privacy policy that complies with applicable law and explains what you do with information you gather. Ensure that your privacy policy is easily available and understandable to users. If you use unexpected practices or process sensitive information, be explicit about your practices and the reasons for them when obtaining consent from users.

Be accountable. Understand where your app is being sold and what legal privacy protection is in place for users in those locations. Ensure your app and its policies comply with all applicable laws. Be aware that data collected about minors or children can require additional special protection depending on the particular jurisdiction in which the app is sold.

Be transparent. Build trust with your customers by explaining clearly and simply how your app works, what data it collects, and what it does with that data. The explanation should include information about whether the information is sent off the device to remote servers. Consider options to explain these aspects, such as a separate link to how the app works or a special notice page in the app.

Secure your customers’ data. If the app collects, accesses, stores, or sends data to an external server, always safeguard that data. Use encryption at all layers, including encrypting the data stored on the phone, and use a secure transport layer such as SSL or TLS for off-device access. Limit access to all user data to those who have a legitimate business purpose for accessing the data.

Empower your customers to control their information. Give users additional choices and controls, including the use of a settings menu or privacy-sensitive default settings. For example, if you are collecting additional PII that is not strictly necessary for the app, make it clear to the customer that providing it is optional and allow users to opt out. Consider providing a paid version that doesn’t include ad packages.

Last modified: 2015-03-31
