This presentation gives an overview of the most
important issues related to privacy on the web and
It also provides insights and recommendations on what
you need to do for your mobile services and marketing
campaigns to create the best environment for users to
share their data.
The author, Agathe Caffier, graduated as a business
lawyer in London and is now a Certified Information Privacy
As well as being the general counsel for Golden Gekko, one
of the leading mobile solution providers in the world, her
expertise in privacy matters related to mobile has led her to
provide privacy guidelines and audits to companies such
as Vodafone, Telefonica and many more.
1. What is Privacy?
2. What are the different regimes?
3. Which are the OECD principles?
4. Who are the different players?
5. What is the definition of personal data?
6. What does consent mean?
7. What is Active Consent in mobile?
8. Why is user data collected?
9. What is the Privacy debate about?
10. Why is there a debate about cookies?
Defined as the right to be left alone, anonymity.
Control over the use of personal information.
The ability of an individual or group to seclude themselves
or information about themselves, and thereby reveal
What is Privacy?
There is no single privacy law that applies universally.
Some languages do not have a word for privacy and only
80 countries have data protection regimes.
Four categories of privacy: bodily (physical), territorial
(house), communication (mail, telephone), information
Comprehensive model (EU)
General law covering data protection in public and
private sector, with an agency responsible for covering
its enforcement (DPA). France CNIL, Spain AEPD, UK
What are the different regimes? (1)
Sectoral Model (US)
No general framework but some existing laws addressing
specific industry sectors, e.g. finance, healthcare.
Each law will have a different enforcement authority.
Co-regulatory, Self-regulatory Model (Canada)
Mix of government and non-governmental institutions that
protects personal information.
Co: law which states that each industry must develop
What are the different regimes? (2)
Self: no law but existence of codes of practice for
protection by company industry or independent body.
No general Privacy / data protection law (China)
No general law. No industry guidelines.
Collection limitation principle – data subject should
know of collection when possible
Data quality principle – data to be relevant for the
purpose of collection
Which are the OECD principles? (1)
Purpose specification principle – purpose of collection
must be specified at time of collection
Use limitation principle – data to be used according to
Security safeguards principle – data should be
Openness principle – no secrecy about data controller
identity and the way the data is used
Which are the OECD principles? (2)
Individual participation principle – data subject right of
access (if refused there must be valid reasons)
Accountability principle – accountable for complying with
measures in principles
Is an individual or organization, often a third party
outsourcing service, that processes data on behalf of
the data controller.
Is not authorized to do additional data processing
outside of the scope of what is permitted from the data
Who are the different players?
Individual whose information is being processed,
E.g. employee, end-user of an app.
An organization that has the authority to decide how
and why personal information is to be processed
“Any data that relates to an identified or identifiable
There are certain differences from one country to
another. For example, in the EU, an IP address is
personal whereas this is not the case in the US
Examples of what is classified as personal data
include name, gender, contact information, age
and birth date, marital status, social security
What is the definition of
personal data? (1)
A subcategory is sensitive data, which covers, for
example, racial or ethnic origin, political opinion,
biometric data, trade union membership or sexual
Non-personal data is anonymized data, for example,
the date and time someone visits a specific webpage.
What is the definition of
personal data? (2)
“Any freely given specific and informed indication of his
wishes by which the data subject signifies his
agreement to personal data relating to him being
Consent must be unambiguous.
Valid consent assumes the individuals’ capacity to
What does consent mean?
Individuals who have consented should be able to
withdraw their consent, preventing further processing of
Consent must be provided before the processing of
personal data starts, but it can also be required in the
course of processing, where there is a new purpose to
The definition of Active Consent in mobile is:
Voluntary, informed, express and revocable permission.
This means a user is given a clear opportunity to agree to
a specific and notified use of their personal information.
Permission must be captured in a way that is not the
What is Active Consent in mobile?
Active consent applies to secondary, non-obvious use
of a user’s personal information, and/or applications
that have additional privacy implications for users
For example, an app requesting a user’s location,
where such data is not necessary for the functioning of
Golden Gekko recommends not only to comply with
the minimum legal requirements imposed by the law
but to go the extra mile and involve the user. Ensure
they are able to actively approve of their data being
A great way to involve the user in
participating is to educate them.
The user should own the consent process and be given
a choice. They should also be allowed to retract their
permission easily, for example in the main ‘Settings’
Another great way to involve the user in participating in
giving consent is to educate them. Education is very
efficient when the app includes a simple wizard which
takes the user through all the privacy parameters
included in the app.
Your data can help app makers take important
decisions related to future feature enhancements
helping the app to work for you in a more personalized
Some apps gather your personal data so that they can
target specific ads to you. If your data shows you meet
certain criteria, advertisers will tailor their marketing
Why is user data collected?
In the case of a malicious app, your personal data could
be sold or used for illegal purposes.
For example, this type of app might send text messages
without your consent to premium numbers. In such
instances some users have reported being charged as
much as $10 per message. Getting access to your
contact list can be a goldmine for malware authors and
App users are aware that most applications will need to
use at least some basic personal data in order to allow
The problem that most users encounter is not
necessarily centred around the idea of sharing their
personal data, but rather, around the lack of
transparency and the loss of ownership of said
Our recommendation: Be transparent and clearly
communicate to your user the reasons for collecting
their personal data.
App developers' standpoint:
Privacy requirements should be respected to gain
users’ trust through being transparent.
Security measures need to be put in place to protect
What is the privacy debate about?
Privacy may be voluntarily sacrificed in exchange for
Info can be stolen, misused and carries the threat of
We refuse to follow a rigid approach which could mean
an overload of pop-up notifications reducing the users’
We recommend a flexible approach to privacy.
A flexible approach should mean a leverage of best
practices from each sector in addition to a smart user
flow and privacy settings implemented within the app.
In the EU, the first cookie law was introduced in 2002
where choosing to opt out was sufficient.
With the new Cookie law from 2009, opt in is required
with clear and comprehensive information about the
purposes of the storage of, or access to, that data.
Clear consent must be given.
Why is there a debate about cookies?
An example of a typical notice is: “This website uses
cookies. By using this website you approve to the use
There are different implementations of the law
depending on the jurisdictions:
It is important to understand privacy and put in place
appropriate legal and security measures.
Understanding privacy matters linked to mobile
application solutions will play in your favour and help
you retain your customers.
By tackling privacy from the outset of the development
of your app, you will gain users’ trust more rapidly.
We recommend you give your users the choice of whether or
not to share their personal data, and explain the reason
for which the data is collected.
The customer should also be given the option to go
back and change their permission status easily.
The idea is not to overload the user with pop-up
notifications at each step of the app but rather, by
thinking about how to integrate privacy upfront, to allow
them to be in control through education.
A great way to do so is by adding a wizard that will
guide them when starting to use the app.
Moreover, by doing audits of your current application
on a regular basis you will gain users’ trust. The impact
of the latest breaches of personal data is raising
awareness amongst customers who are becoming
more demanding with regard to privacy settings.
We recommend proactivity and adherence to the latest
industry recommendations by adjusting your user