How does the Privacy Act apply to mobile apps? New guidance note for businesses and developers

Tuesday 29 July 2014

Authors: Tim Clarke and Laura Littlewood

A recent survey of commonly used mobile apps has revealed that only half of all New Zealand mobile apps comply with the Privacy Act 1993 [1]. This has prompted the Privacy Commissioner to release a guidance note entitled “Need to know or nice to have: Making mobile app privacy your competitive advantage” which is aimed at helping businesses and mobile app developers understand their privacy obligations. The release of this Guide is consistent with the Privacy Commissioner’s focus on technology, which will underpin the upcoming reform of the Privacy Act (as discussed in our previous update here).

Your mobile app may be one of the 50 per cent identified that does not comply with the Privacy Act. If so, this is a timely opportunity to review whether your collection, use, and disclosure of information utilising your app meet the requirements of the Privacy Act.

Mobile apps present unique challenges for compliance with the Privacy Act, as they are capable of collecting a significant amount of personal information and using that information in continually evolving ways. For example, geotracking data and user analytics may be passively provided by users, and this information may be shared with other traders, as well as cloud and other service providers. Customer information collected through apps may also be used to personalise a user’s experience and for real-time location based marketing.

The Guide emphasises that, under the Privacy Act, an agency may only collect information “for a lawful purpose connected with a function or activity of the agency,” where the collection of personal information is “necessary” for that purpose. The Privacy Commissioner questions whether some of the information collected by the mobile apps surveyed is “necessary”, as required under the Privacy Act: “What about the photography app that says it needs your location? What about the banking app that wants access to your address book?” Ultimately the answers to these questions will be fact-specific, but the Guide highlights the distinction between information which you “need to know” (which can be lawfully collected in accordance with the Privacy Act) and information which is “nice to have” (which should not be collected).

The Guide sets out the following key privacy considerations for businesses and mobile app developers:

  1. Integrating privacy starts on day one.

    Make a plan and spot the risks.

  2. Be open and transparent about your privacy practices.

    When a user makes decisions – to download your app, update it, or share personal information – be there with the right information.

  3. Collect and keep only what your app needs to function, and secure it.

    “Nice to know” doesn’t mean “need to know”.

  4. Obtain meaningful consent despite the small screen challenge.

    Spend time working out how to make privacy understandable and relatable with the tools you have.

  5. Timing of user notice and consent is critical.

    Providing information in real time is as important as being up front in advance.

A copy of the Guide may be downloaded here.


[1] A survey was conducted in May this year by the Privacy Commissioner’s Office with 27 overseas privacy authorities from the Global Enforcement Network. Of the New Zealand mobile apps examined, 50 per cent had a link to their privacy policies available on the marketplace listing. After installation, 64 per cent of mobile apps did not display or have a link to a privacy policy within the mobile app itself.


This publication is necessarily brief and general in nature. You should seek professional advice before taking any action in relation to the matters dealt with in this publication.
