For Developers

Consumers use products and services they trust, and prefer dealing with companies that take trust seriously. A dedicated channel for privacy issues demonstrates commitment and increases internal awareness of privacy concerns.

Why are developers following these best practices? What's the advantage?

Improving data governance and privacy practices is good for business, good for consumers, and simply the right thing to do. And of course if developers don’t raise the bar, regulators in the US and EU will do it for us (without our input).

Consumers should be made aware of anything that might reasonably change their minds about how they use your service. If the change doesn’t impact data sharing or usage, there is probably no need to seek additional consent.

What if my app uses metadata when not in use and that data contains no identifiers? Am I still required to notify users?

Yes. Transparency is a window, not a one-way mirror. In this case users should be made aware of both what data the app uses (and that it is de-identified), and the fact that data is being accessed when the app is not in use (and be given the ability to consent).

What if my data practices utilize remote storage by a third party? Do I have to provide the third party’s privacy practices?

If you rely on third parties, it is up to you to put in place contractual guarantees that your published data practices apply. Consumers should not be required to contract with everyone in your supply chain: it’s your job to ensure their data is safeguarded by your subcontractors based on your published terms.

What if I plan to use third parties, but do not at this point? When should I notify if I start?

You are free to rework your supply chain so long as your own suppliers are bound by the policies you already have in place with your users. If anything you do changes the commitments you’ve made to consumers, you are obligated to inform them.

When is the acceptable time to notify users of a breach?

Every situation is different, but the best policy is to notify them as soon as you reasonably can. Factors that might delay this include forensic research, law enforcement requests, or uncertainty over the scope or scale of the breach. A rule of thumb might be: when would you tell your mom that her data was part of a breach?

What is a reasonable time limit on data retention?

There is no fixed timeline - what’s important is that users are aware of your general policy (as long as needed, 90 days, 5 years by law, etc.). Developers generally should not hold data beyond its useful life. Include the deletion of backups in your data retention strategy.