This article applies to the following:
A primary privacy concern for most mobile customers is the question of what happens to information that personally identifies them, commonly called personally identifiable information (PII). They want to know what is collected, how it’s used, how it’s stored, who can access it, and with whom it may be shared. This article attempts to clarify what BlackBerry considers personal information and provides general guidance on how it should be protected. By applying these principles, and otherwise complying with privacy/data protection legislation, third-party app developers will not only help protect customers’ PII, but also help ensure that their apps can remain listed in BlackBerry World. This article builds on previous guidance provided by BlackBerry. With that said, these guidelines are not legal advice, and an app that complies with them is not guaranteed to meet all of a developer’s legal obligations. As always, it is up to app developers to comply with applicable laws, regulations, and standards and to meet the terms of their contracts.
The legal definition of PII can vary widely between legal jurisdictions. Since the vendor may choose to make its app available in BlackBerry World globally, this presents a significant challenge for app developers. As a general rule, however, anyone collecting, using, or disclosing PII is expected to gain consent to do so from the person they are collecting information about. With that said, privacy/data protection legislation may make an exception to this rule, depending on the information or scenario involved. Different types of information or circumstances may also call for different forms of consent. For example, more sensitive PII, such as health or financial data, may require a more explicit and immediate request for consent.
PII is typically defined as information about an identifiable individual. Because of the broad nature of PII definitions in relevant legislation, it is not possible to compile a definitive or comprehensive list of what is PII. The PII Examples in this document are therefore not an exhaustive list or legal advice, but are only intended to provide illustrative examples. The list does not reflect the PII definitions of any particular jurisdiction, and does not replace independent legal advice for app developers about customers in varying jurisdictions. And, of course, the guidance below is also subject to change as the global climate around privacy continues to evolve.
When handling customers’ PII, BlackBerry recommends app developers use best practices, including:
Use the Principle of Least Permissions – Limiting Collection
Only collect, use or disclose personal information for purposes that are reasonable. Likewise, only request the permissions your app reasonably needs to perform its intended functions. Do not request or require permissions that your app can function without, and explain why you are seeking the permissions requested.
Consider the Impact of Third-Party Code
If your app includes third-party code, understand how it works, the functionality it provides, and if or how it handles customers’ information. Ensure that appropriate contracts are in place with any third party service that you use. Consider how SDKs and third-party add-ins affect your app. For example, a third-party ad service might access and use PII that your app would not otherwise access.
Understand where your app is being sold and what legal privacy protections are in place for users in those locations. Ensure your app and its policies comply with all applicable laws. Please be aware that data collected about minors or children can require additional special protections depending on the particular jurisdiction in which the app is sold.
Build trust with your customers by explaining clearly and simply how your app works, what data it collects, and what it does with that data. This should include information about whether the information is sent off the device to remote servers. Consider options to explain these aspects, such as a separate link to how the app works or a special notice page in the app.
Secure Your Customers’ Data
If the app collects, accesses, stores, or sends data to an external server, always safeguard that data. Use encryption at all layers, including encrypting the data stored on the phone, and use a secure transport layer for off device access such as SSL or TLS. Limit access to all user data to those who have a legitimate business purpose for accessing the data.
Empower Your Customers to Control Their Information
Give users additional choices and controls, including the use of a Settings menu or privacy-sensitive default settings. For example, if you are collecting additional PII that is not strictly necessary for the app, make it clear to the customer that providing it is optional and allow users to opt out. Consider providing a paid version that doesn’t include ad packages.
For information about suggested best practices for developing secure apps, look for articles about application security on the BlackBerry Developer Blog.
For information about the guidelines and rules governing BlackBerry World, read the RIME Store Vendor Agreement (formerly BlackBerry App World Vendor Agreement), and the BlackBerry World Vendor Guidelines.
When collecting and using customer data, consider whether the data is included in, or similar in nature to, the examples below. Please note that the following is not a definitive or exhaustive list of PII, and it may change or be updated without notice. Developers should consult their own legal counsel when determining what is PII, and what consent(s) or other privacy/data protection practices are appropriate.
©2014 BlackBerry. All rights reserved. BlackBerry® and related trademarks, names and logos are the property of BlackBerry Limited and are registered and/or used in the U.S. and countries around the world. All other trademarks are the property of their respective owners. This documentation is provided "as is" and without condition, endorsement, guarantee, representation or warranty, or liability of any kind by BlackBerry Limited and its affiliated companies, all of which are expressly disclaimed to the maximum extent permitted by applicable law in your jurisdiction.