Welcome!

Welcome to the official BlackBerry Support Community Forums.

This is your resource to discuss support topics with your peers, and learn from each other.

inside custom component

BlackBerry® World™ Development

Guidelines for Personally Identifiable Information in the BlackBerry® World™ storefront

by BlackBerry Development Advisor on ‎02-07-2014 02:33 PM - edited on ‎03-06-2014 04:26 PM by Community Manager (8,148 Views)

This article applies to the following:

  • BlackBerry® World™ storefront

A primary privacy concern for most mobile customers is the question of what happens to information that personally identifies them, commonly called personally identifiable information (PII).  They want to know what is collected, how it’s used, how it’s stored, who can access it, and with whom it may be shared. This article attempts to clarify what BlackBerry considers personal information and provides general guidance on how it should be protected.  By applying these principles, and otherwise complying with privacy/data protection legislation, third-party app developers will not only help protect customers’ PII, but also help ensure that their apps can remain listed in BlackBerry World. This article builds on previous guidance provided by BlackBerry. With that said, these guidelines are not legal advice, and an app that complies with them is not guaranteed to meet all of a developer’s legal obligations. As always, it is up to app developers to comply with applicable laws, regulations, and standards and to meet the terms of their contracts.

 

The legal definition of PII can vary widely between legal jurisdictions. Since the vendor may choose to make its app available in BlackBerry World globally, this presents a significant challenge for app developers.  As a general rule, however, anyone collecting, using, or disclosing PII is expected to gain consent to do so from the person they are collecting information about. With that said, privacy/data protection legislation may make an exception to this rule, depending on the information or scenario involved. Different types of information or circumstances may also call for different forms of consent. For example, more sensitive PII, such as health or financial data, may require a more explicit and immediate request for consent.

 

PII is typically defined as information about an identifiable individual. Because of the broad nature of PII definitions in relevant legislation, it is not possible to compile a definitive or comprehensive list of what is PII. The PII Examples in this document are therefore not an exhaustive list or legal advice, but are only intended to provide illustrative examples.  The list does not reflect the PII definitions of any particular jurisdiction, and does not replace independent legal advice for app developers about customers in varying jurisdictions. And, of course, the guidance below is also subject to change as the global climate around privacy continues to evolve.

When handling customers’ PII, BlackBerry recommends app developers use best practices, including:

 

Use the Principle of Least Permissions – Limiting Collection

Only collect, use or disclose personal information for purposes that are reasonable. Likewise, only request the permissions your app reasonably needs to perform its intended functions.  Do not request or require permissions that your app can function without, and explain why you are seeking the permissions requested.

 

Consider the Impact of Third-Party Code

If your app includes third-party code, understand how it works, the functionality it provides, and if or how it handles customers’ information. Ensure that appropriate contracts are in place with any third party service that you use. Consider how SDKs and third-party add-ins affect your app. For example, a third-party ad service might access and use PII that your app would not otherwise access.

 

Get Consents and Implement a Privacy Policy

If your app processes PII, you should have a publicly available privacy policy that complies with applicable law that explains what you do with information you gather.  Ensure that your privacy policy is easily available and understandable to users. If you use unexpected practices or process sensitive information, include more explicit user consent explaining your practices and the reasons for them. 

 

Be Accountable

Understand where your app is being sold and what legal privacy protections are in place for users in those locations. Ensure your app and its policies comply with all applicable laws. Please be aware that data collected about minors or children can require additional special protections depending on the particular jurisdiction in which the app is sold.

 

Be Transparent

Build trust with your customers by explaining clearly and simply how your app works, what data it collects, and what it does with that data. This should include information about whether the information is sent off the device to remote servers. Consider options to explain these aspects, such as a separate link to how the app works or a special notice page in the app.

 

Secure Your Customers’ Data

If the app collects, accesses, stores, or sends data to an external server, always safeguard that data. Use encryption at all layers, including encrypting the data stored on the phone, and use a secure transport layer for off device access such as SSL or TLS.  Limit access to all user data to those who have a legitimate business purpose for accessing the data.

 

Empower Your Customers to Control Their Information

Give users additional choices and controls, including the use of a Settings menu or privacy-sensitive default settings.  For example, if you are collecting additional PII that is not strictly necessary for the app, make it clear to the customer that providing it is optional and allow users to opt out.   Consider providing a paid version that doesn’t include ad packages.

 

Further reading

 

To read the Privacy Policy of BlackBerry Limited, see www.blackberry.com/legal/privacy.shtml.

 

For information about suggested best practices for developing secure apps, look for articles about application security on the BlackBerry Developer Blog.

 

For information about the guidelines and rules governing BlackBerry World, read the RIME Store Vendor Agreement (formerly BlackBerry App World Vendor Agreement), and the BlackBerry World Vendor Guidelines.

 

PII Examples

 

When collecting and using customer data, consider whether the data is included in, or similar in nature to, the examples below. Please note that the following is not a definitive or exhaustive list of PII, and it may change or be updated without notice.  Developers should consult their own legal counsel when determining what is PII, and what consent(s) or other privacy/data protection practices are appropriate.

 

Account/User Information  

  • Name/identity of the end user
  • Date Of Birth
  • Gender
  • Address
  • Email address
  • Telephone number
  • Account credentials (e.g., usernames and passwords or BlackBerry® ID)
  • Credit/debit/payment card information, or other personal banking/financial records
  • Driver’s license  number  or other government-issued identification information
  • Medical/health information (may include biometric data)

Unique Device Info

  • Unique device and customer identifiers (such as IMEI, IMSI, UDID, mobile phone number or PIN)
  • IP Address that the developer is, or should be, aware is associated with an identifiable individual/invariable identifier that is known

Usage/Tracking Data

  • Geo-location data (e.g. GPS)
  • Physical Addresses
  • Media usage history (e.g. music, videos), or browsing history
  • Applications downloaded/installed/used on device, or purchase history
  • Logs of phone calls, SMS or instant messaging (including BBM, or call logs of BBM Voice, BBM Video, BlackBerry® MVS)

User Generated Content

  • Contacts List/Address Book
  • Photos and videos or audio recordings
  • Calendar or reminder entries
  • Message content (e.g. email, P2P, BBM™, text messages) 

 

Legal disclaimers

 

©2014 BlackBerry. All rights reserved. BlackBerry® and related trademarks, names and logos are the property of BlackBerry Limited and are registered and/or used in the U.S. and countries around the world. All other trademarks are the property of their respective owners. This documentation is provided "as is" and without condition, endorsement, guarantee, representation or warranty, or liability of any kind by BlackBerry Limited and its affiliated companies, all of which are expressly disclaimed to the maximum extent permitted by applicable law in your jurisdiction.

Contributors
Users Online
Currently online: 31 members 1,366 guests
Please welcome our newest community members: