The Article 29 working group -- composed data protection authorities from across the European Union -- has issued a new set of recommendations which may have a significant impact on app developers. Under the new guidelines, it's proposed that developers should ask for consent for each kind of data an app wants to access, including not only common items like location, contacts, payment info, and social network logins, but browsing history and other content. Even then though Article 29 argues that this "does not legitimize excessive or disproportionate data processing," and further recommends setting an inactivity window, after which data collection from a person's app account will stop.
The group suggests that companies running app stores, like Apple and Google, should implement consent mechanisms in their operating systems that run at the first launch of an app, or else the first time an app asks for potentially sensitive data. "The default settings must be such as to avoid any tracking. Third parties must not circumvent any mechanism designed to avoid tracking, as it currently often happens with the 'Do Not Track' mechanisms implemented in browsers," the group's new document
reads.
The Article 29 recommendations may have an impact not only because of their source, but because many of the provisions are already in portions of EU law, such as the Data Protection Directive and the ePrivacy Directive. They may therefore reflect how regulators intend to interpret the law, whether in dealing with developers or the operators of app stores.