This document describes privacy best practices for web applications, including those that might use device APIs.

This document outlines privacy best practices for web applications that may rely upon device APIs. These web application practices impact the user of the web application but are not directly related to the API definition itself, but rather the context of the use of those APIs by the web application.

Since the last publication of this document, a new best practice related to "active consent" has been added (best practice 6), "informed consent" is noted in an existing practice (best practice 3), various editorial wording changes have been made, and the practices have also been renumbered to accomodate the addition of the new practice. A red-line showing the changes since the previous publication is available.

Introduction

This document outlines good privacy practices for web applications, including those that might use device APIs. This continues the work on privacy best practices in section 3.3.1 on "User Awareness and Control" Mobile Web Application Best Practices [[MWABP]]. It does not repeat the privacy principles and requirements documented in the Device API Privacy Requirements Note [[DAP-PRIVACY-REQS]] which should also be consulted.

Privacy By Design

The principles of "Privacy by Design" should be reflected in the web application design and implementation, including the use of device APIs. These are enumerated below and in more detail in the reference [[PRIVACY-BY-DESIGN]].

Follow "Privacy By Design" principles.

Proactively consider privacy, make preservation of privacy the default, including privacy in a user-centric and transparent design without making tradeoffs against privacy for other features as privacy is possible along with other functionality.

These principles include the following:

  1. Proactive not Reactive; Preventative not Remedial
  2. Privacy as the Default Setting
  3. Privacy Embedded into Design
  4. Full Functionality — Positive-Sum, not Zero-Sum
  5. End-to-End Security — Full Lifecycle Protection
  6. Visibility and Transparency — Keep it Open
  7. Respect for User Privacy — Keep it User-Centric

User Centric Design

Privacy should be user centric, giving the user understanding and control over use of their personal data.

Enable the user to make informed decisions about sharing their personal information with a service.

The end user should have enough information about a service and how it will use their personal information to make an informed decision on whether to share information with that service. This should include understanding of the data to be shared, clarity about how long data will be kept and information with whom it will be shared (and for what purpose).

Enable the user to make decisions at the appropriate time with the correct contextual information.

The user should have the opportunity to decide whether to share information (and what to share) at the time it is needed. This is necessary as the decision can depend on the context, including the details of what the user is trying to accomplish, the details of that task, and differences in how the service will operate, use and share data.

The Web Application should make sure that consent is "informed consent" and provide necessary privacy notice and other information at the time user consent is required, either through action or other means.

When learning user privacy decisions and providing defaults, allow the user to easily view and change their previous decisions.

A service may learn and remember personal information of the user in order to improve a service. One example is remembering a billing address; another example might be remembering payment information. When doing so the service should make it clear to the user which information is retained and how it is used. It should give the user an opportunity to correct or remove the information.

Focus on usability and avoid needless prompting.

Focusing on usability should improve a service as well as making it easier for the user to understand and control use of their personal information. Minimize use of modal dialogs as they harm the user experience and many users will not understand how to respond to prompts, instead making a choice that enables them to continue their work [[GEOLOCATION-PRIVACY]].

Active consent should be freely given, for specific data, and be informed.

Active consent is where user action is taken to also give permission, avoiding the need for consent dialogs. Such active consent should be freely given, for specific data, and be informed. Thus the user should be able to cancel the operation, know which data is shared, and have adequate information at the time of the action regarding the intended use of the data [[CONSENT-EU-WP187]]. The web application should provide the user with information on intended use in conjunction with device API usage.

Examples of active consent include selecting contact fields to share, electing to create a picture by clicking on the camera shutter, and so on. Active consent can improve usability and be less disruptive than consent dialogs, and can also meet privacy requirements if appropriate criteria are met.

Be clear and transparent to users regarding potential privacy concerns.

The end user should understand if information is being used by the service itself or being shared with a third party, especially when third party services are involved in a "mashup".

Be clear as to whether information is needed on a one-time basis or is necessary for a period of time and for how long.

The end user should understand whether information collected is for a single use or will be retained and have an impact over time.

Minimize collection and transmission of personal data

Review the data and how it is structured and used, minimizing the amount and detail of data required to provide a service.

Request the minimum number of data items at the minimum level of detail needed to provide a service.

As an example, an address book entry is not the natural level of granularity as the user may wish to share various individual address book fields independently. Thus the natural level of granularity in an address book is a field and no more than the necessary fields should be provided in response to an address book entry request.

Retain the minimum amount of data at the minimum level of detail for the minimum amount of time needed. Consider potential misuses of retained data and possible countermeasures.

As an example, retaining user payment information entails the risk of this information being stolen and misused. Perhaps it does not need to be retained but if it is (with user permission) perhaps it should be encrypted (to give one possible countermeasure).

Maintain the confidentiality of personal data

Maintain the confidentiality of user data in transmission, for example using HTTPS for transport rather than HTTP.

Use of HTTPS can provide confidentiality of personal data in transport when an appropriate cipher suite is required. This should be done for sensitive personal information unless confidentiality can be assured by other means.

Maintain the confidentiality of user data in storage.

The confidentiality of personal information should be maintained when in storage, to prevent inadvertent or malicious loss (e.g. break in to a server, theft of backups or other threats).

Control and log access

Control and log access to data.

Control access to information through access controls and log access.