Privacy Guideline

With the growing emphasis on the importance of privacy protection in today's digital environment, users are being increasingly concerned about how apps collect, use, and share personal information. Therefore, as app developers, it is our responsibility to prioritize privacy and implement robust measures to protect user data.

This privacy guide is designed to provide you with comprehensive information on developing and maintaining your app while ensuring privacy protection for users.

Not only by following the guidelines but also by complying with broader requirements set out in data protection laws and other appropriate laws to the purpose of the app, you will be able to develop a secure and trustworthy app that respects all user privacy.

Privacy by Design

Privacy by Design is an approach that integrates privacy protection as a core element of app development. It entails considering privacy from the early stages of app design and ensuring its continuous assurance throughout the entire lifecycle of the app.

Privacy should be considered at every stage of app development, from development and testing to deployment and maintenance. Responsible app development goes beyond complying with legal requirements; it should aim to adopt privacy as a default mode of operation.

Secure by Design

To protect the data of users and corporations, LG is continuously enhancing security throughout all layers of hardware and software. Weaknesses embedded in software mostly occurs due to developer’s mistakes or insecure design. To remove such weaknesses and provide secure software for customers, LG Smart TV keeps up with LG-SDL when developing software, following the principle of Secure by Design.

LG-SDL applies software security activity throughout all stages of software development and lifecycle, providing a high level of security. LG supports app development to expand the ecosystem of smart TV and provide various services for customers.

Using the public SDK, anyone can develop apps for smart TV, and the apps should also keep software development security into consideration.

See also: Microsoft Security Development Lifecycle (SDL), CWE List Version 4.6

App Review and Distribution Process

LG performs security reviews on submitted apps before distribution, using the vulnerability analyzing system.

When a problem is identified, LG will stop the distribution process, communicates the issue to the app submitter, and request a fix for the app. After the app has been fixed, it will again undergo app security review. Following the security review, the app package is digitally signed to assure the integrity of the app package. The app installation phase verifies the digital signature to assure that the app has not been changed or tampered with since it was digitally signed.

If any problem is detected after the app distribution, distribution is suspended, and the app submitter is informed with the reasons for suspension.

Privacy Policy

Your app should include a privacy policy that addresses topics, such as what kind of data your app collects from or about your users, how it is used, with whom it is shared, where it is stored and processed, and how users can make privacy-related choices within the app.

You should use plain language and avoid technical jargon, to help your end users understand easily.

You should provide a mechanism for obtaining end user consent to the collection and processing of their data, in accordance with the user’s privacy policy before the collection of any such data.

If possible, provide a control mechanism that allows a user to easily change permissions.

You should not collect any data from end users (whether personal or otherwise) unless the appropriate consents have been given.

Data Collection & Usage

To protect users' privacy, it is important to collect and use only the data essential for providing service and enhancing user experience.

Your app should only collect the minimum user data required for providing service and should avoid collecting unnecessary data. Data collected for a certain purpose should be used only for that purpose and not be repurposed unless otherwise explicitly permitted by law.

Data Protection

When handling sensitive information, the data must be encrypted to protect it from attackers.

Data leakage can occur not only through external attacks but also from the developer’s mistakes or insecure app design. In such cases, data encryption can prevent leakage of data.

It is crucial to use recommended encryption algorithms for data protection. Failure to use these suggested algorithms can lead to data leaks, as they may not provide an adequate level of security.

See also: NIST: Transitioning the Use of Cryptographic Algorithms and Key Lengths

Permission

Ensure that the app requests only the least privilege necessary for its operation.

To protect users' privacy, do not request user permissions which are not functionally required by the app and do minimize the permissions usage in your app. You should provide information about permissions requested by your aps, such as camera and microphone, along with valid reasons why each of these permissions are needed.

Additionally, you should ensure that the primary function of the app operates even if the user chooses to disable its optional functionality or permissions.

See also: OWASP Cheat Sheet: Authorization

Prominent Disclosure in Data Safety Section on LG Apps

LG Apps provide all users with transparent information about data collection, usage, and sharing for all apps.

Therefore, all app developers must complete and submit well-defined and comprehensible data safety information detailing collection, usage, and sharing of user data. Then the information you have provided will be displayed in the Data Safety section on LG Apps. It enables users to review the app before making a purchase or downloading it, giving them information on which app to install.

You are responsible for the information disclosed in Data Safety section and the following must be declared in the section.

Data Types and Purposes

• Describe the types of data being accessed or collected by your app.

  Data types	Example
  Device Identifier Information	Personal device identification information (Device ID, Mac Address), Advertising ID, IP address, etc.
  Personal Information	Name, ID, Email address, date of birth, gender, address and zip code, resident registration number, passport number, Social Security number(SSN), etc.
  Usage Data	User-app interaction information (clicked menu items, app execution history and usage time, etc.)
  Content Viewing Information	Real-time TV viewing information including VOD and movies (identification information of the viewing content, content name, content related information, content usage time, etc.)
  Voice Information	User’s voice data such as a voice or sound recording
  Photo and Video Information	User’s photos and videos
  Financial Information	Payment information, credit card information (card number, expiration date, etc.), account information, purchase-related payment information, purchase history, other financial information (user's credit score, user salary, etc.)

• Explain why the data checked above is necessary and how the data will be used and shared.

  Purpose	Description
  App or Service functionality	Used for app service and features
  Analytics	Used to observe how users interact with the app or how it performs
  Advertising or Marketing	Used to display ads or promotional activities
  Personalization	Used to provide customized customer experiences, such as recommendations or suggestions
  Other Purposes (Text written by developer)	Used for other purposes

Data Shared

• Provide information on the data that will be shared or transferred from your app to third parties (e.g. other companies, organizations, governments, or other stakeholders).

Location of the Data Stored

• Provide information on the countries where data will be stored and processed (e.g. jurisdiction to which the ICT infrastructure is deployed for data processing).

Requested Access Permission

• Provide information on whether the app will utilize microphone, camera, or USB functionality.

Contact Point

• Provide users with a single point of contact for any inquiries or assistance users may need.

Privacy Policy

• Provide Privacy Policy within your app.

Respect Users' Privacy and Grant the User Control Over Data

• Enable users to exercise their rights to object on access, modification, deletion and data processing.

  Provide and guide users on simple and effective methods to exercise these rights. For instance, develop a user-friendly interface on your app that allows users to access, modify, and delete their personal data. Another option is to provide clear contact information, allowing users to inquire about and exercise their rights.

  Establish a data retention policy to get rid of user data that you no longer need after a set time period. If the data is no longer needed or the retention period has expired, delete user data without undue delay.

• Be careful not to include sensitive data in log files.

  This means being careful not to log content related to personally identifiable information, passwords, financial information, or other sensitive data. By refraining from logging sensitive data, protect user data from potential security threats.

Distribution and Maintenance

Developers should establish a process to promptly update and monitor their software dependencies for any known vulnerabilities within their app. Each app must have a vulnerability disclosure process, such as contact details or a form, which is created and maintained by the developer. In the event a developer becomes aware of a security incident in an app that involves a personal data breach, they should inform all relevant stakeholders, App Store Operators, and library/SDK Developers.

As for LG products and services, LG collects information on errors and vulnerabilities through LG PSRT. This collected information is relayed to the LG developer who then reviews it and formulates improvement plans. When LG developers submit a patch, LG conducts an internal security review before distribution. LG notifies users of new updates and encourages users to install these patches. Following the distribution of patches, LG posts information about patched vulnerabilities or errors on the LG PSRT website. Users can find information about any patched vulnerabilities or errors on this website.

Compliance with Regulations

When using users' data or personal information, apps must comply with data privacy regulations, such as the European Union’s General Data Protection Regulation ("EU GDPR"), UK Code of practice for app store operators and app developers, California Consumer Privacy Act("CCPA"), etc.

With regard to apps aimed at health, fitness, and medical, refer to UK Medical Device Regulation and accompanying guidance on medical devices: software applications (apps) for Great Britain and to Regulation (EU) 2017/745 for Northern Ireland, etc.

With regard to apps aimed at Kids, you must comply with children or minors international/national legislation, such as the Children's Online Privacy Protection Act ("COPPA"), the European Union’s General Data Protection Regulation("EU GDPR"), etc. It may refrain from processing children's data for behavioural advertising purposes, either directly or indirectly, and refrain from collecting data through the children.

See also