Legal policies are ubiquitous on the web these days–and for good reason. In the ever-changing legal landscape of internet privacy, it has never been more important to keep your mobile applications compliant and protected.
Table of Contents
- Applicable Laws for Mobile Apps
- General Requirements For Mobile Apps
- iOS Applications
- Android Apps
- Windows Apps
- Accessibility Options
- Notable Examples in Mobile Applications
These policies are used by companies and mobile app developers to stay compliant with federal laws. They fulfill the legal requirement to safeguard user privacy while also protecting the company itself from legal challenges.
The contents of these policies can vary greatly depending on the industry, user demographics, governing laws and jurisdictions, and application platform. Using third-party services may also affect whether you need one, as well as what it must contain, even if the app itself doesn’t collect user information.
As the use of mobile devices has become more prevalent, the number of mobile applications has also increased. Mobile applications present unique privacy concerns due to the sheer number of them and the vast amount of personal information that is collected and shared.
This erosion of privacy has brought increased emphasis on safeguarding the rights users still have. These policies have never been more essential for online businesses and mobile applications.
The short answer is yes, you probably need one. With the legal environment surrounding internet privacy in near-constant flux, there is a good chance that a law, regulation, affiliate, or platform will require that your mobile app include such a policy. There are several reasons why you might need one:
You Collect Personal Data
This includes any cookies or other tracking technologies you use that may collect personal data such as location, login information, and buying habits.
You Use a Third Party Service Provider
If you employ a third-party service provider that gathers user data, you are required to include one, even if your app doesn’t collect the data itself. You are responsible for disclosing what user data is gathered on your app and how it is used.
There are a number of third-party service providers that might require that privacy policies be placed on your mobile app, such as Google Analytics, Google Maps, and Facebook Graph API.
The Platform or App Store Requires One
Many app stores, such as the Windows Store and Apple’s App Store, require application developers to have these policies in place before their apps can be approved for sale. Developers who fail to include them can have their apps suspended or removed from the store.
You Want to Reassure Your Users
According to a survey done by the Pew Research Center, more than 57% of mobile app users have either chosen not to install an app over concerns about the sharing of their personal information, or uninstalled an app for similar reasons.
People care about the privacy and management of their personal information. Including such a policy in your app will not only ease the concerns of your users, but also give them confidence in you and your app knowing that their personal information is safe.
You Want to Err on the Side of Caution
You can stay safe and protected by adding legal policies to your mobile application now–regardless of your obligation to do so.
Ultimately, it can’t hurt to have one. In fact, it can only benefit you and your business.
3. Applicable Laws for Mobile Apps
There are a number of privacy laws that govern the collection of personal information by mobile applications. Although the United States has been criticized for not having comprehensive federal laws relating to information privacy, there are several state and federal laws that apply to mobile applications.
United States Federal Trade Commission
The US Federal Trade Commission (FTC) requires that all applications which collect and use the personal information of their users inform those users about the collection methods.
In its “Mobile Privacy Disclosures: Building Trust Through Transparency” document, the FTC emphasizes that application developers in the United States or those who distribute applications to be used in the United States should include privacy policies in their applications.
California’s Online Privacy Protection Act
The Attorney General of California has articulated in the state’s Online Privacy Protection Act (CalOPPA) that all websites and mobile applications that collect personal information must contain privacy policies. Not only does this regulation affect developers based in California, it also applies to any developer who potentially targets users residing in California.
This law requires any mobile application that collects personally identifiable user data to post a policy detailing and explaining completely how the application collects and uses the data.
According to the law, personally identifiable information includes:
- Physical addresses
- Email addresses
- Phone numbers
- Identification numbers (SSN, driver’s license, etc.)
- Physical appearance descriptions
- Any other information that would allow a user to be personally identified
CalOPPA requires that a link to such a policy be shown on your website’s homepage, and that a link on the app’s homepage containing the word “privacy” lead directly to it. The policy itself must cover:
- A description of the information gathered: the information that will be collected by the mobile application
- Modifications: how and when the company that owns the application will make changes to the program
- Third-party information: the third parties who might be given access to users’ personal data
An application developer that does not comply with CalOPPA can be held accountable under California law. This noncompliance must be either knowing and willful or negligent and material. Minor technical breaches are unlikely to be found as violations of CalOPPA.
Children’s Online Privacy Protection Act
The Children’s Online Privacy Protection Act (COPPA) is a federal law that applies to the online collection of information by United States based businesses about children under the age of 13.
COPPA is the reason that many websites and applications do not allow users under the age of 13 to access the content or register an account. Complying with the law is often seen as too burdensome to justify admitting children of that age.
Many privacy policies include clauses which state that the company does not knowingly allow access to users under the age of 13, nor does it knowingly collect information from such users.
Privacy Rights for California Minors in the Digital World
The Privacy Rights for California Minors in the Digital World Act (also called the Eraser Button Law) applies to websites and mobile applications that allow users under the age of 18 to register and post content.
The Eraser Button Law states that these websites and apps must allow users under the age of 18 to remove the content or information they have contributed if and when they desire. It also states that these users must be clearly informed of their right and ability to do so.
The law also prohibits websites and mobile applications from using the personal information of users under the age of 18 to market or advertise specified types of products or services.
Student Online Personal Information Protection Act
The Student Online Personal Information Protection Act (SOPIPA) applies to the online collection of the personal information of K-12 student-users.
The law states that any information gathered from students cannot be used in targeted advertising toward them or their parents. The student data can also not be sold or disclosed without express authorization and only under specified circumstances.
If the personal information of K-12 students could possibly be collected with your mobile application, it is crucial that your policy addresses this and stays compliant with SOPIPA.
The European Union’s Data Protection Directive
The applicable legal framework for privacy policies in the European Union is the Data Protection Directive. This law applies to any situation in which the use of a website or app within the European Union involves the processing of the personal data of its users.
The directive stipulates that the personal data of users located within the European Union should not be processed at all unless certain conditions are met. These conditions are divided into three categories: transparency, legitimacy, and proportionality.
If the conditions are met, a policy must be included with your mobile app that outlines in very clear, easily understandable language:
- who you are
- why you are collecting the data
- what specific information you are collecting
- what you will do with it
- what rights users have regarding its management
Special consideration must be taken by mobile app developers with regards to where their app is used or accessed.
If users within the European Union can access or use your mobile app, even if you are located elsewhere, you are subject to those privacy laws and your policies must reflect your compliance with the Data Protection Directive.
Furthermore, individual states across the European Union may have their own laws and regulations with which you would also need to comply.
Although the Data Protection Directive is currently the law of the land, the new General Data Protection Regulation (GDPR) will come into force on May 25, 2018. The GDPR is much stricter: any business that collects data from European citizens must comply, even if it is not located in the EU.
4. General Requirements for Mobile Apps
Privacy policies are essential for apps that collect personal data. Personal data includes first names, last names, email addresses, telephone numbers, location data, and other personally identifiable information. A mobile application that collects this type of data must provide an easily understandable, readable, and readily accessible privacy document.
These policies must contain some particular elements, including the following:
- Identity: who is collecting the information as well as the company’s contact details
- Types of Data: what categories of personal data the app will collect and process
- Reason: why data processing is necessary and for what precise purpose the collection is being performed
- Disclosures: whether the data in question will be disclosed to third parties
- User Rights: what rights users have, including the right to withdraw consent and to have their data deleted
There are additional policy requirements for developers who plan to use HealthKit, HomeKit, or third-party keyboards, or to integrate Apple Pay into their application.
5. iOS Applications
Apple’s App Store requires that such a policy accompany an app if:
- It’s made for kids
- It offers automatically renewable in-app purchases
- It offers free subscriptions
- It allows for user registration
- It accesses a user’s existing account
- It collects user data
- It’s otherwise required by law
Additionally, some third-party services, including Google Analytics, require developers to create policies that pertain to their applications.
As one of the largest file sharing programs around, Apple’s iTunes Connect has a policy that has influenced how a large number of privacy policies for mobile applications are written. Developers who use iTunes Connect are required to create one for each language in which the mobile application will be available.
It is difficult to outline the required elements for an application because not all apps are the same. Individuals should at the very least attempt to meet the minimum CalOPPA requirements, which include:
- A description of the personal information collected
- The parties with which the personal information will be disclosed
- A description of how users can access and request changes to the information
- A description of how operators will notify users of material changes to the policy
- An effective date
6. Android Apps
Android is an operating system developed by Google for use on mobile devices. Android apps are primarily sold in the Google Play Store, but can also be sold in other third-party marketplaces such as the Amazon Appstore, GetJar, and SlideMe.
Google Play does not require every Android app to have a privacy policy, but Google does require one if:
- The app requests access to sensitive permissions or data, which include functions like the camera or microphone
- The app is designed for families and/or children
Even though Google Play does not require all apps to have them, Google Play Developer Distribution Agreements must be read and agreed to when a developer registers for a Google Play account. These policies inform developers that they are required to have “privacy procedures and notices in place”.
“Privacy procedures and notices” refers to a document where a developer agrees to use the Google Play Store to distribute products in exchange for protecting the privacy and legal rights of users.
This statement informs developers that this type of uncensored use could hurt individuals or deceive users. Google also states that it responds to clear notices of alleged privacy infringement and invites users who might be infringed upon to contact the developer directly to resolve concerns.
7. Windows Apps
Microsoft requires all Windows Store app developers to use privacy policies. The Windows Store policies page mentions that Windows applications that collect or transmit personal information must have them.
Developers must also provide access to the policy in the description page of the application and a link to the policy must be accessible from the application at all times.
The policy must inform users about the information that will be collected, accessed, or transmitted, how that information will be used, and what rights users have regarding the developer’s collection of personal information.
8. Accessibility Options
Whether you have an iOS, Android, or Windows app, you can include such a policy several ways:
- Embed it directly in your app
- Provide a link to a dedicated webpage
- Place it on your official website
Embed Directly in the App
Embedding the policy in your application means dedicating space within the app to display it. Users can simply navigate within the app to reach the policy.
With this method, your legal policies are only ever a few taps away from whatever screen the user is on. Users are aware of the policy’s presence, can consult it at any time, and are not inconvenienced by doing so.
Provide a Link to a Dedicated Webpage
Tapping this link opens the policy in a new browser window. The webpage is usually hosted by a third party, but can also be part of the company’s website.
While this method makes the policy easy to reach, it also inconveniences users by interrupting app use and forcing them to open their browser.
You can also include a link to your policy on your app’s profile page in whichever app store you choose to sell your product. This allows users to view your policy before downloading your application.
Place the Policy on Your Official Site
If your company has a website, you can display your legal policies there. It is good practice to use the same policies for both your app and your website.
Even if your website is just a placeholder site, you will still benefit from the legal protection afforded to you by the presence of such a policy.
9. Notable Examples in Mobile Applications
Within the legal framework outlined above, however, companies may have very different policies depending on what their mobile applications are used for.
We’ve outlined several notable examples:
Dropbox uses the same policy for both its company at large and its mobile application. It outlines with whom user information will be shared and why. The company also directly states that it won’t sell personal data to advertisers or other third parties.
The company’s policy is easy to read and utilizes friendly language in order to inform users that Dropbox will collect personal information. The policy is specific and thorough, leaving little room for legal interpretation.
Facebook has identical policies for the company and the mobile application. The policy is written in an FAQ format, which makes for easy reading. The language used is also very understandable, making it easy for users to process.
Snapchat is an exclusively mobile application that allows for the taking, editing, and sharing of photos. Although the service is only provided through mobile devices, its legal policies are hosted on its official website.
The company’s policy is clearly laid out and very approachable. However, it states that Snapchat may use your personal information for ad targeting and customization. This is seemingly at odds with SOPIPA.
The company even describes how it requires the third-party service providers it employs to handle user information in accordance with WhatsApp policies.