- Mobile Apps and Privacy Laws
- Current Applicable Laws for Mobile App Privacy Policies
- Privacy Policies for iOS and Android Apps
- General Requirements for Mobile App Privacy Policies
- Inform Mobile Users If They Are Being Tracked
- FAQs About App Privacy Policies
1. Mobile Apps and Privacy Laws
A mobile app privacy policy is developed and presented to users so that mobile app developers stay compliant with state, federal, and international laws. As a result, they fulfill the legal requirement to safeguard user privacy while protecting the company itself from legal challenges.
What is Personally Identifiable Information (PII)?
Personally identifiable information (PII) is information that can be used directly or indirectly to identify an individual. If separate and distinct items of data can be used in conjunction with other pieces of data to eventually identify a physical person, that is also considered PII and must be protected.
Examples of PII include:
- Phone numbers
- Social Security numbers
- Billing or shipping address
- Email addresses
- Birth locations
- Medical records
- License plate numbers
- ID numbers
- Data provided with voluntary consent
- DNA/Genetic information
- Biometric data (e.g., fingerprints, facial recognition)
- Registration numbers (including vehicle registration)
- Device data
- IP addresses
- Browsing history
- Credit card details
- Automatic cookie data
- Sensitive personal data (e.g., race, ethnicity, sexuality)
You should take special consideration when collecting PII that the GDPR defines as “sensitive.”
Sensitive data includes information such as an individual’s race, ethnicity, sexuality, political beliefs, and biometric or genetic data.
How to Know if Your App Collects Personally Identifiable Information
Once you know what data qualifies as PII, you must maintain legal compliance by implementing the appropriate measures for alerting users and protecting their data. Here are some tips for assessing whether you collect PII:
Conduct an Audit
As you conduct your audit, be clear on what you collect and make a note of:
- Where it’s collected
- Why it’s collected
- How it’s stored
- How it may be shared
Be sure to consider pseudonymous data. This is data that cannot identify an individual by itself but that can readily be linked to other data. Linking disconnected bits of personal information in this way identifies mobile users and deprives them of their privacy.
Consider Each Category Collected
It may be useful to structure the information you or a third party collects by separating the information into categories and showing where along the process it is collected.
Consider Third Parties
The process works the other way around as well. Several third-party service providers, such as Google Analytics, Google Maps, and Facebook Graph API, already require that a privacy policy be presented in your mobile app when you use them.
Simply notifying your users that third parties collect their information is not sufficient. If that is the case, you must make it clear that you may not have control over PII that third parties collect, sell, or trade.
Look in Specific Areas
When searching your mobile app for all the places and ways in which you collect PII, there are a few key areas to keep in mind:
- Direct collection through forms: Signup forms commonly gather personal information entered by the user. However, you may be collecting user data without consent if the PII is collected whether or not the user actually completes and submits the form.
- Geolocation targeting: Geolocation or geotargeting technology may collect a mobile app user’s general or exact location by monitoring their mobile device either by default or with permission. Note that if the mobile app location data is joined with another piece of PII, it could be used to identify a physical person.
- Point of Sale systems (POS): Modern POS systems are often digital and are seen at the checkout page of an eCommerce or SaaS website. These systems collect customer information such as names, telephone numbers, email addresses, credit card data, and other payment information.
- Customer relationship management software (CRM): Your sales and marketing teams will likely collect and store information on potential and current users. To maintain GDPR CRM compliance, you must directly notify mobile users of these practices.
- Customer support: At a minimum, customer support collects data on names, phone numbers, addresses, and more. Your mobile app may use software to store this information and keep it on file. Figure this out and explain it to your users clearly and directly.
Consider Voluntary Consent
Voluntary consent is another means through which you can collect PII. If voluntarily provided, data can be shared for any purpose as long as the user is notified and consents, for example with a checkmark or through continued use of the app.
- Your app collects personal data
- Your app uses a third-party service provider
- The iOS or Android platform requires one
- You want to reassure your app’s users
- You want to err on the side of caution
Reassure Your Users
According to a survey done by the Pew Research Center, more than 57% of mobile app users have uninstalled or decided not to install an app due to concerns about the sharing of their personal information.
As privacy policies and data protection laws related to mobile applications continue to expand, the definition of PII can change. For example, ways to determine an individual’s identity through an IP address have progressed far enough that it was added to the GDPR’s list of protected PII.
2. Current Applicable Laws for Mobile App Privacy Policies
United States Federal Trade Commission
The US Federal Trade Commission (FTC) emphasizes that mobile application developers in the United States or those who distribute applications to be used in the United States should include privacy policies in their applications.
- Notice prior to collecting data
- The choice to agree to collection or opt-out
- Access data for accuracy and correction
- Security steps to protect user data and delete old data
- Enforcement to address and remedy privacy concerns
As a part of these five Fair Information Practice Principles, a site’s security measures should be specified in its own section. The required security measures you’ll need to have in place will depend on the amount of data you collect and its sensitivity.
For example, PayPal explains that they use technical, physical, and administrative security measures to protect your data and prevent data breaches, including firewalls, data encryption, and physical access controls.
General Data Protection Regulation (GDPR)
A look at Walt Disney’s GDPR compliance
Walt Disney is an example of a company in compliance with the rules of the GDPR. With an easy-to-navigate menu, you can see and easily understand:
- How your data is being collected
- Why it’s being collected
- What type of data is being collected
- How your data is being used
- Where your data is being used
- How you can revoke consent
Here’s Google’s GDPR policy on deleting data
One of the GDPR’s most significant policies concerns giving users the capability to remove, revoke consent, or delete data. Google provides easily accessible methods for its users to export their data or delete it entirely. Clearly marked and separate signal buttons guide users through the process of exporting or immediately deleting all data.
Accountability Principles of GDPR
GDPR’s data protection and accountability principles must be followed:
- Data processing must be fair
- Data collected must be for specific and legitimate purposes
- No more data is collected than what is needed
- No storage of data longer than needed
- Data must be accurate
- Data is processed in a way that ensures its security, integrity, and confidentiality
- Demonstrated compliance with data principles
A fine of up to 20 million euros or 4% of your mobile app’s annual global revenue could be levied. For more details on the key concepts regarding the requirements of the GDPR, refer to our GDPR overview.
The California Consumer Privacy Act of 2018 (CCPA)
The California Consumer Privacy Act (CCPA) is a data privacy law that regulates how businesses worldwide are allowed to handle the personally identifiable information (PII) of California residents.
Under the CCPA, consumers now have rights such as the right to request their data be erased or not sold. Although it’s sometimes called a light version of the more comprehensive GDPR, the CCPA is the first law of its kind in the United States and one of the strictest privacy laws in US history.
All companies that serve California residents must comply with the CCPA if they:
- Have $25 million or more in annual revenue
- Collect, share, buy, or sell the personal data of 50,000 or more “consumers, households, or devices”
- Collect more than half of their revenues from the sale of personal data from Californians
Unlike the GDPR, the CCPA expands privacy laws by:
- Allowing users to request information on any data collected on them, not just PII
- Granting users the right to refuse the sale of their personal information to third parties
- Requiring that minors under the age of 16 be opted-out of the sale of their information by default
The CCPA carries fines of up to $7,500 per intentional violation, with unintentional violations costing $2,500 per violation if not remedied within 30 days.
Recently, the FTC fined TikTok, a popular social networking platform directed at kids, for violating the Children’s Online Privacy Protection Act (COPPA). TikTok was fined 5.7 million for illegally collecting children’s information without parental consent for the purpose of selling it elsewhere.
Now TikTok displays prominent notices regarding the data it uses to track users and the personally identifiable information it collects.
California’s Online Privacy Protection Act (CalOPPA)
CalOPPA applies to any businesses running mobile apps. Failure to comply with CalOPPA could result in fines of up to $2,500 per user per violation. Fines of over a quarter of a million dollars can easily be levied against even a small mobile application company that reaches only 100 users per week.
- Information about modifications and how they will be made
- Third-party information regarding exactly who collects data
Children’s Online Privacy Protection Act (COPPA)
To help protect children’s privacy and keep them safe online, the FTC enforces the Children’s Online Privacy Protection Act (COPPA), which requires websites, mobile apps, and other online services to obtain consent from parents before collecting personal information from kids younger than 13.
COPPA is the reason that many websites and apps do not allow users under the age of 13 to access the content or register an account. Complying with the law is often seen as too difficult to merit the inclusion of children of that age.
In addition to requiring privacy policies, COPPA imposes fines on companies that fail to follow its guidelines for how online businesses and mobile apps should treat children’s information.
Privacy Rights for California Minors in the Digital World
The Privacy Rights for California Minors in the Digital World Act (also called the Eraser Button Law) applies to websites and mobile applications that allow users under the age of 18 to register and post content.
The Eraser Button Law states that these websites and mobile apps must allow users under the age of 18 to remove the content or information they have contributed whenever they would like to. It also states that these users must be clearly informed of their rights and ability to do so.
Student Online Personal Information Protection Act
The Student Online Personal Information Protection Act (SOPIPA) applies to the online collection of the personal information of K-12 student-users in California.
The law states that any information gathered from students cannot be used in targeted advertising toward them or their parents. Student data also cannot be sold or disclosed without express authorization, and then only under specified circumstances.
3. Privacy Policies for iOS and Android Apps
- Collects user data
- Is made for, or specifically directed at, kids
- Offers automatically renewable in-app purchases
- Allows for user registration
- Accesses a user’s existing account
- Offers free subscriptions
- Is otherwise required by law
Android is an operating system developed by Google for use on mobile devices. Android apps can be purchased in the Google Play Store or other third-party marketplaces such as SlideME or the Amazon Appstore.
The new safety section in the Google Play Console will inform users and help them understand:
- What type of data an app collects
- Why the app collects that data
- Which data is shared with third-party providers
- Whether users have control over their data
- How the app uses security practices like encryption
- If the data is optional or needed for app functionality
General Requirements for Mobile App Privacy Policies
Section 1: Explain the Type of Personal Information You Collect
Privacy policies almost always begin by explaining the types of data that a website or app may collect from users. It’s important that you are as detailed as possible about the data you collect.
Section 2: Define How You Use and Share Data
In addition to revealing the type of data you collect, you must explain how the data gets used and whether or not it gets shared with third-party services.
Section 3: Disclose Use of Third Party Services
Third-party tools and providers can enhance your mobile apps through content optimization, better customer service, data analytics, affiliate marketing, and lead generation.
If you share data with third-party services, your policy must reveal how and why.
As on many mobile apps, Google Analytics is mentioned by name as a service that receives user PII to perform statistical analysis regarding the use of an app.
As Google Analytics is a recognizable and frequently used third-party service, be sure your mobile app meets the requirements of the GDPR. In addition, consider reviewing our Google Analytics GDPR guide as it provides actionable steps for complying with the GDPR.
Note that any irregular processing of personal data collected through third-party analytics tools can result in a fine of up to 4% of your mobile app’s annual global revenue.
Section 4: Describe How Users Can Control Their Data
Control over a user’s data has become a key concern for online businesses as they strive to comply with laws like the GDPR and CCPA. By default, privacy policies have become instruction manuals for how users can exercise their data rights.
You should include the steps that users can take to access, transfer, change, delete, correct, amend, export, or limit the use of their information.
Section 5: Update Users of Policy Changes
Mobile app users have the right to be informed of any changes to your privacy policy. As a result, you may need to update your policy. Publish the date of the last change and reassure users that any significant changes will be presented prominently and emailed to the user.
Inform Mobile Users If They Are Being Tracked
A significant and growing concern among mobile application users is being tracked through their purchases, daily activities, physical geolocations, and website history.
According to a recent Pew Research Center study, nearly all mobile app users take steps to manage, control, or protect their personal data:
- 54% of mobile app users did not install a mobile app due to the amount of personal information they needed to share in order to use the app
- 30% of mobile app users have uninstalled an app that was already on their mobile device once they learned it was collecting personal information they didn’t wish to share
For example, in an effort to acknowledge user concerns, the Walt Disney Company is careful to inform users of its tracking policy. Children and families spend billions on Disney Company products, movies, and visits to amusement parks. To provide complete transparency, Disney is clear about how the company and its advertisers track web behavior for advertising purposes.
Whether you have an iOS, Android, or Windows app, you can include such a policy in several ways:
- Embed it directly in your app
- Provide a link to a dedicated webpage
- Place it on your official website
Embed Directly in the App
Embedding the policy in your application means dedicating space within the app to display it. Then, users can simply navigate within the app to get to the policy.
Through this method, your legal policies are only ever a few actions away from the current page. Users are aware of its presence, can consult it at any time, and are not inconvenienced by doing so.
You can also include a link to your policy on your app’s profile page in whichever app store you choose to sell your product. This allows users to view your policy before downloading your application.
Place the Policy on Your Official Site
Even if your website is just a placeholder site, you will still benefit from the legal protection afforded to you by the presence of such a policy.
However, within that framework, companies may have very different policies depending on what their mobile applications are used for.
We’ve outlined several notable examples:
Dropbox uses the same policy for both its company at large and its mobile application. It outlines with whom user information will be shared and why. The company also directly states that it won’t sell personal data to advertisers or other third parties.
The company’s policy is easy to read and utilizes friendly language to inform users that Dropbox will collect personal information. The policy is specific and thorough, leaving little room for legal interpretation.
Facebook has identical policies for the company and the mobile application. The policy is formatted in an FAQ format, which makes for easy reading. The language used is also very understandable, making it easy for users to process.
Snapchat is an exclusively mobile application that allows for the taking, editing, and sharing of photos. Although the service is only provided through mobile devices, its legal policies are hosted on its official website.
The company’s policy is clearly laid out and very approachable. However, it states that Snapchat may use your personal information for ad targeting and customization. This is seemingly at odds with SOPIPA.
The company even describes how it requires the third-party service providers it employs to handle user information in accordance with WhatsApp policies.
Whether you copy and paste or download the template below, please remember that this is just a template and should be edited to match your mobile app.
FAQs About App Privacy Policies