Whether you have an iOS or Android app, you must keep your mobile application compliant with an app privacy policy. Keep reading to find out what they are, whether you need one, and the requirements for different platforms.
You can also download our FREE app privacy policy template or create your own with our state-of-the-art privacy policy generator.
- Mobile Apps and Privacy Laws
- Current Applicable Laws for Mobile App Privacy Policies
- Privacy Policies for iOS and Android Apps
- General Requirements for Mobile App Privacy Policies
- Inform Mobile Users If They Are Being Tracked
- How to Give Users Access to Your App's Privacy Policy
- App Privacy Policy Examples
- Mobile App Privacy Policy Template for iOS and Android [Full Text and Download]
- FAQs About App Privacy Policies
1. Mobile Apps and Privacy Laws
Mandated by various laws around the world, privacy policies for mobile apps should clearly and explicitly detail which personal information (PI) is collected, why it’s collected, with whom it may be shared, and how users can control their data. In addition, a full copy of your privacy policy should be accessible at all times.
What is a Mobile App Privacy Policy?
A mobile app privacy policy is a legal statement that must be clear, conspicuous, and consented to by all users. It must disclose how a mobile app gathers, stores, and uses the personal information it collects from its users.
A mobile app privacy policy is written and presented to users so that mobile app developers stay compliant with state, federal, and international laws. As a result, developers fulfill the legal requirement to safeguard user privacy while protecting the company itself from legal challenges.
Whether you have an iOS or Android app, you must keep your mobile application compliant by using a privacy policy on your app.
Create a Mobile App Privacy Policy Using Termly
Here’s how you can use Termly’s generator to create a comprehensive and compliant privacy policy for your mobile app.
Step 1: Go to Termly’s privacy policy generator.
Step 2: Answer a few simple prompts and questions, and go through all of the steps until you reach “Final Details.”
Step 3: Once you’ve filled in everything and you are satisfied with the preview, click “Publish.” You will then be prompted to create an account on Termly so you can save and edit your privacy policy further.
What is Personal Information (PI)?
Personal information is information you may use directly or indirectly to identify an individual. If separate and distinct items of data can be used in conjunction with other pieces of data to eventually identify a physical person, that is also considered personal info and must be protected.
Here are some examples of personal information:
- Names
- Phone numbers
- Social Security numbers
- Billing or shipping address
- Email addresses
- Birth locations
- Geolocations
- Medical records
- Birthdays
- License plate numbers
- ID numbers
- Data provided with voluntary consent
- DNA/Genetic information
- Biometric data (e.g., fingerprints, facial recognition)
- Registration numbers (including vehicle registration)
- Device data
- IP addresses
- Browsing history
- Credit card details
- Automatic cookie data
- Sensitive personal data (e.g., race, ethnicity, sexuality)
You should take special consideration when collecting personal information that the GDPR defines as “sensitive.”
Sensitive data includes information such as an individual’s race, ethnicity, sexuality, political beliefs, and biometric or genetic data.
How to Know if Your App Collects Personal Information
Once you know what data qualifies as PI, you must maintain legal compliance by implementing the appropriate measures for alerting users and protecting their data. Here are some tips for assessing whether you collect PI:
Conduct an Audit
As you look toward developing your own mobile app privacy policy, take the time to identify each possible step within your mobile app that requires collecting personal data, whether through a checkout process, an email signup form, or an account registration page. It’s possible that you, or the third-party services you use, may collect more PI than you realize.
As you conduct your audit, be clear on what you collect and make a note of:
- Where it’s collected
- Why it’s collected
- How it’s stored
- How it may be shared
Be sure to consider pseudonymous data. On its own, this is data that cannot be used to identify an individual, but it can readily be linked to other data. Combining these disconnected bits of personal information can identify a specific user and so deprive mobile users of their privacy.
Consider Each Category Collected
It may be useful to structure the information you or a third party collects by separating the information into categories and showing where along the process it is collected.
Spotify’s privacy policy presents a sweeping model for how you could structure such a section and go further by offering details on when the data is collected and if it’s required or optional.
Consider Third Parties
Even if your app doesn’t collect the data itself, you must include a mobile app privacy policy if you employ a third-party service provider that gathers user data. You are responsible for disclosing what user data is collected on your app and how it is collected and used.
The process works the other way around as well. Several third-party service providers already require that privacy policies be presented on your mobile app when you use providers such as Google Analytics, Google Maps, and Facebook Graph API.
With regard to cookies, be aware that third-party services regularly use cookies to gather and store personal information. It is your responsibility to know and understand whether these providers are engaged in those practices, and if they are, you must include an appropriate app privacy policy.
Simply notifying your users that third parties collect their information is not sufficient. If this is the case, you must make it clear that you may not have control over the PI that third parties collect, sell, or trade.
WhatsApp is a popular messaging service application that is used worldwide. You can find a link to its privacy policy not only on the app profile page but also within the app. Furthermore, WhatsApp openly states that it extends its privacy policy to third-party providers and requires them to handle user information in accordance with WhatsApp policies.
Look in Specific Areas
When searching your mobile app for all the places and ways in which you collect PI, there are a few key areas to keep in mind:
- Direct collection through forms: Signup forms commonly gather personal information entered by the user. However, you may be collecting user data without consent if the PI is collected whether or not the user actually completes and submits the form.
- Cookies: In addition to your own mobile app, be alert for third-party services that use cookies to gather and store personal information. It is your responsibility to know if your app or any third-party service providers collect PI, ranging from user behavior to passwords to payment information. You must clearly address these practices in both your mobile app privacy policy and a dedicated cookie policy.
- Geolocation targeting: Geolocation or geotargeting technology may collect a mobile app user’s general or exact location by monitoring their mobile device either by default or with permission. Note that if the mobile app location data is joined with another piece of PI, it could be used to identify a physical person.
- Point of Sale systems (POS): Modern POS systems are often digital and are seen at the checkout page of an eCommerce or SaaS website. These systems collect customer information such as names, telephone numbers, email addresses, credit card data, and other payment information.
- Customer relationship management software (CRM): Your sales and marketing teams will likely collect and store information on potential and current users. To maintain GDPR CRM compliance, you must directly notify mobile users of these practices.
- Customer support: At a minimum, customer support collects data on names, phone numbers, addresses, and more. Your mobile app may use software to store this information and keep it on file. Figure this out and explain it to your users clearly and directly.
Consider Voluntary Consent
Voluntary consent is another means through which you can collect PI. If voluntarily provided, data can be shared for any purpose as long as the user is notified and consents, for example by ticking a checkbox, or consents by continued use of the app.
The music listening service called Pandora provides additional privacy policy rules with regard to voluntary consent. It explicitly informs its users that any such information they choose to provide, including community posting, will be shared with others.
Do You Need A Mobile App Privacy Policy?
The simple answer is yes; you need a privacy policy if any of the following apply to your mobile app:
- Your app collects personal data
- Your app uses a third-party service provider
- The iOS or Android platform requires one
- You want to reassure your app’s users
- You want to err on the side of caution
A privacy policy for your app isn’t just a way to meet legal requirements; it’s a good way to:
Reassure Your Users
According to a survey done by the Pew Research Center, more than 57% of mobile app users have uninstalled or decided not to install an app due to concerns about the sharing of their personal information.
Including a mobile app privacy policy will ease your users’ concerns and give them confidence in your app by knowing that their personal information is safe.
Anticipate Changes
As privacy policies and data protection laws related to mobile applications continue to expand, the definition of PI can change. For example, ways to determine an individual’s identity through an IP address have progressed far enough that it was added to the GDPR’s list of protected personal information.
2. Current Applicable Laws for Mobile App Privacy Policies
United States Federal Trade Commission
The US Federal Trade Commission (FTC) emphasizes that mobile application developers in the United States or those who distribute applications to be used in the United States should include privacy policies in their applications.
The foundation of every privacy policy begins with the Fair Information Practice Principles. In 1998, the FTC found that there were five core principles of privacy protection that were common in privacy policies in most countries. These five principles are:
- Notice prior to collecting data
- The choice to agree to collection or opt-out
- Access data for accuracy and correction
- Security steps to protect user data and delete old data
- Enforcement to address and remedy privacy concerns
As a part of these five Fair Information Practice Principles, a site’s security measures should be specified in its own section. The required security measures you’ll need to have in place will depend on the amount of data you collect and its sensitivity.
For example, PayPal explains that they use technical, physical, and administrative security measures to protect your data and prevent data breaches, including firewalls, data encryption, and physical access controls.
General Data Protection Regulation (GDPR)
Since 2018, the General Data Protection Regulation (GDPR) has required that companies across the globe process the personal data of EU citizens with very stringent data security tools and data privacy measures in place. In addition, companies must present their data practices to the user in the form of a privacy policy.
If your app is available to people located in any EU country, you are required to comply with the GDPR. Complying with the GDPR starts with a comprehensive mobile app privacy policy that details what, how, when, with whom, and where data is collected.
For example, if you operate a mobile app, you are likely to collect data such as geolocation and mobile device information from your app’s users. Therefore, you should be explicit in outlining all these potential avenues of data collection in your app’s privacy policy.
A look at Walt Disney’s GDPR compliance
Walt Disney is an example of a company in compliance with the rules of the GDPR. With an easy-to-navigate menu, you can see and easily understand:
- How your data is being collected
- Why it’s being collected
- What type of data is being collected
- How your data is being used
- Where your data is being used
- How you can revoke consent
- Terms of the complete privacy policy
Here’s Google’s GDPR policy on deleting data
One of the GDPR’s most significant provisions concerns giving users the capability to remove their data, revoke consent, or delete their data entirely. Google provides easily accessible methods for its users to export their data or delete it entirely. Clearly marked, separate buttons guide users through the process of exporting or immediately deleting all data.
Accountability Principles of GDPR
Any mobile application that handles personal data from EU citizens is required to make certain declarations to those mobile users in the form of a privacy policy. In addition, users must give explicit and informed consent before a mobile app can process their information.
GDPR’s data protection and accountability principles must be followed:
- Data processing must be fair
- Data collected must be for specific and legitimate purposes
- No more data is collected than what is needed
- No storage of data longer than needed
- Data must be accurate
- Data must be processed in a way that ensures its security, integrity, and confidentiality
- Demonstrated compliance with data principles
A fine could be levied up to 20 million euros or 4% of your mobile app’s annual global revenue. For more details on the key concepts regarding the requirements of the GDPR, refer to our GDPR overview.
The California Consumer Privacy Act of 2018 (CCPA)
The California Consumer Privacy Act (CCPA) is a data privacy law that regulates how businesses worldwide are allowed to handle the personal information (PI) of California residents.
Under the CCPA, consumers now have rights such as the right to request their data be erased or not sold. Although it’s sometimes called a light version of the more comprehensive GDPR, the CCPA is the first law of its kind in the United States and one of the strictest privacy laws in US history.
All companies that serve California residents must comply with the CCPA if they:
- Have $25 million or more in annual revenue
- Collect, share, buy, or sell the personal data of 50,000 or more “consumers, households, or devices”
- Collect more than half of their revenues from the sale of personal data from Californians
Unlike the GDPR, the CCPA expands privacy laws by:
- Allowing users to request information on any data collected on them, not just PI
- Granting users the right to refuse the sale of their personal information to third parties
- Requiring that minors under the age of 16 be opted-out of the sale of their information by default
The CCPA carries fines of up to $7,500 per intentional violation, with unintentional violations costing $2,500 per violation if not remedied within 30 days.
Recently, the FTC fined TikTok, a popular social networking platform directed at kids, for violating the Children’s Online Privacy Protection Act (COPPA). TikTok was fined $5.7 million for illegally collecting children’s information without parental consent for the purpose of selling it elsewhere.
Now TikTok displays prominent notices regarding the data it uses to track users and the personal information it collects.
California’s Online Privacy Protection Act (CalOPPA)
CalOPPA applies to any businesses running mobile apps. Failure to comply with CalOPPA could result in fines of up to $2,500 per user per violation. Fines of over a quarter of a million dollars can easily be levied against even a small mobile application company that reaches only 100 users per week.
In addition to basic GDPR rules, other requirements must be satisfied for compliance with CalOPPA. The privacy policy for a mobile application must contain:
- A link to the privacy policy from the website and mobile app’s homepage, which must contain the word “privacy”
- Information about modifications and how they will be made
- Third-party information regarding exactly who collects data
Children’s Online Privacy Protection Act (COPPA)
To help protect children’s privacy and keep them safe online, the FTC enforces the Children’s Online Privacy Protection Act (COPPA), which requires websites, mobile apps, and other online services to obtain consent from parents before collecting personal information from kids younger than 13.
COPPA is the reason that many websites and apps do not allow users under the age of 13 to access the content or register an account. Complying with the law is often seen as too difficult to merit the inclusion of children of that age.
In addition to requiring privacy policies, COPPA imposes fines on companies that fail to follow their guidelines for how online businesses and mobile apps should treat children’s information.
For example, in 2019, YouTube was issued a COPPA fine of $170 million for illegally harvesting children’s personal data and targeting ads at kids without their parents’ consent. In such a situation, direct notification by a privacy policy would have been insufficient to avoid fines as COPPA requires verifiable parental consent before proceeding with any sensitive distribution or selling of children’s information and, in some cases, is never allowed.
Privacy Rights for California Minors in the Digital World
The Privacy Rights for California Minors in the Digital World Act (also called the Eraser Button Law) applies to websites and mobile applications that allow users under the age of 18 to register and post content.
The Eraser Button Law states that these websites and mobile apps must allow users under the age of 18 to remove the content or information they have contributed whenever they would like to. It also states that these users must be clearly informed of their rights and ability to do so.
Student Online Personal Information Protection Act
The Student Online Personal Information Protection Act (SOPIPA) applies to the online collection of the personal information of K-12 student-users in California.
The law states that any information gathered from students cannot be used in targeted advertising toward them or their parents. Student data also cannot be sold or disclosed without express authorization, and then only under specified circumstances.
3. Privacy Policies for iOS and Android Apps
Privacy Policy for iOS Apps
iOS is a mobile operating system created and developed by Apple for exclusive distribution on its hardware. Independently of any other privacy law, Apple requires mobile app developers to include a privacy policy in an iOS application.
Apple’s App Store requires a privacy policy if an app:
- Collects user data
- Is made for, or specifically directed at, kids
- Offers automatically renewable in-app purchases
- Allows for user registration
- Accesses a user’s existing account
- Offers free subscriptions
- Is otherwise required by law
Privacy Policy for Android Apps
Android is an operating system developed by Google for use on mobile devices. Android apps can be purchased in the Google Play Store or other third-party marketplaces such as SlideME or the Amazon Appstore.
By April 22, 2022, every application published on the Google Play Store will be required to have a privacy policy and to declare how it collects, protects, and handles private user data.
The new safety section in the Google Play Console will inform users and help them understand:
- What type of data an app collects
- Why the app collects that data
- Which data is shared with third-party providers
- Whether users have control over their data
- How the app uses security practices like encryption
- If the data is optional or needed for app functionality
4. General Requirements for Mobile App Privacy Policies
To make your app’s privacy policy comprehensive and user-friendly, it should contain the following information:
Section 1: Explain the Type of Personal Information You Collect
Privacy policies almost always begin by explaining the types of data that a website or app may collect from users. It’s important that you are as detailed as possible about the data you collect.
Section 2: Define How You Use and Share Data
In addition to revealing the type of data you collect, you must explain how the data gets used and whether or not it gets shared with third-party services.
Section 3: Disclose Use of Third Party Services
Third-party tools and providers can enhance your mobile apps through content optimization, better customer service, data analytics, affiliate marketing, and lead generation.
If you share data with third-party services, your policy must reveal how and why.
On many mobile apps, Google Analytics is mentioned by name as a service that receives user PI in order to perform statistical analysis of how the app is used.
Section 3 of Twitter’s privacy policy includes a paragraph on the kinds of data it shares and the types of service providers it uses, and it also names Google Analytics directly.
As Google Analytics is a recognizable and frequently used third-party service, be sure your mobile app meets the requirements of the GDPR. In addition, consider reviewing our Google Analytics GDPR guide as it provides actionable steps for complying with the GDPR.
Note that any irregular processing of personal data collected through third-party analytics tools can result in a fine of up to 4% of your mobile app’s annual global revenue.
Section 4: Describe How Users Can Control Their Data
Control over a user’s data has become a key concern for online businesses as they strive to comply with laws like the GDPR and CCPA. By default, privacy policies have become instruction manuals for how users can exercise their data rights.
You should include the steps that users can take to access, transfer, change, delete, correct, amend, export, or limit the use of their information.
Section 5: Update Users of Policy Changes
Mobile app users have the right to be informed of any changes to your privacy policy. As a result, you may need to update your policy. Publish the date of the last change and reassure users that any significant changes will be presented prominently and emailed to the user.
5. Inform Mobile Users If They Are Being Tracked
A significant and growing concern for mobile application users is being tracked through their purchases, daily activities, physical geolocations, and website history.
According to a recent Pew Research Center study, nearly all mobile app users take steps to manage, control, or protect their personal data:
- 54% of mobile app users did not install a mobile app due to the amount of personal information they needed to share in order to use the app
- 30% of mobile app users have uninstalled an app that was already on their mobile device once they learned it was collecting personal information they didn’t wish to share
For example, in an effort to acknowledge user concerns, the Walt Disney Company is careful to inform users of its tracking policy. Children and families spend billions on Disney Company products, movies, and visits to amusement parks. To provide complete transparency, Disney is clear about how the company and its advertisers track web behavior for advertising purposes.
6. How to Give Users Access to Your App’s Privacy Policy
Whether or not your mobile application requires a privacy policy, it is a good idea to include one. Having one will offer some level of protection in the event of a legal challenge.
Whether you have an iOS, Android, or Windows app, you can include such a policy in several ways:
- Embed it directly in your app
- Provide a link to a dedicated webpage
- Place it on your official website
Embed Directly in the App
Embedding the policy in your application means dedicating space within the app to display it. Then, users can simply navigate within the app to get to the policy.
Through this method, your legal policies are only ever a few actions away from the current page. Users are aware of its presence, can consult it at any time, and are not inconvenienced by doing so.
Use an App Privacy Policy URL
Many developers use an app privacy policy URL to directly link to the policy within the app. This means that users can navigate to a place within the app that has a hyperlink containing the word “privacy.”
Clicking this link opens up the privacy policy in a new internet browser window. This webpage is usually hosted by a third party but can also be part of the company’s website.
You can also include a link to your policy on your app’s profile page in whichever app store you choose to sell your product. This allows users to view your policy before downloading your application.
Place the Policy on Your Official Site
If your company has a website, you can display your privacy policy, and any changes to it, there. It is good practice to use the same policies for both your app and your website.
Even if your website is just a placeholder site, you will still benefit from the legal protection afforded to you by the presence of such a policy.
7. App Privacy Policy Examples
Every company should have a privacy policy, and those that collect user information are legally required to do so.
However, within that framework, companies may have very different policies depending on what their mobile applications are used for.
We’ve outlined several notable examples:
Dropbox
There is a link to the Dropbox privacy policy on the app’s profile page in the app store. Users can first view the policy and then decide if they want to download the app.
Dropbox uses the same policy for both its company at large and its mobile application. It outlines with whom user information will be shared and why. The company also directly states that it won’t sell personal data to advertisers or other third parties.
The company’s policy is easy to read and utilizes friendly language to inform users that Dropbox will collect personal information. The policy is specific and thorough, leaving little room for legal interpretation.
Facebook
Facebook also provides a link to its privacy policy on its profile page in the app store. In addition, the company has adopted a more up-front, user-friendly approach to its legal policies in response to public concerns over the sharing of personal information.
Facebook has identical policies for the company and the mobile application. The policy is formatted in an FAQ format, which makes for easy reading. The language used is also very understandable, making it easy for users to process.
Additionally, third parties that develop Facebook apps for use on its platform are required to enter a privacy policy URL in order to publish their app.
Pandora
Pandora is a music streaming service with both a website and a mobile app. There is a link to its privacy policy on the mobile app’s profile page in the app store. In keeping with most modern companies, Pandora’s policies are consistent across all platforms.
The company stresses that it will not share your personal information with anyone, except under extreme circumstances. Interestingly, however, the company will share user information with a successor company in the event of a merger or corporate takeover. There is no guarantee that the successor company will honor the current privacy policy.
Snapchat
Snapchat is an exclusively mobile application that allows for the taking, editing, and sharing of photos. Although the service is only provided through mobile devices, its legal policies are hosted on its official website.
The company’s policy is clearly laid out and very approachable. However, it states that Snapchat may use your personal information for ad targeting and customization. This is seemingly at odds with SOPIPA.
WhatsApp
WhatsApp is a popular messaging service application that is used worldwide. You can find a link to its privacy policy not only on the app profile page but also within the app.
WhatsApp seems to pride itself on its practices for keeping personal information secure. Its privacy policy is comprehensive and precise.
The company even describes how it requires the third-party service providers it employs to handle user information in accordance with WhatsApp policies.
8. Mobile App Privacy Policy Template for iOS and Android [Full Text and Download]
Whether you copy and paste or download the template below, please remember that this is just a template and should be edited to match your mobile app.
Before using it, read through the entire mobile app privacy policy template: fill in all of the [brackets], remove any sections that do not apply to your app, and tweak any language as needed.
If you’re looking for a different type of privacy policy, have a look at our other template pages to find what you need:
| Privacy Policy | Description |
| --- | --- |
| Website Privacy Policy Template | A standard privacy policy for basic websites and blogs. |
| Ecommerce Privacy Policy Template | A privacy policy built specifically for online eCommerce stores. |
| GDPR Privacy Policy Template | A GDPR-ready privacy policy for any online business. |
9. FAQs About App Privacy Policies
When do I need a privacy policy for an app?
A privacy policy is required for your app if it collects personal information from California residents or residents in the EEA. In addition, depending on applicable laws, your app may also need a privacy policy if it markets to certain demographics.
Even if you’re not legally required to have a privacy policy, third-party app services and platforms (such as Google Analytics and the iOS App Store) often require your app to contain a privacy policy.