Legal policies are ubiquitous on the web these days–and for good reason. In the ever-changing legal landscape of internet privacy, it has never been more important to keep your mobile applications compliant and protected.
- Applicable Laws for Mobile Apps
- General Requirements for Mobile Apps
- iOS Applications
- Android Apps
- Windows Apps
- Accessibility Options
- Notable Examples in Mobile Applications
Whether you copy and paste or download the template below, please remember that this is just a template and should be edited to match your mobile app. Read through the entire policy before using it – fill in all of the [brackets], remove any sections that do not apply to your app, and tweak any language as needed.
Last updated [month day, year]
COLLECTION OF YOUR INFORMATION
We may collect information about you in a variety of ways. The information we may collect via the Application depends on the content and materials you use, and includes:
Demographic and other personally identifiable information (such as your name and email address) that you voluntarily give to us when choosing to participate in various activities related to the Application, such as chat, posting messages in comment sections or in our forums, liking posts, sending feedback, and responding to surveys. If you choose to share data about yourself via your profile, online chat, or other interactive areas of the Application, please be advised that all data you disclose in these areas is public and your data will be accessible to anyone who accesses the Application.
Information our servers automatically collect when you access the Application, such as your native actions that are integral to the Application, including liking, re-blogging, or replying to a post, as well as other interactions with the Application and other users via server log files.
The Application may by default access your Facebook basic account information, including your name, email, gender, birthday, current city, and profile picture URL, as well as other information that you choose to make public. We may also request access to other permissions related to your account, such as friends, checkins, and likes, and you may choose to grant or deny us access to each individual permission. For more information regarding Facebook permissions, refer to the Facebook Permissions Reference page.
Data from Social Networks
User information from social networking sites, such as [social media sites that your mobile app connects to], including your name, your social network username, location, gender, birth date, email address, profile picture, and public data for contacts, if you connect your account to such social networks. This information may also include the contact information of anyone you invite to use and/or join the Application.
We may request access or permission to and track location-based information from your mobile device, either continuously or while you are using the Application, to provide location-based services. If you wish to change our access or permissions, you may do so in your device’s settings.
Mobile Device Access
We may request access or permission to certain features from your mobile device, including your mobile device’s [list all features that your app can connect to (eg. bluetooth)]. If you wish to change our access or permissions, you may do so in your device’s settings.
Mobile Device Data
Device information such as your mobile device ID number, model, and manufacturer, version of your operating system, phone number, country, location, and any other data you choose to provide.
We may request to send you push notifications regarding your account or the Application. If you wish to opt-out from receiving these types of communications, you may turn them off in your device’s settings.
Information from third parties, such as personal information or network friends, if you connect your account to the third party and grant the Application permission to access this information.
Data From Contests, Giveaways, and Surveys
Personal and other information you may provide when entering contests or giveaways and/or responding to surveys.
USE OF YOUR INFORMATION
Having accurate information about you permits us to provide you with a smooth, efficient, and customized experience. Specifically, we may use information collected about you via the Application to: [Choose from the options below, or add your own]
- Administer sweepstakes, promotions, and contests.
- Assist law enforcement and respond to subpoena.
- Compile anonymous statistical data and analysis for use internally or with third parties.
- Create and manage your account.
- Deliver targeted advertising, coupons, newsletters, and other information regarding promotions and the Application to you.
- Email you regarding your account or order.
- Enable user-to-user communications.
- Fulfill and manage purchases, orders, payments, and other transactions related to the Application.
- Generate a personal profile about you to make future visits to the Application more personalized.
- Increase the efficiency and operation of the Application.
- Monitor and analyze usage and trends to improve your experience with the Application.
- Notify you of updates to the Application.
- Offer new products, services, mobile applications, and/or recommendations to you.
- Perform other business activities as needed.
- Prevent fraudulent transactions, monitor against theft, and protect against criminal activity.
- Process payments and refunds.
- Request feedback and contact you about your use of the Application.
- Resolve disputes and troubleshoot problems.
- Respond to product and customer service requests.
- Send you a newsletter.
- Solicit support for the Application.
DISCLOSURE OF YOUR INFORMATION
We may share information we have collected about you in certain situations. Your information may be disclosed as follows:
By Law or to Protect Rights
If we believe the release of information about you is necessary to respond to legal process, to investigate or remedy potential violations of our policies, or to protect the rights, property, and safety of others, we may share your information as permitted or required by any applicable law, rule, or regulation. This includes exchanging information with other entities for fraud protection and credit risk reduction.
Third-Party Service Providers
We may share your information with third parties that perform services for us or on our behalf, including payment processing, data analysis, email delivery, hosting services, customer service, and marketing assistance.
With your consent, or with an opportunity for you to withdraw consent, we may share your information with third parties for marketing purposes, as permitted by law.
Interactions with Other Users
If you interact with other users of the Application, those users may see your name, profile photo, and descriptions of your activity, including sending invitations to other users, chatting with other users, liking posts, following blogs.
When you post comments, contributions or other content to the Applications, your posts may be viewed by all users and may be publicly distributed outside the Application in perpetuity
We may use third-party advertising companies to serve ads when you visit the Application. These companies may use information about your visits to the Application and other websites that are contained in web cookies in order to provide advertisements about goods and services of interest to you.
We may share your information with our business partners to offer you certain products, services or promotions.
The Application may display a third-party-hosted “offer wall.” Such an offer wall allows third-party advertisers to offer virtual currency, gifts, or other items to users in return for acceptance and completion of an advertisement offer. Such an offer wall may appear in the Application and be displayed to you based on certain data, such as your geographic area or demographic information. When you click on an offer wall, you will leave the Application. A unique identifier, such as your user ID, will be shared with the offer wall provider in order to prevent fraud and properly credit your account.
Social Media Contacts
If you connect to the Application through a social network, your contacts on the social network will see your name, profile photo, and descriptions of your activity.
Other Third Parties
We may share your information with advertisers and investors for the purpose of conducting general business analysis. We may also share your information with such third parties for marketing purposes, as permitted by law.
Sale or Bankruptcy
We are not responsible for the actions of third parties with whom you share personal or sensitive data, and we have no authority to manage or control third-party solicitations. If you no longer wish to receive correspondence, emails or other communications from third parties, you are responsible for contacting the third party directly.
Cookies and Web Beacons
You should be aware that getting a new computer, installing a new browser, upgrading an existing browser, or erasing or otherwise altering your browser’s cookies files may also clear certain opt-out cookies, plug-ins, or settings.
SECURITY OF YOUR INFORMATION
We use administrative, technical, and physical security measures to help protect your personal information. While we have taken reasonable steps to secure the personal information you provide to us, please be aware that despite our efforts, no security measures are perfect or impenetrable, and no method of data transmission can be guaranteed against any interception or other type of misuse. Any information disclosed online is vulnerable to interception and misuse by unauthorized parties. Therefore, we cannot guarantee complete security if you provide personal information.
POLICY FOR CHILDREN
We do not knowingly solicit information from or market to children under the age of 13. If you become aware of any data we have collected from children under age 13, please contact us using the contact information provided below.
CONTROLS FOR DO-NOT-TRACK FEATURES
OPTIONS REGARDING YOUR INFORMATION
You may at any time review or change the information in your account or terminate your account by: [Choose from the options below, or add your own]
- Logging into your account settings and updating your account
- Contacting us using the contact information provided below
Emails and Communications
If you no longer wish to receive correspondence, emails, or other communications from us, you may opt-out by: [Choose from the options below, or add your own]
- Noting your preferences at the time you register your account with the Application
- Logging into your account settings and updating your preferences.
- Contacting us using the contact information provided below
If you no longer wish to receive correspondence, emails, or other communications from third parties, you are responsible for contacting the third party directly.
CALIFORNIA PRIVACY RIGHTS
California Civil Code Section 1798.83, also known as the “Shine The Light” law, permits our users who are California residents to request and obtain from us, once a year and free of charge, information about categories of personal information (if any) we disclosed to third parties for direct marketing purposes and the names and addresses of all third parties with which we shared personal information in the immediately preceding calendar year. If you are a California resident and would like to make such a request, please submit your request in writing to us using the contact information provided below.
If you are under 18 years of age, reside in California, and have a registered account with the Application, you have the right to request removal of unwanted data that you publicly post on the Application. To request removal of such data, please contact us using the contact information provided below, and include the email address associated with your account and a statement that you reside in California. We will make sure the data is not publicly displayed on the Application, but please be aware that the data may not be completely or comprehensively removed from our systems.
[City, State Zip]
These policies are used by companies and mobile app developers to stay compliant with federal laws. They fulfill the legal requirement to safeguard user privacy while also protecting the company itself from legal challenges.
The contents of these policies can vary greatly depending on the industry, user demographics, governing laws and jurisdictions, and application platform. Employing the use of third party services may also affect the need for one, as well as its contents–even if the app itself doesn’t collect user information.
As the use of mobile devices has become more prevalent, the number of mobile applications has also increased. Mobile applications present unique privacy concerns due to the sheer number of them and the vast amount of personal information that is collected and shared.
This decline of privacy has seen an increased emphasis placed on safeguarding the rights we still have. These policies have never been more essential for online businesses and mobile applications.
The short answer is yes, you probably need one. With the legal environment surrounding internet privacy in near-constant flux, there is a good chance that a law, regulation, affiliate, or platform will require that your mobile app include such a policy. There are several reasons why you might need one:
You Collect Personal Data
This includes any cookies or other tracking technologies you use that may collect personal data such as location, login information, and buying habits.
You Use a Third Party Service Provider
If you employ a third-party service provider that gathers user data, you are required to include one–even if your app doesn’t collect the data itself. You are responsible for disclosing what and how user data is gathered and used on your app.
There are a number of third-party service providers that might require that privacy policies be placed on your mobile app, such as Google Analytics, Google Maps, and Facebook Graph API.
The Platform or App Store Requires One
Many app stores like Windows Store and Apple’s App Store require application developers to have these policies in place on their apps before they can be approved for sale. Designers who fail to include these policies can face having their apps suspended or removed from an app store.
You Want to Reassure Your Users
According to a survey done by the Pew Research Center, more than 57% of mobile app users have either chosen not to install an app over concerns about the sharing of their personal information, or uninstalled an app for similar reasons.
People care about the privacy and management of their personal information. Including such a policy in your app will not only ease the concerns of your users, but also give them confidence in you and your app knowing that their personal information is safe. Just remember to avoid using legalese as that can make your policy difficult to understand for users.
You Want to Err on the Side of Caution
You can stay safe and protected by adding legal policies to your mobile application now–regardless of your obligation to do so.
4. Applicable Laws for Mobile Apps
There are a number of privacy laws that govern the collection of personal information by mobile applications. Although the United States has been criticized for not having comprehensive federal laws relating to information privacy, there are several state, federal, and international laws that apply to mobile applications.
The General Data Protection Regulation (GDPR)
Having officially gone into effect on May 25th, 2018, the GDPR is the world’s most comprehensive data privacy law to date. Based in the European Union (EU), this stringent set of guidelines pertains to any business who targets citizens or residents of the EU.
If your app is available to those located in any EU country, you are subject to comply with the GDPR.
In that policy, you should detail in plain and clear language (as to satisfy Article 12 of the GDPR), the following:
- What data you collect
- From where that data is collected
- Why you are collecting the data
- What you will do with that information
- If you share that information, and with whom
- What rights users have regarding its management
Feeling overwhelmed by the extensive guidelines of the GDPR? Our GDPR overview breaks down the key concepts of this complex law.
The California Consumer Privacy Act of 2018 (CCPA)
The CCPA has garnered a reputation as the light version of the GDPR. Although it doesn’t match the strictness exhibited by the GDPR, it is the loftiest piece of digital privacy legislation passed in the United States.
Signed into law in California on June 28th of 2018, and taking effect in 2020, this law applies to any business with Californian users.
Like the GDPR, the CCPA puts a priority on businesses operating with transparency when disclosing their data collection and handling practices to consumers.
Under the CCPA, consumers now have rights such as the right to request their data be erased or not sold. Read more about what the California Consumer Privacy Act means for your business practices and consumer relations.
United States Federal Trade Commission
The US Federal Trade Commission (FTC) requires that all applications which collect and use the personal information of its users inform users about the collection methods.
In its “Mobile Privacy Disclosures: Building Trust Through Transparency” document, the FTC emphasizes that application developers in the United States or those who distribute applications to be used in the United States should include privacy policies in their applications.
California’s Online Privacy Protection Act
The Attorney General of California has articulated in the state’s Online Privacy Protection Act (CalOPPA) that all websites and mobile applications that collect personal information must contain privacy policies. Not only does this regulation affect developers based in California, it also applies to any developer who potentially targets users residing in California.
This law requires any mobile application that collects personally identifiable user data to post a policy detailing and explaining completely how the application collects and uses the data.
According to the law, personally identifiable information includes:
- Physical addresses
- Email addresses
- Phone numbers
- Identification numbers (SSN, Driver’s License, etc)
- Physical appearance descriptions
- Any other information that would allow a user to be personally identified
CalOPPA requires that a link to such a policy be shown on your website’s homepage, and that a link on the app’s homepage containing the word “privacy” be directly linked to it.
- A Description of the Information Gathered: information that will be collected by the mobile application
- Modifications: information about how and when the company that owns the application will make changes to the program
- Third Party Information: information about the third parties who might be provided access to the personal data of users
An application developer that does not comply with CalOPPA can be held accountable under California law. This noncompliance must be either knowing and willful or negligent and material. Minor technical breaches are unlikely to be found as violations of CalOPPA.
Children’s Online Privacy Protection Act
The Children’s Online Privacy Protection Act (COPPA) is a federal law that applies to the online collection of information by United States based businesses about children under the age of 13.
COPPA is the reason that many websites and applications do not allow users under the age of 13 to access the content or register an account. Complying with the law is often seen as too difficult to merit the inclusion of children of that age.
Many privacy policies include clauses which state that the company does not knowingly allow access to users under the age of 13, nor does it knowingly collect information from such users.
Privacy Rights for California Minors in the Digital World
The Privacy Rights for California Minors in the Digital World Act (also called the Eraser Button Law) applies to websites and mobile applications that allow users under the age of 18 to register and post content.
The Eraser Button Law states that these websites and apps must allow users under the age of 18 to remove the content or information they have contributed if and when they desire. It also states that these users must be clearly informed of their right and ability to do so.
The law also prohibits websites and mobile applications from using the personal information of users under the age of 18 to market or advertise specified types of products or services.
Student Online Personal Information Protection Act
The Student Online Personal Information Protection Act (SOPIPA) applies to the online collection of the personal information of K-12 student-users.
The law states that any information gathered from students cannot be used in targeted advertising toward them or their parents. The student data can also not be sold or disclosed without express authorization and only under specified circumstances.
If the personal information of K-12 students could possibly be collected with your mobile application, it is crucial that your policy addresses this and stays compliant with SOPIPA.
5. General Requirements for Mobile Apps
Privacy policies are essential for apps that collect personal data. Personal data can include all sorts of information including first names, last names, email addresses, telephone numbers, location data, and other personally identifiable information (PII). A mobile application that collects this type of data must provide an easily understandable, readable, and readily accessible privacy document.
These policies must contain some particular elements, including the following:
- Identity: who is collecting the information as well as the company’s contact details
- Types of Data: what categories of personal data the app will collect and process
- Reason: why data processing is necessary and for what precise purpose the collection is being performed
- Disclosures: whether the data in question will be disclosed to third parties
- User Rights: what rights users have including the right to the withdrawal of consent and the deletion of data.
There are additional policy requirements for developers who plan to use HealthKit, HomeKit, third party keyboards, or integrate Apple Pay into their application.
6. iOS Applications
Apple’s App Store requires that such a policy accompany an app if:
- It’s made for kids
- It offers automatically renewable in-app purchases
- It offers free subscriptions
- It allows for user registration
- It accesses a user’s existing account
- It collects user data
- It’s otherwise required by law
As one of the largest file sharing programs around, Apple’s iTunes Connect policy has influenced how a large number of privacy policies for mobile applications are written. Developers who use iTunes Connect are required to create one for each language in which the mobile application will be available.
It is difficult to outline the required elements for an application because not all apps are the same. Individuals should at the very least attempt to meet the minimum CalOPPA requirements, which include:
- A description of the personal information collected
- The parties with which the personal information will be disclosed
- A description of how users can access and request changes to the information
- A description of how operators will notify users of material changes to the policy
- An effective date
7. Android Apps
Android is an operating system developed by Google for use on mobile devices. Android apps are primarily sold in the Google Play Store, but can also be sold in other third party marketplaces such as the Amazon Appstore, GetJar, and SlideMe.
However, Google does require Android apps to include one if:
- The app requests access to sensitive permissions or data–which include certain functions like the camera or microphone
- The app is designed for families and/or children
Even though Google Play does not require all apps to have them, Google Play Developer Distribution Agreements must be read and agreed to when a developer registers for a Google Play account. These policies inform developers that they are required to have “privacy procedures and notices in place”.
“Privacy procedures and notices” refers to a document where a developer agrees to use the Google Play Store to distribute products in exchange for protecting the privacy and legal rights of users.
This statement informs developers that this type of uncensored use could hurt individuals or deceive users. Google also states that it responds to clear notices of alleged privacy infringement and invites users who might be infringed upon to contact the developer directly to resolve concerns.
8. Windows Apps
Microsoft requires all Windows Store app developers to use privacy policies. The Windows Store policies page mentions that Windows applications that collect or transmit personal information must have them.
Developers must also provide access to the policy in the description page of the application and a link to the policy must be accessible from the application at all times.
The policy must inform users about the information that will be collected, accessed, or transmitted, how that information will be used, and what rights users have regarding the developer’s collection of personal information.
9. Accessibility Options
Whether you have an iOS, Android, or Windows app, you can include such a policy several ways:
- Embed it directly in your app
- Provide a link to a dedicated webpage
- Place it on your official website
Embed Directly in the App
Embedding the policy in your application means to dedicate space within the app to display it. Users can simply navigate within the app to get to the policy.
Through this method, your legal policies are only ever a few actions away from the current page. Users are aware of its presence, can consult it at any time, and are not inconvenienced by doing so.
Provide a Link to a Dedicated Webpage
Clicking this link opens up the policy in a new internet browser window. This webpage is usually hosted by a third party, but can also be part of the company’s website.
While this method allows for an easily accessible policy, it also inconveniences users by interrupting app use and forcing them to open up their internet browser.
You can also include a link to your policy on your app’s profile page in whichever app store you choose to sell your product. This allows users to view your policy before downloading your application.
Place the Policy on Your Official Site
Even if your website is just a placeholder site, you will still benefit from the legal protection afforded to you by the presence of such a policy.
10. Notable Examples in Mobile Applications
Within that framework, however, companies may have very different policies depending on what their mobile applications are used for.
We’ve outlined several notable examples:
Dropbox uses the same policy for both its company at large and its mobile application. It outlines with whom user information will be shared and why. The company also directly states that it won’t sell personal data to advertisers or other third parties.
The company’s policy is easy to read and utilizes friendly language in order to inform users that Dropbox will collect personal information. The policy is specific and thorough, leaving little room for legal interpretation.
Facebook has identical policies for the company and the mobile application. The policy is formatted in an FAQ format, which makes for easy reading. The language used is also very understandable, making it easy for users to process.
Snapchat is an exclusively mobile application that allows for the taking, editing, and sharing of photos. Although the service is only provided through mobile devices, its legal policies are hosted on its official website.
The company’s policy is clearly laid out and very approachable. However, it states that Snapchat may use your personal information for ad targeting and customization. This is seemingly at odds with SOPIPA.
The company even describes how it requires the third party service providers it employs to handle user information in accordance with Whatsapp policies.