- Applicable Laws for App Privacy Policies
- General Requirements for Mobile App Privacy Policies
- Accessibility Options
- FAQs About App Privacy Policies
These policies are used by companies and mobile app developers to stay compliant with federal laws. They fulfill the legal requirement to safeguard user privacy while also protecting the company itself from legal challenges.
Your App Collects Personal Data
This includes any cookies or other tracking technologies you use that may collect personal data such as location, login information, and buying habits.
Your App Uses a Third Party Service Provider
If you employ a third-party service provider that gathers user data, you are required to include one–even if your app doesn’t collect the data itself. You are responsible for disclosing what and how user data is gathered and used on your app.
There are a number of third-party service providers that might require that privacy policies be placed on your mobile app, such as Google Analytics, Google Maps, and Facebook Graph API.
The Platform or App Store Requires One
Many app stores, like Google’s Play for Android and Apple’s App Store for iOS, require application developers to have these policies in place on their apps before they can be approved for sale. Designers who fail to include these policies can face having their apps suspended or removed from an app store.
You Want to Reassure Your App’s Users
According to a survey done by the Pew Research Center, more than 57% of mobile app users have either chosen not to install an app over concerns about the sharing of their personal information, or uninstalled an app for similar reasons.
People care about the privacy and management of their personal information. Including such a policy in your app will not only ease the concerns of your users, but also give them confidence in you and your app knowing that their personal information is safe. Just remember to avoid using legalese as that can make your policy difficult to understand for users.
You Want to Err on the Side of Caution
You can stay safe and protected by adding legal policies to your mobile application now–regardless of your obligation to do so.
4. Applicable Laws for App Privacy Policies
There are a number of privacy laws that govern the collection of personal information by mobile applications. Although the United States has been criticized for not having comprehensive federal laws relating to information privacy, there are several state, federal, and international laws that apply to apps.
The General Data Protection Regulation (GDPR)
Having officially gone into effect on May 25th, 2018, the GDPR is the world’s most comprehensive data privacy law to date. Based in the European Union (EU), this stringent set of guidelines pertains to any business who targets citizens or residents of the EU.
If your app is available to those located in any EU country, you are subject to comply with the GDPR.
- What data you collect
- From where that data is collected
- Why you are collecting the data
- What you will do with that information
- If you share that information, and with whom
- What rights users have regarding its management
The California Consumer Privacy Act of 2018 (CCPA)
The CCPA has garnered a reputation as the light version of the GDPR. Although it doesn’t match the strictness exhibited by the GDPR, it is the loftiest piece of digital privacy legislation passed in the United States.
This law applies to any business with Californian users—including businesses running mobile apps.
Like the GDPR, the CCPA puts a priority on businesses operating with transparency when disclosing their data collection and handling practices to consumers.
United States Federal Trade Commission
The US Federal Trade Commission (FTC) requires that all mobile apps which collect and use the personal information of its users inform users about the collection methods.
In its “Mobile Privacy Disclosures: Building Trust Through Transparency” document, the FTC emphasizes that application developers in the United States or those who distribute applications to be used in the United States should include privacy policies in their applications.
California’s Online Privacy Protection Act
The Attorney General of California has articulated in the state’s Online Privacy Protection Act (CalOPPA) that all websites and mobile applications that collect personal information must contain privacy policies. Not only does this regulation affect developers based in California, it also applies to any developer who potentially targets users residing in California.
According to the law, personally identifiable information includes:
- Physical addresses
- Email addresses
- Phone numbers
- Identification numbers (SSN, Driver’s License, etc)
- Physical appearance descriptions
- Any other information that would allow a user to be personally identified
CalOPPA requires that a link to such a policy be shown on your website’s homepage, and that a link on the app’s homepage containing the word “privacy” be directly linked to it.
- A Description of the Information Gathered: information that will be collected by the mobile application
- Modifications: information about how and when the company that owns the application will make changes to the program
- Third Party Information: information about the third parties who might be provided access to the personal data of users
Children’s Online Privacy Protection Act
The Children’s Online Privacy Protection Act (COPPA) is a federal law that applies to the online collection of information by United States based businesses about children under the age of 13.
COPPA is the reason that many websites and apps do not allow users under the age of 13 to access the content or register an account. Complying with the law is often seen as too difficult to merit the inclusion of children of that age.
Privacy Rights for California Minors in the Digital World
The Privacy Rights for California Minors in the Digital World Act (also called the Eraser Button Law) applies to websites and mobile applications that allow users under the age of 18 to register and post content.
The Eraser Button Law states that these websites and mobile apps must allow users under the age of 18 to remove the content or information they have contributed if and when they desire. It also states that these users must be clearly informed of their right and ability to do so.
Student Online Personal Information Protection Act
The Student Online Personal Information Protection Act (SOPIPA) applies to the online collection of the personal information of K-12 student-users.
The law states that any information gathered from students cannot be used in targeted advertising toward them or their parents. The student data can also not be sold or disclosed without express authorization and only under specified circumstances.
5. General Requirements for Mobile App Privacy Policies
Privacy policies are essential for apps that collect personal data. Personal data can include all sorts of information including first names, last names, email addresses, telephone numbers, location data, and other personally identifiable information (PII). A mobile application that collects this type of data must provide an easily understandable, readable, and readily accessible privacy document.
These app privacy policies must contain some particular elements, including the following:
- Identity: who is collecting the information as well as the company’s contact details
- Types of Data: what categories of personal data the app will collect and process
- Reason: why data processing is necessary and for what precise purpose the collection is being performed
- Disclosures: whether the data in question will be disclosed to third parties
- User Rights: what rights users have including the right to the withdrawal of consent and the deletion of data.
Apple’s App Store requires that such a policy accompany an app if:
- It’s made for kids
- It offers automatically renewable in-app purchases
- It offers free subscriptions
- It allows for user registration
- It accesses a user’s existing account
- It collects user data
- It’s otherwise required by law
As one of the largest file sharing programs around, Apple’s iTunes Connect policy has influenced how a large number of privacy policies for mobile applications are written. Developers who use iTunes Connect are required to create one for each language in which the mobile application will be available.
It is difficult to outline the required elements for an application because not all apps are the same. Individuals should at the very least attempt to meet the minimum CalOPPA requirements, which include:
- A description of the personal information collected
- The parties with which the personal information will be disclosed
- A description of how users can access and request changes to the information
- A description of how operators will notify users of material changes to the policy
- An effective date
Android is an operating system developed by Google for use on mobile devices. Android apps are primarily sold in the Google Play Store, but can also be sold in other third party marketplaces such as the Amazon Appstore, GetJar, and SlideMe.
- The app requests access to sensitive permissions or data–which include certain functions like the camera or microphone
- The app is designed for families and/or children
Many apps, whether intentional or not, have components that rely on personal data to function. Even though Google Play does not explicitly require all apps to have them, it is highly recommended to have one or risk removal from the Play store if the App is ever found to have used sensitive permissions. In addition, Google Play Developer Distribution Agreements must be read and agreed to when a developer registers for a Google Play account. These policies inform developers that they are required to have “privacy procedures and notices in place.”
This statement informs developers that this type of uncensored use could hurt individuals or deceive users. Google also states that it responds to clear notices of alleged privacy infringement and invites users who might be infringed upon to contact the developer directly to resolve concerns.
9. Accessibility Options
Whether you have an iOS, Android, or Windows app, you can include such a policy several ways:
- Embed it directly in your app
- Provide a link to a dedicated webpage
- Place it on your official website
Embed Directly in the App
Embedding the policy in your application means to dedicate space within the app to display it. Users can simply navigate within the app to get to the policy.
Through this method, your legal policies are only ever a few actions away from the current page. Users are aware of its presence, can consult it at any time, and are not inconvenienced by doing so.
You can also include a link to your policy on your app’s profile page in whichever app store you choose to sell your product. This allows users to view your policy before downloading your application.
Place the Policy on Your Official Site
Even if your website is just a placeholder site, you will still benefit from the legal protection afforded to you by the presence of such a policy.
Within that framework, however, companies may have very different policies depending on what their mobile applications are used for.
We’ve outlined several notable examples:
Dropbox uses the same policy for both its company at large and its mobile application. It outlines with whom user information will be shared and why. The company also directly states that it won’t sell personal data to advertisers or other third parties.
The company’s policy is easy to read and utilizes friendly language in order to inform users that Dropbox will collect personal information. The policy is specific and thorough, leaving little room for legal interpretation.
Facebook has identical policies for the company and the mobile application. The policy is formatted in an FAQ format, which makes for easy reading. The language used is also very understandable, making it easy for users to process.
Snapchat is an exclusively mobile application that allows for the taking, editing, and sharing of photos. Although the service is only provided through mobile devices, its legal policies are hosted on its official website.
The company’s policy is clearly laid out and very approachable. However, it states that Snapchat may use your personal information for ad targeting and customization. This is seemingly at odds with SOPIPA.
The company even describes how it requires the third party service providers it employs to handle user information in accordance with Whatsapp policies.