More likely than not, your Android app is required to have a Privacy Policy. There are three main reasons for this:
Multiple international laws require a Privacy Policy if any user information is collected and used by an app,
The Google Play Store Distribution Agreement requires all apps available through the store to have a Privacy Policy in place if the app collects personal data, and
Some app permission requests automatically trigger the requirement of a Privacy Policy by Google Play Store
If your Android app collects any personal information from users - that is, information that could be used to identify an individual - you need a Privacy Policy. Some examples of personal information include:
First and last names,
Email addresses,
Financial information (bank account number, credit card number, etc.),
Shipping and billing addresses,
Birthdate,
Social security numbers
If your app collects this information, a number of laws and regulations that aim to protect consumers will apply to your app and require it to have a Privacy Policy.
United States
In the US, the California Online Privacy Protection Act (CalOPPA) requires that any website or mobile app that collects personal information from users in the state of California must have a Privacy Policy in place that lets users know that their data is being collected, how it is being collected and used, and for what purposes.
Australia
The Australian Privacy Act of 1988 lists 13 Privacy Principles that companies that collect personal information must adhere to.
The very first principle is that companies need to have an up-to-date Privacy Policy in place.
In the UK
The Data Protection Act of 1998 from the UK has 8 principles that call for fair and minimal collection and use of personal information.
Data should only be collected for legitimate business reasons, and should only be collected in non-intrusive ways.
Transparency on collection practices is called for, as well as giving users notice about your practices. This is accomplished by including a Privacy Policy.
The new GDPR Directive may change some of these requirements as it comes into place.
Required by Google Play
The Google Play Developer Policy requires that all Android apps that collect and handle personal or sensitive user data have a Privacy Policy in place. The Privacy Policy must be posted in the Play Developer Console, as well as from within the app itself.
The content of the Privacy Policy must disclose "how your app collects, uses and shares user data, including the types of parties with whom it's shared."
How to add your Privacy Policy's URL to your Google Play Store app listing
Click Save and your URL will now show up in the Google Play Store along with the rest of your app's information.
Here's how Pinterest's Privacy Policy URL is displayed on its listing in the Google Play Store:
The Privacy Policy is also a part of the regular app and can be accessed by users at any time from within the app.
Google takes their Privacy Policy requirement seriously enough that they sent out an email to owners of apps that were in violation of the requirement.
Any apps that requested dangerous permissions and didn't have an adequate Privacy Policy in place by March of 2017 were to be removed from the Google Play Store if action wasn't taken before that deadline.
Sensitive permissions that need a Privacy Policy
The Android platform requires that any apps that request user data or make sensitive permissions requests, such as a request by an app to access a user's "Camera" or "Microphone,"Â will need a valid Privacy Policy both in the app store listing, and within the app itself.
Normal permissions cover areas where there are very few if any risks to the privacy of the user.
Dangerous or sensitive permissions cover the areas where the app requests data or access to resources that involve private user information, and could potentially affect the personal data stored on the user's device.
If your app requests permission to access any of the following "dangerous" or sensitive permission areas of a phone, you will need a Privacy Policy:
Camera - If an app can access a camera, it may be able to turn on the camera and record video without a user's consent. This can obviously be a huge violation of the user's privacy.
Microphone - Recording audio is a sensitive permission because it will require use of the device's microphone, which raises issues of user privacy. Here's how Google Hangouts requests permission for the Hangouts app to record audio.
Contacts
Calendar
Location
Sensors
Storage
Messaging
Phone
If your app will be accessing multiple sensitive areas of a user's Android device, you'll need to request permission for each area.
For example, Hangouts app asks for permission to record audio, and then it must also request separate permission to send and view SMS messages.
The Facebook Android app presents users with a permissions screen that helps summarize and explain that the app wants to access the Camera so that pictures can be taken while inside the app.
The app also wants to access the device's "Storage" so that the app can "store and access information like photos on your phone and its SD card."
After this main request screen, individual permissions to take pictures and record video are presented:
As well as access to photos, media and files on the device are asked by the app:
The Firefox Browser for Android requests multiple permissions at once, but each has a separate spot on the list with a drop-down arrow where a user can find out more information about each sensitive area.
Here's how the Firefox Privacy Policy is linked to its listing in the Google Play Store as required by Google:
You can also include a link in your permissions request box where users can find out more information before deciding to allow or deny the request.
This "Find Out More" link can link back to your Privacy Policy where users will be informed about your data collection and use practices.
Requesting permission to access sensitive areas of a mobile device isn't only for Androids.
It's used across platforms to stay compliant with privacy laws. Here's how Path requests permission to access the contacts on a user's iOS device:
The more permissions your app requests, the more likely it is that you'll be dealing with sensitive information and that your permissions will be deemed dangerous.
Include a Privacy Policy even if you do not collect personal data
Even if your Android app doesn't request any dangerous permissions, remember that you'll still need a Privacy Policy in place if your app collects any personal information from users.
Even if you don't collect any personal information and aren't required to have a Privacy Policy, it can never hurt to include one anyway that lets users know that their data won't be touched.
Users appreciate the transparency and clarity, and it can help keep you compliant with privacy laws as they grow and change with the digital world.
To recap, your Android app will need a Privacy Policy in place if it:
Collects any personal information from or about users via the app, or
Requests permission to access sensitive areas of the mobile device.
This Privacy Policy must be linked:
To your app's listing page in the Google Play Store, and
Within your app itself.
These easy steps will keep you compliant with international laws, Google's policies, and Android's platform requirements. It will also give your app users the transparency they want when it comes to knowing how their personal information and personal mobile devices are used by you and your app.
Law school graduate, B.A. in English/Writing. In-house writer.
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.
