Android Permissions That Need a Privacy Policy

More likely than not, your Android app is required to have a Privacy Policy. There are three main reasons for this.

First, multiple international laws require a Privacy Policy if any user information is collected and used by an app. Secondly, the Google Play Store Distribution Agreement requires all apps available through the store to have a Privacy Policy in place if the app collects personal data. Finally, some app permission requests automatically trigger the requirement of a Privacy Policy by the Google Play Store.

This article will break down what you'll need to do to comply with legal requirements and with Google, and how you can do so.

Privacy Policy Requirements for Android Apps

A Privacy Policy for Android Apps is Required by Law

If your Android app collects any personal information from users - that is, information that could be used to identify an individual - you legally need a Privacy Policy. Some examples of personal information include:

• First and last names
• Email addresses
• Financial information (bank account number, credit card number, etc.)
• Shipping and billing addresses
• Birthdate
• Social security numbers

If your app collects this information, a number of laws and regulations that aim to protect consumers will apply to your app and require it to have a Privacy Policy.

United States

In the U.S., CalOPPA, the CPRA and other laws require that any website or mobile app that collects personal information from users in the state of California must have a Privacy Policy in place.

The Privacy Policy must let users know that their data is being collected, how it is being collected and used, and for what purposes.

Australia

The Australian Privacy Act of 1988 lists 13 Privacy Principles that companies that collect personal information must adhere to.

The very first principle is that companies need to have an up-to-date Privacy Policy in place.

In the UK

The Data Protection Act of 1998 from the UK has 8 principles that call for fair and minimal collection and use of personal information. Transparency on collection practices is called for, as well as giving users notice about your practices. This is accomplished by including a Privacy Policy.

Data should only be collected for legitimate business reasons, and should only be collected in non-intrusive ways.

In the EU

The GDPR imposes a number of requirements on businesses that interact with residents of the EU. If your app reaches these individuals, which it likely does, then you need to disclose some specific information in a compliant Privacy Policy.

A Privacy Policy for Android Apps is Required by Google Play

The Google Play Developer Policy requires that all Android apps that collect and handle personal or sensitive user data have a prominent disclosure in place that discloses the collection, use, sharing and accessing of data. This can be met by having a Privacy Policy.

The content of the Privacy Policy must disclose "how your app collects, uses and shares user data, including the types of parties with whom it's shared."

Google takes its Privacy Policy requirement seriously enough that it sent out an email to owners of apps that were in violation of the requirement.

Any apps that requested dangerous permissions and didn't have an adequate Privacy Policy in place by March of 2017 were to be removed from the Google Play Store if action wasn't taken before that deadline.

How to Add a Privacy Policy's URL to Google Play Store App Listing

Google makes it so easy to add your Privacy Policy URL to your Google Play Store listing. Follow these steps to stay compliant:

1. Log into your Google Play Developer Console. Create one if you don't have one yet.
2. Select All apps and then click on the app you wish to add a Privacy Policy to:
3. In the left menu, under the Policy section, select App content:
4. From the App Content page, go to the Privacy policy section and click start:

5. In the Privacy Policy URL field, enter the URL for where you host your Privacy Policy:

You can use our Privacy Policy Generator to create a Privacy Policy. TermsFeed will host the policy for free.

6. Click Save and your Privacy Policy's URL will now show up in the Google Play Store along with the rest of your app's information.

Example from Pinterest

Here's how Pinterest's Privacy Policy URL is displayed on its listing in the Google Play Store:

The Privacy Policy is also a part of the regular app and can be accessed by users at any time from within the app. Within the app, the user will click on the "Settings" icon:

Under the "Support" section, the user can tap on "See terms and privacy:"

Sensitive Permissions That Need a Privacy Policy for Android Apps

The Android platform requires that any apps that request user data or make sensitive permissions requests, such as a request by an app to access a user's "Camera" or "Microphone," will need a valid Privacy Policy both in the app store listing, and within the app itself.

Normal permissions cover areas where there are very few if any risks to the privacy of the user.

Dangerous or sensitive permissions cover the areas where the app requests data or access to resources that involve private user information, and could potentially affect the personal data stored on the user's device.

If your app requests permission to access any of the following "dangerous" or sensitive permission areas of a phone, you will need a Privacy Policy:

• Camera - If an app can access a camera, it may be able to turn on the camera and record video without a user's consent. This can obviously be a huge violation of the user's privacy.
• Microphone - Recording audio is a sensitive permission because it will require use of the device's microphone, which raises issues of user privacy.
• Contacts
• Calendar
• Location
• Sensors
• Storage
• Messaging
• Phone

If your app will be accessing multiple sensitive areas of a user's Android device, you'll need to request permission for each area.

Example from Facebook Android App

Facebook's Android app has a "Permissions" screen under the "Settings" section of the app. This screen summarizes and explains the list of permissions that Facebook requires, asks for and uses:

For example, when the Facebook's app needs to access the device's camera, it explains why it requires this permisson: so that the app can "access camera roll and enable other features."

Then, Android's default permissions default screen will appear. This screen asks for permission to be granted to take pictures and record videos:

It also requests permission to record audio:

Example from Firefox

The Firefox Browser for Android requests multiple permissions at once, but each has a separate spot on the list with a drop-down arrow where a user can find out more information about each sensitive area:

Here's how the Firefox Privacy Policy is linked to its listing in the Google Play Store as required by Google:

You can also include a link in your permissions request box where users can find out more information before deciding to allow or deny the request:

This "Find out more" link can link back to your Privacy Policy where users will be informed about your data collection and use practices.

Summary

The more permissions your app requests, the more likely it is that you'll be dealing with sensitive information and that your permissions will be deemed dangerous.

Include a Privacy Policy even if you do not collect personal data.

Even if your Android app doesn't request any dangerous permissions, remember that you'll still need a Privacy Policy in place if your app collects any personal information from users.

Even if you don't collect any personal information and aren't required to have a Privacy Policy, it can never hurt to include one anyway that lets users know that their data won't be touched.

Users appreciate the transparency and clarity, and it can help keep you compliant with privacy laws as they grow and change with the digital world.

To recap, your Android app will need a Privacy Policy in place if it:

• Collects any personal information from or about users via the app, or
• Requests permission to access sensitive areas of the mobile device

This Privacy Policy must be linked:

• To your app's listing page in the Google Play Store, and
• Within your app itself

These easy steps will keep you compliant with international laws, Google's policies, and Android's platform requirements. It will also give your app users the transparency they want when it comes to knowing how their personal information and personal mobile devices are used by you and your app.