Android Permissions That Need a Privacy Policy

Android Permissions That Need a Privacy Policy

More likely than not, your Android app is required to have a Privacy Policy. There are three main reasons for this:

  1. Multiple international laws require a Privacy Policy if any user information is collected and used by an app,
  2. The Google Play Store Distribution Agreement requires all apps available through the store to have a Privacy Policy in place if the app collects personal data, and
  3. Some app permission requests automatically trigger the requirement of a Privacy Policy by Google Play Store

Requirement of a Privacy Policy for Android

Required by law

If your Android app collects any personal information from users - that is, information that could be used to identify an individual - you need a Privacy Policy. Some examples of personal information include:

  • First and last names,
  • Email addresses,
  • Financial information (bank account number, credit card number, etc.),
  • Shipping and billing addresses,
  • Birthdate,
  • Social security numbers

If your app collects this information, a number of laws and regulations that aim to protect consumers will apply to your app and require it to have a Privacy Policy.

United States

US Flag

In the US, the California Online Privacy Protection Act (CalOPPA) requires that any website or mobile app that collects personal information from users in the state of California must have a Privacy Policy in place that lets users know that their data is being collected, how it is being collected and used, and for what purposes.

The FTC on requirements of CalOPPA

Australia

Australia Flag

The Australian Privacy Act of 1988 lists 13 Privacy Principles that companies that collect personal information must adhere to.

The very first principle is that companies need to have an up-to-date Privacy Policy in place.

In the UK

Flag of UK (Great Britain)

The Data Protection Act of 1998 from the UK has 8 principles that call for fair and minimal collection and use of personal information.

Data should only be collected for legitimate business reasons, and should only be collected in non-intrusive ways.

Transparency on collection practices is called for, as well as giving users notice about your practices. This is accomplished by including a Privacy Policy.

In the EU

Flag of EU

The Data Protection Directive and ePrivacy Directive require that any app company that operates from the EU must have a Privacy Policy in place.

The new GDPR Directive may change some of these requirements as it comes into place.

Required by Google Play

The Google Play Developer Policy requires that all Android apps that collect and handle personal or sensitive user data have a Privacy Policy in place. The Privacy Policy must be posted in the Play Developer Console, as well as from within the app itself.

The content of the Privacy Policy must disclose "how your app collects, uses and shares user data, including the types of parties with whom it's shared."

Privacy Policy requirement by Google Play Store

How to add your Privacy Policy's URL to your Google Play Store app listing

Google makes it so easy to add your Privacy Policy URL to your Google Play Store listing. Follow these steps to stay compliant:

  1. Log into your Google Play Developer Console. Create one if you don't have one yet.
  2. Find and select All Applications.google-play-store-developer-console-all-applications-menu
  3. Select the application you need to add your Privacy Policy to.
  4. Click Store Listing to edit the listing for your app.Google Play Store Developer Console: Highlight Store Listing menu
  5. Find the field labeled Privacy Policy and enter the URL for where you host your policy. Note: Your policy must be hosted on your website.

    You can use our Privacy Policy Generator to create a Privacy Policy. TermsFeed will host the policy for free.

    Google Developer Console: Privacy Policy URL

  6. Click Save and your URL will now show up in the Google Play Store along with the rest of your app's information.

Here's how Pinterest's Privacy Policy URL is displayed on its listing in the Google Play Store:

Pinterest App Listing: Highlight Privacy Policy URL

The Privacy Policy is also a part of the regular app and can be accessed by users at any time from within the app.

Pinterest, Android: Highlight Terms and privacy menu item

Google takes their Privacy Policy requirement seriously enough that they sent out an email to owners of apps that were in violation of the requirement.

Any apps that requested dangerous permissions and didn't have an adequate Privacy Policy in place by March of 2017 were to be removed from the Google Play Store if action wasn't taken before that deadline.

Sensitive permissions that need a Privacy Policy

The Android platform requires that any apps that request user data or make sensitive permissions requests, such as a request by an app to access a user's "Camera" or "Microphone," will need a valid Privacy Policy both in the app store listing, and within the app itself.

Normal permissions cover areas where there are very few if any risks to the privacy of the user.

Dangerous or sensitive permissions cover the areas where the app requests data or access to resources that involve private user information, and could potentially affect the personal data stored on the user's device.

If your app requests permission to access any of the following "dangerous" or sensitive permission areas of a phone, you will need a Privacy Policy:

  • Camera - If an app can access a camera, it may be able to turn on the camera and record video without a user's consent. This can obviously be a huge violation of the user's privacy.
  • Microphone - Recording audio is a sensitive permission because it will require use of the device's microphone, which raises issues of user privacy. Here's how Google Hangouts requests permission for the Hangouts app to record audio.

    Dialog from Android: Permission to record audio

  • Contacts
  • Calendar
  • Location
  • Sensors
  • Storage
  • Messaging
  • Phone

If your app will be accessing multiple sensitive areas of a user's Android device, you'll need to request permission for each area.

For example, Hangouts app asks for permission to record audio, and then it must also request separate permission to send and view SMS messages.

Hangouts Android Permissions Dialog: Allow to send and view SMS messaging

The Facebook Android app presents users with a permissions screen that helps summarize and explain that the app wants to access the Camera so that pictures can be taken while inside the app.

The app also wants to access the device's "Storage" so that the app can "store and access information like photos on your phone and its SD card."

Facebook Android Permissions Dialog: Allow for Camera and Storage

After this main request screen, individual permissions to take pictures and record video are presented:

Facebook Android Permissions Dialog: Allow for Video

As well as access to photos, media and files on the device are asked by the app:

Facebook Android Permissions Dialog: Allow for Device Storage Access

The Firefox Browser for Android requests multiple permissions at once, but each has a separate spot on the list with a drop-down arrow where a user can find out more information about each sensitive area.

Firefox Android Permissions Dialog: Allow for Device Location, Camera, Microphone

Here's how the Firefox Privacy Policy is linked to its listing in the Google Play Store as required by Google:

Firefox Android app listing: Highlight the URL to Privacy Policy

You can also include a link in your permissions request box where users can find out more information before deciding to allow or deny the request.

Highlight the Find out more link on Android Permissions dialog

This "Find Out More" link can link back to your Privacy Policy where users will be informed about your data collection and use practices.

Requesting permission to access sensitive areas of a mobile device isn't only for Androids.

It's used across platforms to stay compliant with privacy laws. Here's how Path requests permission to access the contacts on a user's iOS device:

Path iOS Permissions Dialog: Allow for Contacts

The more permissions your app requests, the more likely it is that you'll be dealing with sensitive information and that your permissions will be deemed dangerous.

Include a Privacy Policy even if you do not collect personal data

Even if your Android app doesn't request any dangerous permissions, remember that you'll still need a Privacy Policy in place if your app collects any personal information from users.

Even if you don't collect any personal information and aren't required to have a Privacy Policy, it can never hurt to include one anyway that lets users know that their data won't be touched.

Users appreciate the transparency and clarity, and it can help keep you compliant with privacy laws as they grow and change with the digital world.

Here's how Ecquire does it:

Ecquire, The Worlds Greatest Privacy Policy

To recap, your Android app will need a Privacy Policy in place if it:

  • Collects any personal information from or about users via the app, or
  • Requests permission to access sensitive areas of the mobile device.

This Privacy Policy must be linked:

  • To your app's listing page in the Google Play Store, and
  • Within your app itself.

These easy steps will keep you compliant with international laws, Google's policies, and Android's platform requirements. It will also give your app users the transparency they want when it comes to knowing how their personal information and personal mobile devices are used by you and your app.

Other Categories:

Sara Pegarella

Law school graduate, B.A. in English/Writing. In-house writer.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.