Privacy Policy for Android Apps

If your Android app collects personal information (and it's highly likely that it does), you must create a legally compliant Privacy Policy.

Google regularly penalizes developers that fail to maintain a Privacy Policy. A high-profile incident occurred in 2017 when Google threatened to permanently remove non-compliant apps from the Play Store. A similar incident occurred in 2019.

In this article, you'll learn:

• Whether your Android app needs a Privacy Policy
• How privacy law applies to your Android app
• How to create an Android app that complies with Google's terms, and the law
• Where you need to display your Privacy Policy
• How to comply with Google's "prominent disclosure" requirements

We'll also show you how to create a legally-compliant Privacy Policy for your mobile app that you can use right away to satisfy global privacy laws and Google's requirements.

Does My Android App Need a Privacy Policy?

Yes, your Android app almost certainly needs a Privacy Policy. One major reason that you need a Privacy Policy for your Android app is that Google requires it. You also need a Privacy Policy by law.

Google's Transparency Requirements

Google is taking action to ensure that all Android developers are transparent and legally-compliant. Failing to maintain a valid Privacy Policy for your app could be a violation of Google's terms. Google makes this very clear in its Developer Policy Center on a page dedicated to "Privacy, Security and Deception."

It includes a clause about user data that states that developers must be transparent in their handling of user data by disclosing important details about the collection and use of the data:

Google doesn't explicitly say that every app requires a Privacy Policy. But most apps do. Take a look at this excerpt from the Android SDK Terms and Conditions:

And here's part of Google's Developer Distribution Agreement. You agree to these terms when you publish your app on the Google Play Store:

Personal and Sensitive Information

Here's how Google defines "personal and sensitive information" in its Developer Policy Center. If you collect personal and sensitive information, you need to comply with Google's transparency requirements.

These terms require you to have a Privacy Policy if you collect:

• Usernames
• Passwords
• Any other login information
• Financial and payment information
• Authentication information
• Phonebook, contacts, SMS, and call-related data
• Microphone and camera data
• Sensitive device or usage data
• Any personal information (or "personally identifiable information")

The last point is important. "Personal information" is a very broad term. Privacy laws differ in how they define "personal information." Depending on where your users live, you'll have different standards to meet.

And while we're on the subject of privacy law, Google can impose some harsh penalties on those whose apps fail to comply with the law.

Here's a section of the Developer Distribution Agreement describing Google's "Legal Takedown" process:

If Google determines that your app has broken the law, or even if someone alleges it, Google can:

• Remove your app from the Google Play Store
• Force you to refund any customer that purchased your app in the past year (or longer)

As well as complying with Google's terms, you must obey the law. Below, we're going to look at which privacy laws might apply to you.

We're going to focus on how these laws define personal information. This will help you understand whether your app collects personal information. If your app collects personal information, you need a Privacy Policy.

United States Privacy Law

If your app is accessible in the United States, you'll need to obey California's strict privacy laws. These privacy laws protect all California residents, so they apply to any app accessible in the US (unless you can find some way to block 40 million Californians).

The broadest Californian privacy law, which applies to all commercial app developers, is the California Online Privacy Protection Act (CalOPPA). Under CalOPPA, the following types of information are personal information:

• First and last name
• Address, including a street name and the name of a city or town
• Email address
• Phone number
• Social security number
• Other identifying contact details
• Cookies or any other user data an app collects (if you store it alongside one of the other types of information above)

CalOPPA requires that you maintain a Privacy Policy disclosing how you collect and use personal information. It applies to anyone operating a commercial website or app that's accessible in California.

Many larger businesses also have to comply with the California Consumer Privacy Act (CCPA). The CCPA was amended and expanded by the CPRA.

If you qualify as a business under the CCPA (CPRA), you'll need to think much more broadly about whether your app collects personal information.

The CCPA (CPRA) defines personal information as:

"information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."

This includes all the types of information above, plus many more examples, including:

• Cookies (regardless of whether you store them alongside people's names or contact details)
• ID numbers such as the Android ID
• IP address
• Phone number
• Location data
• Data about a person's sex, race, nationality, etc.

All sorts of apps use these types of data, including all apps that use personalized advertising.

The CCPA (CPRA) has much more extensive Privacy Policy requirements than CalOPPA. See our article on creating a CCPA (CPRA) Privacy Policy for more information and specific guidance.

European Union Privacy Law

If your app is accessible in the European Union (including the UK), you'll need to obey the EU General Data Protection Regulation (GDPR). The GDPR has a broad definition of personal information, just like the CCPA (CPRA).

The GDPR applies to anyone offering goods or services in the EU or engaging in the "profiling" of people in the EU.

Profiling means building up a profile of a person's preferences or character by observing their behaviors and choices. If your app uses Google Ads, you're engaged in profiling.

Google offers developers a choice between two types of ads:

• Personalized ads which track users' behavior and build up a profile of their preferences over time.
• Non-personalized ads which don't store any information about users' preferences but do measure engagement with ads.

Google states that even apps that use its non-personalized ads fall under the scope of EU privacy law so you'll need a Privacy Policy even if you choose to display non-personalized ads in the EU.

Other Privacy Laws

Most countries have a generally-applicable privacy law, including:

• Canada (Personal Information and Privacy of Electronic Documents Act)
• Australia (Privacy Act)
• South Africa (Processing of Personal Information Act)

If your Android app is available in any of these countries, and many more, you need a Privacy Policy under the law.

How to Add a Privacy Policy URL for Your Android App

You can download these instructions as PDF file.

1. Log in to your Google Play Console.

2. In the left menu, click on All apps and then choose the app you wish to work with:

   

3. Click on the app you wish to work with:

   

4. Click on the Start button under the Privacy Policy section:

   

5. On this page, you'll see the field for adding the Privacy Policy URL for your app:

   

   If you do not have a Privacy Policy, you can use our Privacy Policy Generator and create it within minutes. TermsFeed will host your Privacy Policy URLfor free.

   Once you have the Privacy Policy created by TermsFeed, click Copy from the Link to your Privacy Policy section to copy the URL:



6. Paste the Privacy Policy URL in the field box:

   

7. Click Save:

   

8. To see a summary and to manage your Privacy Policy, go back to the App content section in the left menu and scroll up to the Completed section:

   

9. You're done.

What Should I Include in My Android App Privacy Policy?

The contents of your Privacy Policy will depend on:

• What personal information your app collects
• How your app uses personal information
• Google's requirements
• Legal requirements

Google doesn't provide any specific requirements about what to include your Privacy Policy, just that it needs to be "legally adequate."

A good starting point is to consider the following questions:

• What personal information does your app collect? Consider all the types of "personal and sensitive information" we covered above
• Why do you need this personal information?
• How do you use this information?
• Who, if anyone, do you share the information with?

Answer these questions and you could have an acceptable Privacy Policy for a basic Android app.

To put this in context, let's take a look at some examples of some Privacy Policies from popular Android apps.

Many companies open their Privacy Policy with a brief statement about their commitment to keeping users' personal information safe. This isn't a requirement, but it's a good opportunity to ensure your app looks professional and transparent.

Here's how Tinder opens its Privacy Policy:

This gives a human touch to what can otherwise be a very dry legal document.

When you're disclosing what type of information your app collects, you should also explain why you collect it. Here's an example from Uber:

Uber says a lot in these two sentences. The Uber app collects device location data, in order to:

• Help drivers find Uber users
• Improve Uber's pickup, navigation, and customer support services

And here's how delivery app Just Eat explains how it shares the information it collects:

Note that you don't necessarily need to provide the name of every company you share personal information with. You can just explain what types of companies you share personal information with.

Android App Privacy Policy For EU Users

If your app is accessible in the EU, you'll also need to comply with the strict Privacy Policy requirements of the GDPR. This means you'll also have to disclose:

• Contact details for the app owner
• Your lawful bases for processing personal information
• Details of how you handle data transfers out of the EU (if applicable)
• How long you store personal information
• Information about your users' rights over their personal information, and how they can exercise those rights

Here are some examples of how popular apps make their Privacy Policies GDPR compliant.

Here's some of what Uber says about its lawful bases for processing personal information:

Here's part of Spotify's Privacy Policy, where it explains how long it stores personal information:

Note that Spotify doesn't specify how long it keeps personal information in terms of months or years. The Privacy Policy explains that Spotify deletes a users' personal information when they close their account, unless:

• There is an unresolved issue with the users' account
• There is a legal obligation to retain the information
• They need the information in connection with fraud prevention or security

And here's how WhatsApp tells EU users how they can exercise their rights under the GDPR:

If your app has EU users, it's a good idea to build controls into your app so they can access their data subject rights. WhatsApp lets users access and delete their personal information from within its app, and it uses its Privacy Policy to explain this in the context of GDPR rights.

For more information, see our article on creating a GDPR Privacy Policy.

Where Should I Display My Android App Privacy Policy?

You should host your Privacy Policy online, and provide links in the following places:

• In the Google Play Store with your app listing
• Within your app's menus
• During account setup and login screens
• When taking payments
• Whenever you collect personal information

Ensure you take every reasonable step to present your Privacy Policy to your users whenever it's relevant.

Let's look at some examples of how some popular Android apps make their Privacy Policy easily accessible to users.

Google Play Store

It's essential to provide a link to your Privacy Policy within your listing on the Google Play Store. You can do this via your Developer Console.

Here's some basic guidance from Google on how to link to your Privacy Policy on the Google Play Store:

For more information, see our article on How to Add a Privacy Policy URL to Google Play.

App Menus

Keep a link to your Privacy Policy prominently displayed in your app's menus so your users can access it whenever they want to read it.

Here's how Google Maps integrates its Privacy Policy into its side menu:

If you have a Legal, About, Settings or other type of menu where users will intuitively know to look for information like your Privacy Policy, add your policy there.

Device Access Request

When an app requires access to a user's device storage or functions, this will usually result in the app collecting personal information from the device.

Therefore, you should provide a link to your Privacy Policy before the user agrees to this. This way, the user can understand how you'll handle their personal information and make an informed choice.

Below you can see how Google Files presents its Privacy Policy when requesting access to personal information from the user's device:

Sign-In Screen

When your user signs into their account on a device, their personal information is transmitted from your servers to that device. This is why it's important to provide privacy information when a user signs into their account.

Here's how Microsoft displays a link to its Privacy Policy when inviting the user to sign in:

You should also link to your Privacy Policy if a user is already signed in and is invited to make significant changes to their account information.

This how The Guardian displays a link to its Privacy Policy in an account upgrade screen:

Point of Sale

If you sell products via your app, you probably use a third-party payment processor to do this. Even so, you should still provide a link to your Privacy Policy before your user completes a purchase.

Here's how Amazon links to its Privacy Policy at the point of sale:

It's better to over-link your Privacy Policy rather than not make it accessible enough. Make it always available in a menu, as well as at select points throughout your app when you do things like request access permission, collect personal information directly or allow transactions to be completed.

Do I Have to Comply With Google's Prominent Disclosure Rules?

As well as creating a Privacy Policy for your Android app, you may also need to make a "prominent disclosure," also known as an "in-app disclosure."

This means creating a pop-up message within your app to:

• Inform your users about the information you're collecting
• Ask for their consent to collect the information

You must provide a prominent disclosure where:

• You collect personal or sensitive information, and
• Your users might not expect you to collect this data

Google provides some examples of how developers may violate the prominent disclosure requirement:

To put this in context, here's a hypothetical example:

A camera app is likely to require access to the user's camera, so you may not need a prominent disclosure for this.

The camera app might also allow users to share photos with their contacts. Users might not expect a camera app to access their contacts list. Therefore, a prominent disclosure might be required.

Google has two sets of rules about the prominent disclosure requirement:

• Rules about how you provide information to your users
• Rules about how you ask for consent

Providing Information

Google requires that in-app disclosures be displayed in the normal usage of the app without requiring a user to navigate to a menu or settings section of the app. Placing it in a Privacy Policy, Terms and Conditions or other disclosures not related to the collection of personal or sensitive data is not adequate.

The disclosure must provide the following information:

• Description of the data collected
• Explanation of how the data will be used

Here's an example from BBC iPlayer:

BBC iPlayer makes the disclosure in the correct way. The disclosure is:

• Within the app itself
• Part of the normal usage of the app
• Not part of a Privacy Policy
• Not included with any other disclosures

The disclosure also provides the required information, i.e.:

• What information the app is collecting
• How BBC iPlayer will use the data

Earning Consent

Google requires that in-app disclosures include a request for consent that's presented in a clear, unambiguous way and requires the user to make an affirmative user action in order to give consent.

An affirmative user action could include ticking a checkbox or tapping to accept. Navigating away from the disclosure is not considered consent.

Personal or sensitive data cannot be collected prior to consent being correctly obtained.

Here's an example from Malwarebytes:

This appears to comply with Google's rules around earning consent via a prominent disclosure:

• It presents a clear and unambiguous request
• It requires affirmative action (tapping a button)
• It doesn't auto-expire
• The app does not begin collecting the information until the user has consented
• Navigating away from the disclosure doesn't result in consent

Summary of Your Privacy Policy for Android Apps

If your app collects personal information, it's crucial that you create a Privacy Policy.

Your Privacy Policy should explain, at a minimum:

• What personal information your app collects
• Why you need this personal information
• How you use this personal information
• Who, if anyone, you share the personal information with

Remember, there are additional requirements if:

• Your app has users in the EU
• Your app collects personal information in ways your users might not expect

Display your Privacy Policy whenever you wish to collect personal information from your users. Include it in your app store listing as well.