Last updated on 24 May 2022 by Robert Bateman (Privacy and Data Protection Research Writer at TermsFeed)
In this article, you'll learn:
It includes a clause about user data that states that developers must be transparent in their handling of user data by disclosing important details about the collection and use of the data:
And here's part of Google's Developer Distribution Agreement. You agree to these terms when you publish your app on the Google Play Store:
Here's how Google defines "personal and sensitive information" in its Developer Policy Center. If you collect personal and sensitive information, you need to comply with Google's transparency requirements.
The last point is important. "Personal information" is a very broad term. Privacy laws differ in how they define "personal information." Depending on where your users live, you'll have different standards to meet.
And while we're on the subject of privacy law, Google can impose some harsh penalties on those whose apps fail to comply with the law.
Here's a section of the Developer Distribution Agreement describing Google's "Legal Takedown" process:
If Google determines that your app has broken the law, or even if someone alleges it, Google can:
As well as complying with Google's terms, you must obey the law. Below, we're going to look at which privacy laws might apply to you.
If your app is accessible in the United States, you'll need to obey California's strict privacy laws. These privacy laws protect all California residents, so they apply to any app accessible in the US (unless you can find some way to block 40 million Californians).
The broadest Californian privacy law, which applies to all commercial app developers, is the California Online Privacy Protection Act (CalOPPA). Under CalOPPA, the following types of information are personal information:
Many larger businesses also have to comply with the California Consumer Privacy Act (CCPA). If you qualify as a business under the CCPA, you'll need to think much more broadly about whether your app collects personal information.
The CCPA defines personal information as:
"information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."
This includes all the types of information above, plus many more examples, including:
All sorts of apps use these types of data, including all apps that use personalized advertising.
If your app is accessible in the European Union (including the UK), you'll need to obey the EU General Data Protection Regulation (GDPR). The GDPR has a broad definition of personal information, just like the CCPA.
The GDPR applies to anyone offering goods or services in the EU or engaging in the "profiling" of people in the EU.
Profiling means building up a profile of a person's preferences or character by observing their behaviors and choices. If your app uses Google Ads, you're engaged in profiling.
Google offers developers a choice between two types of ads:
Most countries have a generally applicable privacy law, including:
A good starting point is to consider the following questions:
To put this in context, let's take a look at some examples of Privacy Policies from popular Android apps.
This gives a human touch to what can otherwise be a very dry legal document.
When you're disclosing what type of information your app collects, you should also explain why you collect it. Here's an example from Uber:
Uber says a lot in these two sentences. The Uber app collects device location data in order to:
And here's how delivery app Just Eat explains how it shares the information it collects:
Note that you don't necessarily need to provide the name of every company you share personal information with. You can just explain what types of companies you share personal information with.
Here are some examples of how popular apps make their Privacy Policies GDPR compliant.
Here's some of what Uber says about its lawful bases for processing personal information:
And here's how WhatsApp tells EU users how they can exercise their rights under the GDPR:
When an app requires access to a user's device storage or functions, this will usually result in the app collecting personal information from the device.
When your user signs into their account on a device, their personal information is transmitted from your servers to that device. This is why it's important to provide privacy information when a user signs into their account.
This means creating a pop-up message within your app to:
You must provide a prominent disclosure where:
Google provides some examples of how developers may violate the prominent disclosure requirement:
To put this in context, here's a hypothetical example:
A camera app is likely to require access to the user's camera, so you may not need a prominent disclosure for this.
The camera app might also allow users to share photos with their contacts. Users might not expect a camera app to access their contacts list. Therefore, a prominent disclosure might be required.
Google has two sets of rules about the prominent disclosure requirement:
The disclosure must provide the following information:
Here's an example from BBC iPlayer:
BBC iPlayer makes the disclosure in the correct way. The disclosure is:
The disclosure also provides the required information, i.e.:
Google requires that in-app disclosures include a request for consent that's presented in a clear, unambiguous way and that requires an affirmative user action in order to give consent.
An affirmative user action could include ticking a checkbox or tapping to accept. Navigating away from the disclosure is not considered consent.
Personal or sensitive data cannot be collected prior to consent being correctly obtained.
Here's an example from Malwarebytes:
This appears to comply with Google's rules around obtaining consent via a prominent disclosure:
Remember, there are additional requirements if: