24 December 2020
If you're developing an app that requests camera access, you're asking your users to place a lot of trust in you.
You also enter into some perilous territory regarding privacy law and your agreements with service providers that make your app function.
When requesting such sensitive access to a user's device, you must ensure you do everything right to respect their privacy and fulfill your legal obligations.
There are two main reasons for this: privacy law, and the terms of your mobile platform provider.
There are many other locations with similar privacy laws. For more information, see our article: Privacy Laws By Country.
This rule now forms part of Apple's App Store Review Guidelines:
Here's how Snap, maker of Snapchat, discloses its use of camera access, explains its purposes for requesting camera access, and what will happen if consent is withdrawn or refused:
These examples demonstrate how some Privacy Policies refer to camera access, but camera data is likely to appear in a list of many other types of data your app collects, as we'll see below.
You must meet these requirements in order to use these companies' APIs or have your app hosted on their distribution platforms (the Apple App Store and the Google Play Store).
Data from the user's camera is one of many types of user data your app probably collects.
Note, however, that you should only collect the user data you need for a specific purpose. Don't collect excessive or unnecessary data.
All of the above types of user data are considered "personal information" under many privacy laws, including the CCPA and the GDPR.
Here's how Life360 lists the types of user data its app collects, which includes the user's camera roll:
You must explain how your app collects data from the user's device.
Broadly speaking, there are two ways in which an app might collect data from the user:
Many Privacy Policies combine this section with the section above, explaining what types of user data the app collects, and how each type of data is collected.
Here's an example from Contently:
How you draft these clauses is up to you, so long as you include the relevant and required information.
Just as you have explained your purposes for accessing the user's camera, you must also explain how you use all the various types of user data you collect.
Here's how Flipboard does this:
Note that in addition to the broad categories of uses of information we've underlined in this excerpt, Flipboard also goes into detail about the implications for its users.
You probably share user data with third parties such as analytics and advertising providers, payment processors, and cloud storage companies.
Some service providers, including Apple and Google, require you to name their services specifically, and even to include certain information about how they will process the user data they receive.
For example, here's how ResApp Health explains it shares data with Google Analytics for Firebase:
If you're developing an iOS app, Apple has a somewhat complicated additional requirement here, detailed in its App Store Review Guidelines:
Above, Apple requires that you:
Here's how Crazy Labs does this:
Again, it's best to take a conservative approach in this area. If you can store user data on the user's device, do not transfer it to a third party unless it's necessary for a specific, legitimate purpose.
You should explain how long you will store user data.
You should only store user data for as long as you need it to fulfil a specific purpose. This might not be determined in months or years, but instead by reference to a given event (e.g. "we will erase your account data when you delete your account").
Here's how FaceApp explains its data retention period for camera data:
Note that in addition to stating the time period for which photo data will be retained, FaceApp also explains why it stores photo data for that period.
You should explain how users can access or delete the data you hold on them.
Many apps provide controls in the "Settings" menu, allowing users to access and erase their personal information, or withdraw consent for certain activities (such as marketing).
Here's how Spotify explains the various ways in which users can exercise control over their personal information:
Apple only requires you to explain how the user can access their data if you provide a means for them to do so.
However, in the spirit of transparency and good customer service, we'd advise you to comply with data access requests even if you don't "need" to.
We've covered the basic information required for iOS and Android apps under your agreements with Apple and/or Google.
Return to our earlier section on privacy law compliance to check which privacy laws apply to your app. We have guidance on creating Privacy Policies that comply with many major markets.
As noted above, access to a device's camera is, rightly, considered a sensitive permission by both Apple and Google. Therefore, you cannot access the device camera without requesting consent.
We're now going to briefly look at how to do this.
The following guidance from Apple confirms that explicit consent is required to access a device's camera and/or microphone:
Note that you will only need to request consent the first time your app accesses the camera.
The first step to integrate a consent mechanism into your iOS app is to include the NSCameraUsageDescription key in your Info.plist file:
Note that you must include a message explaining the purposes for which your app requires camera access. This is consistent with the GDPR's principle of transparency, and the CCPA's "notice at collection" requirement.
Your app must verify the user's authorization (consent) status before capturing images via the camera, using the AVCaptureDevice authorizationStatus(for:) method.
If the user invokes a function of your app that requires camera access, but they have not yet responded to this permission request, their status will be AVAuthorizationStatus.notDetermined. Use the requestAccess(for:completionHandler:) method to request consent again.
Note that saving media to the device requires a separate permission:
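A Swift implementation of the iOS flow described above, added here as an illustration rather than code from the article or from Apple; it assumes iOS 14 or later, and that the two usage-description keys it names are present in Info.plist:

```swift
import AVFoundation
import Photos
import UIKit
// Assumed Info.plist entries (the real Apple keys, not code from the article):
//   NSCameraUsageDescription          - purpose string shown in the camera prompt
//   NSPhotoLibraryAddUsageDescription - purpose string shown when saving to the library
enum CameraConsent {
    /// Checks the stored camera decision first and shows the system prompt only
    /// when the status is .notDetermined, so the user is asked exactly once.
    /// `completion` receives true only if access is currently granted.
    static func ensureCameraAccess(completion: @escaping (Bool) -> Void) {
        switch AVCaptureDevice.authorizationStatus(for: .video) {
        case .authorized:
            completion(true)                      // consent given on an earlier launch
        case .notDetermined:
            // First use: iOS displays NSCameraUsageDescription and asks the user.
            AVCaptureDevice.requestAccess(for: .video) { granted in
                DispatchQueue.main.async { completion(granted) }
            }
        case .denied, .restricted:
            // Refused by the user, or blocked by device policy (e.g. parental controls).
            // Do not prompt again; the rest of the app must keep working without the camera.
            completion(false)
        @unknown default:
            completion(false)
        }
    }

    /// Writing captured media to the photo library is a separate permission
    /// (add-only access is enough for saving, so no read access is requested).
    static func ensurePhotoLibraryAddAccess(completion: @escaping (Bool) -> Void) {
        switch PHPhotoLibrary.authorizationStatus(for: .addOnly) {
        case .authorized, .limited:
            completion(true)
        case .notDetermined:
            PHPhotoLibrary.requestAuthorization(for: .addOnly) { status in
                DispatchQueue.main.async { completion(status == .authorized || status == .limited) }
            }
        default:
            completion(false)
        }
    }

    /// For a denied status the only route back is Settings; offer it instead of re-prompting.
    static func openAppSettings() {
        guard let url = URL(string: UIApplication.openSettingsURLString) else { return }
        UIApplication.shared.open(url)
    }
}
```

Call `ensureCameraAccess` immediately before the feature that needs the camera, not at launch, so the purpose string is shown in context.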
Google provides some basic principles when requesting app permissions:
Note that principles two and three are closely linked to the GDPR's model of consent. Consent must be "freely given." Unnecessarily withdrawing all usage of your app if a user refuses consent would violate this principle.
Requesting camera permission on Android requires that you place a <uses-permission/> element in your app manifest. Camera access is a "dangerous permission" and thus you must obtain explicit consent before accessing it.
Because you only require consent the first time your app accesses the camera, your app must also check the permission status whenever it accesses the camera:
You must also implement an educational UI to explain why you require camera access:
Explaining why you need a permission makes it more likely that the user will consent, according to research from Carnegie Mellon University.
Explaining why you're collecting personal information is also a legal requirement under certain privacy laws, such as the GDPR and the CCPA.
And here's how the link appears in the Gumtree app: