Privacy Policy for Apps With Camera Access

If you're developing an app that requests camera access, you're asking your users to place a lot of trust in you.

You also enter into some perilous territory regarding privacy law and your agreements with service providers that make your app function.

When requesting such sensitive access to a user's device, you must ensure you do everything right to respect their privacy and fulfill your legal obligations.


My App Has Camera Access: Do I Need a Privacy Policy?

Yes, you must create a Privacy Policy if your app has access to a user's device camera. In fact, you need a Privacy Policy for practically any mobile app.

There are two main reasons for this: privacy law, and the terms of your mobile platform provider.

The Law Requires You to Create a Privacy Policy

If your app requires camera access, it can collect personal information from your users. This puts you within the scope of many privacy laws that require you to create a Privacy Policy.

  • United States: Laws such as the California Online Privacy Protection Act (CalOPPA) require developers to create a Privacy Policy.
  • European Union (EU): The General Data Protection Regulation (GDPR) requires app developers to create a Privacy Policy, and the ePrivacy Directive regulates how you access device information.
  • United Kingdom (UK): Despite Brexit, the GDPR still applies in the UK, along with the Privacy in Electronic Communications Regulations (PECRs) (which regulate device access) and the Data Protection Act 2018.
  • Canada: The Personal Information and Privacy of Electronic Documents Act (PIPEDA) requires all private sector organizations to create a Privacy Policy.

If you are based in or have users in any of the above jurisdictions, you must create a Privacy Policy by law if your mobile app requests camera access.

There are many other locations with similar privacy laws. For more information, see our article: Privacy Laws By Country.

Apple and Google Require Developers to Create a Privacy Policy

Whether you're creating an app for iOS, Android, or both, you need a Privacy Policy under the terms of your agreements with Apple and/or Google.

Apple has required a Privacy Policy for all apps submitted to its App Store since October 2018.

This rule now forms part of Apple's App Store Review Guidelines:

Apple App Store Review Guidelines: Data Collection and Storage clause - Privacy Policy general requirement

As part of its User Data Policy, Google requires all developers whose apps collect "personal and sensitive information" (which includes camera data) to create a Privacy Policy:

Google Play Console Help: User Data - Personal and Sensitive Information section

If you distribute your app via any other third party platforms, always check the terms of your agreement with them to see if a Privacy Policy is required. It likely will be.

Apps With Camera Access: Step-By-Step Privacy Policy Guide

Here's how we're approaching this guide to creating a Privacy Policy for apps with camera access:

  • First, we'll explain how you should disclose to users how and why your app uses camera access
  • Second, we'll explain the other information you need to include under your agreements with Apple and/or Google

This might not be all you need to include in your Privacy Policy, so we'll be reminding you at the end of this section that you may need to include additional information based on which privacy laws you need to comply with.

Disclosing Your Use of Camera Access

Your Privacy Policy must explain that your app accesses the user's camera. This disclosure, in itself, is likely to form a relatively small part of your Privacy Policy.

When explaining how you access the user's camera, your Privacy Policy should include the following information:

  • A disclosure of the fact that your app requests camera access
  • An explanation of your purposes for requesting camera access
  • An explanation that you request consent for camera access
  • Information about revoking consent, and what might happen if consent is withdrawn
  • If you have users in the EU, European Economic Area, or the UK: Your "lawful basis" for requesting camera access (which must be "consent," under Apple and Google's terms)

Here's how Snap, maker of Snapchat, discloses its use of camera access, explains its purposes for requesting camera access, and what will happen if consent is withdrawn or refused:

Snap Privacy Policy: Information we collect - Camera and photos - use and access explained

Here's how eBay covers its app's camera/photos access, within a short-form Privacy Policy accessible from the app:

eBay Mobile Privacy and Legal Notice: Collection of photos - Does the app request this - sections highlighted

These examples demonstrate how some Privacy Policies refer to camera access, but camera data is likely to appear in a list of many other types of data your app collects, as we'll see below.

Additional Information Required By Apple and Google

As mentioned, Apple and Google have some specific Privacy Policy requirements.

You must meet these requirements in order to use these companies' APIs or have your app hosted on their distribution platforms (the Apple App Store and the Google Play Store).

Types of User Data You Collect

Data from the user's camera is one of many types of user data your app probably collects.

Note, however, that you should only collect the user data you need for a specific purpose. Don't collect excessive or unnecessary data.

Your Privacy Policy should make reference to any and all types of user data collected by your mobile app, which may include:

  • IP address
  • Operating system
  • Device ID
  • Location
  • Any information volunteered by the user, including name, alias, email address, login details, payment info

All of the above types of user data are considered "personal information" under many privacy laws, including the CCPA and the GDPR.

However, even if you're not covered by either of these laws, you must still make reference to this data in your Privacy Policy.

Here's how Life360 lists the types of user data its app collects, which includes the user's camera roll:

Life360 Privacy Policy: Information we collect automatically through the use of technology clause - Photo and camera roll section highlighted

How You Collect User Data

You must explain how your app collects data from the user's device.

Broadly speaking, there are two ways in which an app might collect data from the user:

  • Automatically (e.g. by using cookies and other technologies)
  • Voluntarily (e.g. when the user creates an account)

Many Privacy Policies combine this section with the section above, explaining what types of user data the app collects, and how each type of data is collected.

Here's an example from Contently:

Contently Privacy Policy: Information we collect directly from you clause excerpt

How you draft these clauses is up to you, so long as you include the relevant and required information.

How You Use the User Data You Collect

Just as you have explained your purposes for accessing the user's camera, you must also explain how you use all the various types of user data you collect.

Here's how Flipboard does this:

Flipboard Privacy Policy: How We Use Your Information clause excerpt

Note that in addition to the broad categories of uses of information we've underlined in this excerpt, Flipboard also goes into detail about the implications for its users.

How You Share User Data

You probably share user data with third parties such as analytics and advertising providers, payment processors, and cloud storage companies.

In your Privacy Policy, you need to be fully transparent about your data-sharing practices. Explain what types of data you share with what types of companies, and why.

Some service providers, including Apple and Google, require you to name their services specifically, and even to include certain information about how they will process the user data they receive.

For example, here's how ResApp Health explains it shares data with Google Analytics for Firebase:

ResApp Health Privacy Policy: Type of Information we Collect clause - Mobile app use of Google Analytics and cookies section

This disclaimer contains some mandatory information that Google's terms require developers to include when using Analytics for Firebase. For more information, see our article Privacy Policy for Firebase.

If you're developing an iOS app, Apple has a somewhat complicated additional requirement here, detailed in its App Store Review Guidelines:

Apple App Store Review Guidelines: Privacy Policy and third party protection requirement

Above, Apple requires that you:

  • Adhere to Apple's requirements when collecting, using, and storing user data
  • Require all third-party recipients of user data to offer equally good protection to any user data you share with them
  • Confirm this in your Privacy Policy

Here's how Crazy Labs does this:

Crazy Labs Apps Privacy Policy: Third Party Providers clause

Again, it's best to take a conservative approach in this area. If you can store user data on the user's device, do not transfer it to a third party unless it's necessary for a specific, legitimate purpose.

How Long You Retain User Data

You should explain how long you will store user data.

You should only store user data for as long as you need it to fulfil a specific purpose. This might not be determined in months or years, but instead by reference to a given event (e.g. "we will erase your account data when you delete your account").

Here's how FaceApp explains its data retention period for camera data:

FaceApp Privacy Policy: Retention clause

Note that in addition to stating the time period for which photo data will be retained, FaceApp also explains why it stores photo data for that period.

How Users Can Access or Delete Their Data

You should explain how users can access or delete the data you hold on them.

Many apps provide controls in the "Settings" menu, allowing users to access and erase their personal information, or withdraw consent for certain activities (such as marketing).

Here's how Spotify explains the various ways in which users can exercise control over their personal information:

Spotify Privacy Policy: Your rights and preferences: Giving you choice and control clause excerpt - Resources section

Providing access to personal information is a key requirement of many privacy laws, such as the GDPR in the EU, the CCPA in the US, and PIPEDA in Canada.

Apple only requires you to explain how the user can access their data if you provide a means for them to do so.

We've included this as a "core" section of your Privacy Policy, but there may be businesses that technically do not need to cover this.

However, in the spirit of transparency and good customer service, we'd advise you to comply with data access requests even if you don't "need" to.

Additional Information Required By Privacy Law

We've covered the basic information required for iOS and Android apps under your agreements with Apple and/or Google.

But your Privacy Policy obligations may not end there. Different privacy laws have different rules regarding what you must include in your Privacy Policy. In many cases, these legal obligations go beyond what Apple and Google require.

Return to our earlier section on privacy law compliance to check which privacy laws apply to your app. We have guidance on creating Privacy Policies that comply with many major markets.

Getting Consent for Camera Access

As noted above, access to a device's camera is, rightly, considered a sensitive permission by both Apple and Google. Therefore, you cannot access the device camera without requesting consent.

We're now going to briefly look at how to do this.

The following guidance from Apple confirms that explicit consent is required to access a device's camera and/or microphone:

Apple Developer Documentation: Requesting Authorization for Media Capture - Explicit user permission section

Note that you will only need to request consent the first time your app accesses the camera.

The first step to integrate a consent mechanism into your iOS app is to include the NSCameraUsageDescription key in your Info.plist file:

Apple Developer Documentation: Requesting Authorization for Media Capture - Configure App Info plist File section

Note that you must include a message explaining the purposes for which your app requires camera access. This is consistent with the GDPR's principle of transparency, and the CCPA's "notice at collection" requirement.

Your app must verify the user's authorization (consent) status before capturing images via the camera, using the AVCaptureDevice authorizationStatus(for:) method.

If the user invokes a function of your app that requires camera access, but they have not authorized this permission request, their status will be AVAuthorizationStatus.notDetermined. Use the requestAccess(for:completionHandler:) method to request consent again.

Note that saving media to the device requires a separate permission:

Apple Developer Documentation: Requesting Authorization for Media Capture - Request Authorization Before Saving Captured Media section
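
The iOS steps above can be combined into a single consent check, shown here as an added example that is not taken from this article's sources or from Apple's documentation. The `CameraConsent` type and `checkCameraConsent` function are hypothetical names; the sketch assumes `NSCameraUsageDescription` is already present in Info.plist.

```swift
import AVFoundation

/// Outcome of the consent check, so callers can adapt the UI.
enum CameraConsent {
    case granted
    case refused      // user declined; only the Settings app can change this
    case restricted   // blocked by device policy (e.g. parental controls)
}

/// Hypothetical helper: verifies authorization before any capture is attempted.
/// Info.plist must contain NSCameraUsageDescription, otherwise the system
/// terminates the app when it first requests camera access.
func checkCameraConsent(completion: @escaping (CameraConsent) -> Void) {
    switch AVCaptureDevice.authorizationStatus(for: .video) {
    case .authorized:
        completion(.granted)
    case .notDetermined:
        // Shows the system prompt, which displays the NSCameraUsageDescription text.
        AVCaptureDevice.requestAccess(for: .video) { granted in
            // The handler runs on an arbitrary queue; hop to main before touching UI.
            DispatchQueue.main.async {
                completion(granted ? .granted : .refused)
            }
        }
    case .denied:
        completion(.refused)
    case .restricted:
        completion(.restricted)
    @unknown default:
        // Treat any future status as "no consent" rather than assuming access.
        completion(.refused)
    }
}

// Usage: keep the rest of the app usable when consent is refused.
checkCameraConsent { consent in
    switch consent {
    case .granted:
        print("Start capture session")
    case .refused, .restricted:
        print("Hide camera features; other features stay available")
    }
}
```

The system prompt appears only while the status is `.notDetermined`; once the user has refused, the app can only point them to the Settings app, which is why the explanation in your usage description and Privacy Policy needs to be clear the first time.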

Google provides some basic principles when requesting app permissions:

Android Developers Guides: Request App Permissions - Basic principles list

Note that principles two and three are closely linked to the GDPR's model of consent. Consent must be "freely given." Unnecessarily withdrawing all usage of your app if a user refuses consent would violate this principle.

Requesting camera permission on Android requires that you place a <uses-permission/> element in your app manifest. Camera access is a "dangerous permission" and thus you must obtain explicit consent before accessing it.

Because you only require consent the first time your app accesses the camera, your app must also check the permission status whenever it accesses the camera:

Android Developers Guides: Request App Permissions - Determine whether your app was already granted permission section

You must also implement an educational UI to explain why you require camera access:

Android Developers Guides: Request App Permissions - Explain why your app needs permission section

Explaining why you need a permission makes it more likely that the user will consent, according to research from Carnegie Mellon University.

Explaining why you're collecting personal information is also a legal requirement under certain privacy laws, such as the GDPR and the CCPA.

Where to Place Your Privacy Policy in Your App

Once you've created your Privacy Policy, you must make it easily accessible from within the app itself.

Most developers place a link to the latest version of their Privacy Policy hosted on their website. This link is available via the "Settings" or "About" menu within the app.

Here's how the Privacy Policy link appears in the "About" menu of the Microsoft Teams app:

Microsoft Teams app About menu with Privacy and Cookies link highlighted

And here's how the link appears in the Gumtree app:

Gumtree app About menu with Privacy Policy and Terms of Use link highlighted

Summary

Here are the core steps you must take when creating a Privacy Policy for your app with camera access:

  • Describe the types of data your app collects, including that it requests camera permission
  • Explain how your app collects user data, including via the camera
  • Explain how you use the data your app collects
  • Explain how you share the data your app collects
  • Disclose how long you retain the data your app collects
  • Explain how users can access and/or delete the data your app collects
  • Check which privacy laws you must comply with, and include any additional information required

Make sure you get consent before accessing the user's camera, and place an easily accessible link to your Privacy Policy within your app.

Robert B.

Legal writer.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.