It's highly likely that you will need to comply with privacy law if you develop or publish a mobile app.
United States (US): Most notably, laws such as the California Online Privacy Act (CalOPPA) and the California Consumer Privacy Act (CCPA)
Notice that Google's definition of personal and sensitive information is very broad. It includes "personally identifiable information," which is another way of saying "personal information."
Contacts, call or SMS information
Microphone or camera data
Device or app usage data
Releasing your app on both iOS and Android? Apple and Google have slightly different requirements, but you don't need two separate Privacy Policies.
Steps 1-4 from either the iOS or Android app guidance, and
We're going to break those requirements down into six steps:
1. Check Which Privacy Laws Apply to You
2. Identify What Data Your App Collects
This means listing all user data you collect via your app, whether you think it's "personal information" or not.
Here's a good example from journaling app Reflectly.
First Reflectly lists the personal information it collects:
Reflectly also lists some other sorts of data its app collects:
3. Explain How You Collect User Data
You must explain how your app collects user data.
There are two broad ways in which your app might collect user data:
Your users might provide their data voluntarily, for example by setting up an account or granting device permissions.
Your app might collect users' data automatically, for example by recording and sending you information about how they use the app.
Here's how DisplayIO explains these two methods of data collection to its users:
4. Explain How You Use User Data
You must explain exactly how you use the data your app collects.
Think very carefully about what you're doing with all the data your app collects. Be very clear about what you're doing with this information. And if you collect data that you don't need, stop collecting it.
5. Confirm Recipients of User Data are Compliant with Apple's Policies
You must provide certain information about any third parties with whom you share user data.
Let's remind ourselves of Apple's exact requirements:
That point we've highlighted above is effectively two rules in one.
You must ensure that any third parties with whom you share data comply with Apple's rules, and
This ties in with other agreements you have with Apple, such as the Developer Program License Agreement, which requires you to take responsibility for the actions of your business partners if you share data with them.
6. Explain Your Data Retention and Deletion Policies
Again, let's remind ourselves of Apple's exact requirements.
This is more complicated than it first appears. This requirement implies that you must:
Create policies that determine how long you store user data and under what circumstances you'll delete it
Provide a method for your users to revoke consent or request deletion of their data
Here's an example of a simple data retention policy clause from Pitchero:
Pitchero explains that it will retain its users' data for as long as they are active users, and it will delete user data after three years of inactivity. It also notes what the procedure is for non-registered users.
If you ask for your users' consent when you collect their data (Apple insists that you do request consent under most circumstances), you must allow them to revoke consent. You must also provide a way for them to revoke consent (change their minds).
Here's how Fitbit explains several ways in which its users can revoke consent via settings it provides in its mobile app:
At Step 1, select the Mobile app option and click "Next step":
Answer the questions about your mobile app and click "Next step" when finished:
Answer the questions about your business practices and click "Next step" when finished: