19 February 2020
It's highly likely that you will need to comply with privacy law if you develop or publish a mobile app.
Depending on where your business is based, and where your users are based, you might need to comply with several of these laws, and perhaps many more.
These rules apply whether you have a business presence in these places or not.
Personal information can be a person's name or email address. It can be their username or device ID. Or it can even be data about how they use your app. For more information, see our article What Is Personal Information Under Privacy Laws?
Notice that Google's definition of personal and sensitive information is very broad. It includes "personally identifiable information," which is another way of saying "personal information."
Releasing your app on both iOS and Android? Apple and Google have slightly different requirements, but you don't need two separate Privacy Policies.
We're going to break those requirements down into six steps:
This means listing all user data you collect via your app, whether you think it's "personal information" or not.
Here's a good example from journaling app Reflectly.
First Reflectly lists the personal information it collects:
Reflectly also lists some other sorts of data its app collects:
You must explain how your app collects user data.
There are two broad ways in which your app might collect user data:
Here's how DisplayIO explains these two methods of data collection to its users:
You must explain exactly how you use the data your app collects.
Think very carefully about what you're doing with all the data your app collects. Be very clear about what you're doing with this information. And if you collect data that you don't need, stop collecting it.
You must provide certain information about any third parties with whom you share user data.
Let's remind ourselves of Apple's exact requirements:
That point we've highlighted above is effectively two rules in one.
This ties in with other agreements you have with Apple, such as the Developer Program License Agreement, which requires you to take responsibility for the actions of your business partners if you share data with them.
Here's an example from Crazy Labs:
Again, let's remind ourselves of Apple's exact requirements.
This is more complicated than it first appears. This requirement implies that you must:
Here's an example of a simple data retention policy clause from Pitchero:
Pitchero explains that it will retain its users' data for as long as they are active users, and it will delete user data after three years of inactivity. It also notes what the procedure is for non-registered users.
If you ask for your users' consent when you collect their data (Apple insists that you do request consent under most circumstances), you must allow them to revoke consent. You must also provide a way for them to revoke consent (change their minds).
Here's how Fitbit explains several ways in which its users can revoke consent via settings it provides in its mobile app:
It's good to provide a way for users to delete their data from within your app. Here's an example from the Intuit QuickBooks Self-Employed app:
We're going to break those requirements down into five steps:
You should identify what types of data your app collects.
The data you collect might include:
Here's how Overhaul explains what data it collects:
You must explain how your app collects data.
Your Android app probably collects user data in two main ways:
Here's how Fitlink explains what data it collects from its users directly:
Here's how Animoto explains what data its app collects automatically from its users:
Now you've told your users what data you collect and how you collect, you need to explain how you use their data.
Here's an example from SoundCloud:
This is just a small excerpt from the long list SoundCloud provides. Think carefully about how you use any information your app collects.
Google requires that you explain:
Here's how Manage does this:
Note how, after each bullet-point, Manage provides information about:
Enter your email address where you'd like your policy sent, select translation versions and click "Generate."
Here's an example from the BBC iPlayer app:
This link will then display in your App Store listing once your app is published.
Google explains how to do this on its "Upload an App" page.
This link will then display in your Google Play Store listing once your app is published.
|Mandatory for iOS apps||Mandatory for Android apps|
|Check which privacy laws apply to you||✔||✔|
|Identify what data your app collects||✔||✔|
|Explain how you collect user data||✔||✔|
|Explain how you use user data||✔||✔|
|Confirm recipients of user data are compliant with Apple's policies||✔||✗|
|Explain your data retention and deletion policies||✔||✗|
|Explain how you share user data||✗||✔|