How to Write a Mobile App Privacy Policy

How to Write a Mobile App Privacy Policy

As frequent users of internet-related media, especially mobile or web apps, we are all familiar with pop-up windows with privacy information; however, even though we are bombarded with privacy notices on a daily basis, there is still a lack of clarity on what exactly this privacy information is and what it should contain to comply with all applicable provisions of law and to avoid discouraging users at the same time. You will find this article essential if you are looking for tips on how to write a mobile app privacy policy for your product.

• Reading this article will provide you with comprehensive information, including:
• What a privacy policy is.
• Whether you need a privacy policy in your mobile app.
• A review of worldwide privacy laws.
• App Store privacy requirements.
• Google Play privacy requirements.
• Third-party service providers requirements.
• Why it is so important to have a decent privacy policy.
• How to write a mobile app privacy policy.
• What to include in a mobile app privacy policy.
• Where to place your mobile app privacy policy.

What is a privacy policy?

Privacy policy is a document containing information on how your mobile app handles the personal information of its users. Privacy policy may be a document of legal importance if it is required to be drafted by certain laws. This does not necessarily mean that it should be written fully in legal language. On the contrary, privacy policy is a document intended primarily for users of your app, which means it should be easy to understand, written in plain language, user-oriented and user-friendly. Can this be made consistent with legal requirements? Without a hitch: some of the applicable privacy laws require all information intended for users to be very clear and even not too long.

For instance, in 2019, the French supervisory authority fined Google LLC and Google France SARL for lack of transparency in the processing of personal data and failure to provide adequate information regarding such processing (the case was processed under the GDPR).

CNIL (Commission Nationale de l’Informatique et des Libertés) alleged that information regarding personal data processing provided by Google to its users was not sufficiently transparent, and thus could not be considered accessible and comprehensible.

In a nutshell, Google had not properly implemented rules arising from the GDPR. CNIL also pointed out that information was dispersed in many documents, for instance, to obtain full information about processing for the purposes of advertisement targeting, the user had to take five confusing steps, and for the purposes of geolocalization – even six.

Go to the section “How to write a mobile app privacy policy?” to see our advice on avoiding mistakes made by Google.

A quick look at research
If you are interested in not only the legal but also the scientific basis of a mobile app privacy policy, here is some data:

• 89% of users say that policies are too long;
• 41% of people are still unsure what the terms mean, despite being mentioned in 87% of policies.

And at the same time, 81% of Americans feel as if they have little control over data collected about them by companies and 59% of them have very little or no understanding of what companies do with the data collected.

Considering the level of users’ awareness of mobile products’ privacy issues and the significance of protection of their personal data, an adequate and reliable privacy policy for your mobile app is a perfect tool to make sure your users are well informed about why the data is collected, making them feel that their personal data is well secured and their rights respected.

1. A survey conducted by Addictivetips.com in 2020.
2. A survey conducted by Pew Research Centre (“Americans and privacy”) in 2019.

Do I need a privacy policy?

If you are looking for a short answer to this question, then yes. A privacy policy is needed regardless of the place where you run your business or the type of app you are planning to build.

Besides the fact that a well written privacy policy is a great tool to reach out to your users and address their privacy concerns, as mentioned above, a privacy policy is often a legal requirement which can arise from applicable privacy laws, app stores’ requirements or third-party service providers’ requirements.

Privacy Laws Around the World

Following the GDPR, many privacy regulations around the world have restricted the permitted use of collected users’ data. With GDPR being the first step in the unification of standards of processing of personal data, the next steps towards addressing privacy issues are the following data privacy laws. All of them impose several information obligations on businesses, the main difference being only in the scope of these obligations.

GDPR (Europe & possible extraterritorial applicability)

The General Data Protection Regulation is considered to be the most complex piece of regulation with many obligations imposed on entities collecting or indirectly using users’ personal data. We mentioned some of them in our article on 5 Key Legal Issues to Consider in your Mobile App Development in 2021. GDPR does not state a clear obligation to provide users with a privacy policy, but rather imposes many information obligations which should be delivered to users. The most popular way and, at the same time, the most convenient for users, is to pack it in one document, namely a privacy policy. Please remember that GDPR applies if you address your services to users which may be residents of the EU, regardless of the location of your seat.

In terms of a privacy policy, GDPR requires to include in it information about, among others:

Who collects the personal data (identity of the controller).

• The purposes and legal basis of processing of personal data.
• The source of the personal data.
• Information about the rights of users under GDPR.
• For how long the data will be stored.
• To whom the data is transferred, if applicable.

The Privacy Act of 1988 (Australia)

The Australian Privacy Act applies to the residents of Australia and regulates the way their personal information is handled. On the basis of this act, the users are allowed to:

• know why personal information is being collected,
• know how personal information will be used;
• know to whom personal information will be disclosed;
• make complaints and ask for access.

APPI (Japan & possible extraterritorial applicability)

The Act on Protection of Personal Information, following the example of GDPR, is applicable when your app may be used by Japanese residents, regardless of the location of your seat. An obligation to publish a privacy policy is directly indicated in APPI.

PIPEDA (Canada)

Under the PIPEDA Fair Information Principle (“Openness”), businesses’ practices should be clear, easy to understand and readily available. In particular, users should be informed about:

• the identity of the entity accountable for privacy issues;
• contact information;
• how to gain access to their personal data;
• how to make a complaint about their personal data;
• any legal documents in your organization that may have an impact on their personal data;
• which personal data information is disclosed to third parties and why.

PDPA (India & possible extraterritorial applicability)

The Personal Data Protection Act is applicable to personal data processed in connection with any business pursued in India, even if your enterprise is not physically present in India. As strong inspirations from GDPR are visible in PDPA, the information obligations are similar, including:

• purposes of the processing of personal data;
• identity and contact details;
• legal basis of processing;
• source of the personal data;

App Stores Requirements

App Store (Privacy policy for iOS Apps)

App Store requirements regarding privacy can be found in “App Store Review Guidelines” available here and in “Apple Developer Program License Agreement” which can be found here; however, the most useful to app owners and developers are these recently published official Apple’s guidelines on privacy policies of mobile apps, which can be found here. Let’s sum up the requirements in terms of privacy policy for mobile apps and its contents:

• All apps must include a link to their privacy policy (necessary, whether you collect personal data or not).
• The privacy policy must include, among others, the type of data collected, how the data is collected, how it is used, for how long will the data be stored, information about tracking, and a confirmation that any third-party service providers (such as analytical or marketing tools) will provide accurate protection of users’ data.

If you want to find out about the technical details of how to add a privacy policy to your mobile app, check out our article “How to Submit App to the App Store – Guide for App Owners”.

Google Play (Privacy policy for Android Apps)

Google Play requirements regarding privacy policy are available in “The Google Play Developer Distribution Agreement,” which can be found here and in Google’s developer Policy Center.

To sum up, Google requires you as an app owner to include privacy policy in your app and in Google Play Console. This is a necessary step even if your data does not access any users’ data. This privacy policy must include:

• A clear information about how the app accesses personal data of users, how it collects, uses and disclose such data.
• The identity of the developer and contact details in case of privacy issues.
• Types of personal data collected.
• Types of entities to which the data is disclosed.
• Rules of storage and erasure of personal data.

If you want to find out about the technical details of how to add a privacy policy when publishing your Android apps, check out our article “How to Publish an App on Google Play | Guide & Checklist for App Owners”.

Third-party service providers’ requirements

Third-party service providers may establish different requirements for privacy policies, depending on its purpose, such as analytical or marketing purposes, and terms and conditions. Let’s see what it looks like when it comes to Facebook Retargeting and Google Analytics.

Facebook Retargeting

In their Terms, Facebook requires to share with the users of your app all the accurate and relevant information about collecting data by Facebook’s business tools, by at least providing a link accessible inside your app settings or any privacy policy that links to:

• a clear explanation that Facebook may collect or receive information from your app;
• how users can opt-out of the collection and use of information for ad targeting;
• where a user can access the mechanism for exercising such a choice.

Google Analytics

Google Analytics’ Terms of Service requires you as an app owner to specifically post a privacy policy which notifies users about:

• the use of cookies;
• identifiers for mobile devices;
• the use of Google Analytics and how it collects and processes data.

Summary – why is it so important to include a privacy policy in your mobile app?

As you can see, a well written, comprehensive, and clear privacy policy is not only a nice addition, but a must-have when you are planning to publish your own app on the App Store or Google Play. Let’s sum up the advantages of a good privacy policy:

• you comply with legal obligations and you are not exposed to any financial penalties or legal repercussions;
• you follow an industry-specific good practice;
• you show your users that your business respects their privacy;
• you ensure your users that their data is safely stored and processed;
• you have no non-compliance issues when publishing the app in app stores;
• it is a business opportunity to connect with users and ensure them that your business is transparent and can be trusted.

What should a Privacy Policy look like?

Given our professional experience with mobile app users, we advise that your privacy policy:

• is written in a user-friendly, plain way (if it is not necessary, avoid using any legal or technical jargon);
• is divided into clear sections;
• includes a cookie policy and third-party service providers’ information;
• contains only true and verified information.

How to write your mobile app privacy policy – what to include? We suggest the following sections and information to include in them:

A short introduction

A short introduction is a great way to present your business values concerning users’ privacy and the importance of safety of users’ personal data. Here, it is also a good place to indicate what privacy regulations you considered when creating the policy.

Identity of the app owner & contact details

If you own a limited company business, indicate full business details and the address of your enterprise. If you are a sole trader or an individual, state your full name. In both cases, include the mail and e-mail address.

What data is collected (types of data) and why (purposes of processing)

In a clear and plain way, list all types of data that your app collects – consider not only obvious data, such as information used upon registration, but also data used for analytical or marketing purposes. Then, describe why you need this data and how your app is going to use it (for what purposes).

Legal basis of processing (required by GDPR, APPI and PDPA)

Legal bases of processing are different under different regulations, so, depending on which one applies to you, list all the legal bases of the processing of users’ personal data. For instance, under GDPR, these are the most used ones:

• Consent of the data subject (when a user consents to the processing of their personal data).
• Legitimate interest (when the entity processing personal data has a vital interest in processing it, but only if the data has been legally obtained).
• Contractual basis (when the data is necessary for the conclusion or performance of a contract).

Data retention and how to erase data

Make sure to inform your users about how long their data will be stored (and why; try to be specific about this period and its rationale), and what steps they need to take to erase their data. You can make a step-by-step guide, for instance, how to delete their account, and what will be the consequences of such erasure.

Information about the right to opt-out

The right to opt-out is a mechanism which allows users to decide whether they wish for their data to continue being processed for a certain purpose. Different privacy regulations approach it differently, for instance:

• under GDPR, the users have a right to withdraw consent to their processing, at any time, and a right to object to any specific kind processing of their data (e.g. for marketing purposes);under CCPA, users have a right to object to selling their personal data in certain situations.

Information about the disclosure of personal data (data recipients)

Inform the users of your mobile app about all the entities with which you share their data. If you can name them, it is a good practice to make a list containing business details, links to their privacy policies, etc.; however, it is often not possible to trace all service providers, then, it is OK to just mention the categories of data recipients, such as legal advisors or IT services providers.

Transfer of personal data to other countries

Some regulations put emphasis on informing about the transfer of personal data outside the country it was collected in (under GDPR, outside the European Economic Area, etc.). It is a good practice to inform the users of your mobile app about the location in which their data is processed or stored, and why.

Information about profiling

If you use data of users for the purposes of profiling mechanisms, inform the users about it and make sure you have a legal basis for the profiling and that the users are informed about the opt-out right.

Users’ rights regarding their personal data

Make a list of all the rights the users are entitled to and inform the users on how they can exercise their rights (e.g. by contacting you at your e-mail address).

Cookie policy

When it comes to the cookie policy, include information about what cookies are, why you use them and what types of cookies your app uses. Also, make sure to describe to the users in a plain way how they can change their cookie preferences.

Information about third-party service providers

If you use any third-party services, such as Google Analytics or Facebook Retargeting, make sure to check the terms and conditions of such service providers. They may require you to include specific information in your privacy policy. It is a good practice to include a link to their privacy policies in a document intended for the users of your app.

Where to place your mobile app privacy policy?

Now that your privacy policy is ready, where should you place it in your mobile app? Obviously, as we mentioned before, in the data uploaded to app stores. Apart from that, the privacy policy should be easily accessible in your app. For instance, European authorities put emphasis on where the policy is placed, especially whether the user needs to take multiple steps to find it and whether these steps are intuitive. A common yet effective way is to place it:

• on the bottom of the app;
• near the “Terms & Conditions” or in the legal section;
• in the settings. In addition, a link to the privacy policy should be always visible on screens on which the app collects consent from the users and on registration or login screens.

Remember to review your privacy policy at least once a year to make sure it is up-to-date and compliant with the latest regulatory changes.

Conclusion

Drafting a privacy policy may be a challenging task, considering that the building of a mobile app may involve many more aspects that need to be taken care of.
We hope that this article has helped you find useful answers. If you have any questions, you can contact the author at [email protected].
Disclaimer: Please consider that all above-mentioned information shall in no way be considered legal advice.

If you need a privacy policy, we will be happy to help you. We can provide you with a privacy policy which:

• is individually drafted;
• is adjusted to the privacy laws of different countries;
• addresses the complexity of your services and your app;
• is ready to be published upon the release of your app.
• Please contact us here

Related posts