Table of contents
Reading this article will provide you with comprehensive information, including:
- A review of worldwide privacy laws.
- App Store privacy requirements.
- Google Play privacy requirements.
- Third-party service providers requirements.
For instance, in 2019, the French supervisory authority fined Google LLC and Google France SARL for lack of transparency in the processing of personal data and failure to provide adequate information regarding such processing (the case was processed under the GDPR).
CNIL (Commission Nationale de l’Informatique et des Libertés) alleged that information regarding personal data processing provided by Google to its users was not sufficiently transparent, and thus could not be considered accessible and comprehensible.
In a nutshell, Google had not properly implemented rules arising from the GDPR. CNIL also pointed out that information was dispersed in many documents, for instance, to obtain full information about processing for the purposes of advertisement targeting, the user had to take five confusing steps, and for the purposes of geolocalization – even six.
A quick look at research
- 89% of users say that policies are too long;
- 41% of people are still unsure what the terms mean, despite being mentioned in 87% of policies.
And at the same time, 81% of Americans feel as if they have little control over data collected about them by companies and 59% of them have very little or no understanding of what companies do with the data collected.
Sources:
- A survey conducted by Addictivetips.com in 2020.
- A survey conducted by Pew Research Centre (“Americans and privacy”) in 2019.
Privacy Laws Around the World
Following the GDPR, many privacy regulations around the world have restricted the permitted use of collected users’ data. With GDPR being the first step in the unification of standards of processing of personal data, the next steps towards addressing privacy issues are the following data privacy laws. All of them impose several information obligations on businesses, the main difference being only in the scope of these obligations.
GDPR (Europe & possible extraterritorial applicability)
- Who collects the personal data (identity of the controller).
- The purposes and legal basis of processing of personal data.
- The source of the personal data.
- Information about the rights of users under GDPR.
- For how long the data will be stored.
- To whom the data is transferred, if applicable.
The Privacy Act of 1988 (Australia)
The Australian Privacy Act applies to the residents of Australia and regulates the way their personal information is handled. On the basis of this act, the users are allowed to:
- know why personal information is being collected;
- know how personal information will be used;
- know to whom personal information will be disclosed;
- make complaints and ask for access.
APPI (Japan & possible extraterritorial applicability)
Under the PIPEDA Fair Information Principle (“Openness”), businesses’ practices should be clear, easy to understand and readily available. In particular, users should be informed about:
- the identity of the entity accountable for privacy issues;
- contact information;
- how to gain access to their personal data;
- how to make a complaint about their personal data;
- any legal documents in your organization that may have an impact on their personal data;
- which personal data information is disclosed to third parties and why.
PDPA (India & possible extraterritorial applicability)
The Personal Data Protection Act is applicable to personal data processed in connection with any business pursued in India, even if your enterprise is not physically present in India. As strong inspirations from GDPR are visible in PDPA, the information obligations are similar, including:
- purposes of the processing of personal data;
- identity and contact details;
- legal basis of processing;
- source of the personal data;
App Store Requirements
- Clear information about how the app accesses users’ personal data, and how it collects, uses and discloses such data.
- The identity of the developer and contact details in case of privacy issues.
- Types of personal data collected.
- Types of entities to which the data is disclosed.
- Rules of storage and erasure of personal data.
Third-party service providers’ requirements
Third-party service providers may establish different requirements for privacy policies, depending on their purpose (for instance, analytics or marketing) and on their terms and conditions. Let’s see what it looks like in the case of Facebook Retargeting and Google Analytics.
- a clear explanation that Facebook may collect or receive information from your app;
- how users can opt-out of the collection and use of information for ad targeting;
- where a user can access the mechanism for exercising such a choice.
- identifiers for mobile devices;
- the use of Google Analytics and how it collects and processes data.
- you comply with legal obligations and you are not exposed to any financial penalties or legal repercussions;
- you follow an industry-specific good practice;
- you show your users that your business respects their privacy;
- you assure your users that their data is safely stored and processed;
- you have no non-compliance issues when publishing the app in app stores;
- it is a business opportunity to connect with users and ensure them that your business is transparent and can be trusted.
- is written in a user-friendly, plain way (avoid legal or technical jargon unless it is necessary);
- is divided into clear sections;
- contains only true and verified information.
A short introduction
A short introduction is a great way to present your business values concerning users’ privacy and the importance of safety of users’ personal data. Here, it is also a good place to indicate what privacy regulations you considered when creating the policy.
Identity of the app owner & contact details
If you own a limited company, indicate the full business details and the address of your enterprise. If you are a sole trader or an individual, state your full name. In both cases, include both a postal address and an e-mail address.
What data is collected (types of data) and why (purposes of processing)
In a clear and plain way, list all types of data that your app collects – consider not only obvious data, such as information used upon registration, but also data used for analytical or marketing purposes. Then, describe why you need this data and how your app is going to use it (for what purposes).
Legal basis of processing (required by GDPR, APPI and PDPA)
Legal bases of processing are different under different regulations, so, depending on which one applies to you, list all the legal bases of the processing of users’ personal data. For instance, under GDPR, these are the most used ones:
- Consent of the data subject (when a user consents to the processing of their personal data).
- Legitimate interest (when the entity processing personal data has a vital interest in processing it, but only if the data has been legally obtained).
- Contractual basis (when the data is necessary for the conclusion or performance of a contract).
Data retention and how to erase data
Make sure to inform your users about how long their data will be stored (and why; try to be specific about this period and its rationale), and what steps they need to take to erase their data. You can make a step-by-step guide, for instance, how to delete their account, and what will be the consequences of such erasure.
Information about the right to opt-out
The right to opt-out is a mechanism which allows users to decide whether they wish for their data to continue being processed for a certain purpose. Different privacy regulations approach it differently, for instance:
- under GDPR, users have the right to withdraw consent to the processing of their data at any time, and the right to object to any specific kind of processing of their data (e.g. for marketing purposes);
- under CCPA, users have the right to object to the selling of their personal data in certain situations.
Information about the disclosure of personal data (data recipients)
Inform the users of your mobile app about all the entities with which you share their data. If you can name them, it is good practice to make a list containing their business details, links to their privacy policies, etc. However, it is often not possible to trace all service providers; in that case, it is acceptable to mention only the categories of data recipients, such as legal advisors or IT service providers.
Transfer of personal data to other countries
Some regulations put emphasis on informing about the transfer of personal data outside the country it was collected in (under GDPR, outside the European Economic Area, etc.). It is a good practice to inform the users of your mobile app about the location in which their data is processed or stored, and why.
Information about profiling
If you use data of users for the purposes of profiling mechanisms, inform the users about it and make sure you have a legal basis for the profiling and that the users are informed about the opt-out right.
Users’ rights regarding their personal data
Make a list of all the rights the users are entitled to and inform the users on how they can exercise their rights (e.g. by contacting you at your e-mail address).
Information about third-party service providers
- at the bottom of the app;
- near the “Terms & Conditions” or in the legal section;
We hope that this article has helped you find useful answers. If you have any questions, you can contact the author at [email protected].
Disclaimer: Please consider that all above-mentioned information shall in no way be considered legal advice.
- is individually drafted;
- is adjusted to the privacy laws of different countries;
- addresses the complexity of your services and your app;
- is ready to be published upon the release of your app.