
When you develop and distribute an Android app, you'll need to get user permissions for some actions and to access data. Some of these permissions involve handling personal information. Often this will mean you must publish a Privacy Policy, either to meet the rules of the Google Play Store or to comply with a privacy law. You can also highlight your Privacy Policy in the app itself when you request the permission, whether or not you are distributing it in the Play Store.
Here's what you need to know about Android permissions and legal requirements.
What are Android Permissions?
Permissions are the way the Android system controls an app's access to a user's device and data. They are grouped into broad categories so that a user knows what access they are granting when installing an app.
In some cases, users can grant some permissions while withholding or withdrawing others, though this may limit an app's functionality.
Here's an example of a permissions notification that requests access to a variety of things and requests users grant permission for the access:
Why Do Android Permissions Have Privacy Policy Implications?
Many Android permissions involve granting the app (and in turn its developer) access to personal information. A range of platform rules and laws govern how and why you can use this personal information and what you must tell customers about this use. Often these laws define personal information as anything relating to an identifiable individual.
Which Android Permissions Could Involve Personal Information?
Two main categories of Android permission involve data that can count as personal information under platform rules or laws:
- Permissions to access data on a device. Examples include accessing call logs, SMS message content, contacts, a calendar, or internet browsing history.
- Permissions that inherently gather personal data such as monitoring the device’s location.
What Privacy Laws Could Relate to Android Permissions?
If you use Android permissions, the data you access or collect could trigger privacy laws in many countries.
A key example is the General Data Protection Regulation (GDPR). This law applies across the European Economic Area and is mirrored in the United Kingdom's national laws. It will cover your app unless all of the following apply:
- Your app has a geo-block that guarantees nobody in a country covered by the GDPR can access and install it.
- You and your business have no presence in a country covered by the GDPR (including local offices or subsidiaries).
- Your app does not involve any personal data processing (such as in a data server) in a country covered by the GDPR.
If you are covered by the GDPR and your app collects or uses any personal information, you need to publish a Privacy Policy.
The GDPR specifically requires that you publish details including:
- What personal information you collect
- Why and how you use the personal information
- Who, if anyone, you share the personal information with
- How you’ll protect the personal information if it goes to a country not covered by the GDPR
- How long you keep the personal information
- How you keep the personal information secure
- The legal rights of the data subject (the person the personal information is about) and how to exercise them
- The lawful basis under which you process the personal information (for example, that you have user consent or that it’s in your “legitimate interests”)
- Your contact details and those of your data protection officer
Instagram's Privacy Policy explicitly details the user's legal rights:
Several other countries including Brazil and the UAE have privacy laws with a similar scope and requirements to the GDPR. Other countries including Australia and Canada have privacy laws for businesses that operate in those countries and handle personal information about people in those countries.
In the U.S., the federal COPPA rule means you must publish a Privacy Policy if you aim your app at children aged under 13 or know that they are using it.
The U.S. also has a range of state laws that cover personal information, in some cases requiring you to publish a Privacy Policy if you collect or process personal information.
Google Play Store Rules
Most Android developers will distribute their apps in the Google Play Store. If you do this, Google requires that you publish a Privacy Policy. The rules on making app users aware of this policy are as follows:
- You must always include a link to the Privacy Policy in your store listing. This is the case for any app.
- You must also link to the Privacy Policy from within your app if your app requests access to sensitive permissions or data.
- You must also link to the Privacy Policy from within your app if it targets children, regardless of the data or permissions it requests.
Let's break this down in a bit more detail.
Adding The Privacy Policy Link to Your Store Listing
While adding your app to the store, you'll need to answer specific questions about the app's data use. Google then uses this information to produce the "Data safety" section of your app's listing in the Google Play Store.
This section, as shown here in the app store listing for WhatsApp, is a brief overview that lets the user tap or click through to see more detail:
This additional detail page includes details of data the app collects:
The Data Safety section does not replace the requirement to publish a standalone Privacy Policy. In fact, one of the mandatory questions asks for the URL of your Privacy Policy, which will normally be hosted on your own website. The Data Safety section will then automatically include a link to this URL.
This URL must be valid and publicly accessible, and the Privacy Policy must specifically cover your app. It must not be a PDF document or an editable format.
OpenAI's Play Store listing for the ChatGPT app includes a Privacy Policy link:
This points to the appropriate version of the Privacy Policy based on the user's location and that of the Google Play store in their country. However, OpenAI makes it easy to switch to other versions of the Privacy Policy based in different countries:
Adding A Privacy Policy Link in Your Android App
As noted, you must include a Privacy Policy link within the app itself if it targets children or if it collects sensitive information. This could be because the information is inherently sensitive (e.g. financial or medical information), or because you request a sensitive Android permission.
Google says a non-exhaustive list of sensitive data is:
"personally identifiable information, financial and payment information, authentication information, phonebook, contacts, device location, SMS and call-related data, health data, Health Connect data, inventory of other apps on the device, microphone, camera, and other sensitive device or usage data."
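As an added example (not Google's tooling and not code from the original article), this Python check reads a source `AndroidManifest.xml` and reports whether the declared permissions fall into the sensitive categories quoted above, which is what triggers the in-app Privacy Policy link rule. The permission-to-category mapping, the function name and the sample manifest are assumptions made for illustration; the permission names themselves are standard Android ones.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping (made for this example) from Android permission names
# to the sensitive-data categories in Google's list quoted above.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "phonebook, contacts",
    "android.permission.ACCESS_FINE_LOCATION": "device location",
    "android.permission.ACCESS_COARSE_LOCATION": "device location",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "device location",
    "android.permission.READ_SMS": "SMS and call-related data",
    "android.permission.RECEIVE_SMS": "SMS and call-related data",
    "android.permission.READ_CALL_LOG": "SMS and call-related data",
    "android.permission.BODY_SENSORS": "health data",
    "android.permission.QUERY_ALL_PACKAGES": "inventory of other apps on the device",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
}

def audit_manifest(manifest_xml, targets_children=False):
    """Return (needs_in_app_link, {permission: category}) for a manifest string."""
    root = ET.fromstring(manifest_xml)
    found = {}
    # uses-permission-sdk-23 declares permissions for API 23+ only; count it too.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for elem in root.iter(tag):
            name = elem.get(ANDROID_NS + "name", "")
            if name in SENSITIVE:
                found[name] = SENSITIVE[name]
    # Per the rules above: link in-app if sensitive data is requested
    # or the app targets children, whatever it requests.
    return (targets_children or bool(found)), found

# Constructed sample manifest (not from any real app).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET" />
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
  <uses-permission-sdk-23 android:name="android.permission.CAMERA" />
  <application android:label="Constructed Sample" />
</manifest>"""

if __name__ == "__main__":
    needed, hits = audit_manifest(SAMPLE_MANIFEST)
    print("In-app Privacy Policy link required:", needed)
    for perm, category in sorted(hits.items()):
        print(f"  {perm} -> {category}")
```

This works on the text manifest in your source tree, not the binary-encoded manifest inside a built APK, and it only sees permissions your own manifest declares, not ones merged in from libraries at build time.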
The Bluesky app, which may request access to the camera or location details for some features, includes a clear link to its Privacy Policy:
Requirements for an Android App Privacy Policy
Google has specific rules for what you include in the linked Privacy Policy. This applies to all apps in the Play Store, not just those targeting children or collecting sensitive data.
The Policy must include the following:
- Developer information and a privacy point of contact or a mechanism to submit enquiries.
- Disclosing the types of personal and sensitive user data that your app accesses, collects, uses and shares; and any parties with which any personal or sensitive user data is shared.
- Secure data handling procedures for personal and sensitive user data.
- The developer's data retention and deletion policy.
- Clear labelling as a privacy policy (for example, listed as 'privacy policy' in title).
The Policy must also specifically mention either the name of the app, the name of the developer/development company, or both.
All of this information must be in the Privacy Policy, even if it's already mentioned in the Data Safety section of your Play Store listing.
Shopify's Privacy Policy, linked to from its Play Store listing page, details the types of data it collects. It's a dedicated policy for app users:
Etsy details how it decides how long to keep data:
Highlighting Privacy Policies in the Android Platform
Some Android developers choose not to use the Google Play store. In this situation you can, and should, highlight your Privacy Policy in the app itself if you request permissions involving sensitive actions. It's not mandatory but is listed by Android as best practice. It will also significantly increase the chances a user will agree to the permission.
You can highlight your Privacy Policy in two ways:
- Showing an on-screen explanation whenever you ask for permission.
- Using the dedicated Android Privacy Dashboard (which appears on all apps running on Android 12 or later) to explain why you request permission to access location data, a microphone or a camera.
You can set up these on-screen explanations in the code of your app, as explained in Android's developer documentation. The technical details of how to add information to the Android Privacy Dashboard are covered there as well.
In both cases, an on-screen message may be too limited to fully explain how and why you use any personal information collected as a result of the permission. Including a link to your Privacy Policy is an excellent idea.
Summary
Requesting specific permissions in Android can trigger specific requirements for how you highlight a Privacy Policy. However, a combination of Google's rules and privacy laws means having and highlighting a Privacy Policy for your app is always sensible and often mandatory.
Privacy laws such as the GDPR require a Privacy Policy if your app uses any personal information, for example collecting an email address, tracking a user's location or accessing their data. You must make people aware of this Privacy Policy.
Google's rules for the Play Store mean you must always have a Privacy Policy and provide the URL to appear in the store listing for the app. If you request sensitive permissions or your app targets children, you must also include a link to the Privacy Policy in the app itself.
Even if you don't use the Google Play Store, you can (and should) use an on-screen message in the app itself to explain why you need the user to grant a permission. With the location data, microphone and camera permissions, you can also provide an explanation that appears in the Android Privacy Dashboard that's automatically built into the app in Android 12 and later. These explanations are a great place to link to your Privacy Policy.