- 1. Privacy Policies Required by Law
- 2.1. Data Collection and Storage
- 2.2. Prominent Disclosure
- 2.3. Consent
- 2.4. Permissions and Necessary Data
- 2.5. Deceptive Behavior
- 2.6. Sharing of Data
- 2.7. Sensitive Data Access
- 2.8. Children
- 3.1. What Data is Collected
- 3.2. How Data is Used
- 3.3. Storage of Data
- 3.4. Sharing Data
- 3.5. Security of Data
- 3.6. Processing of Payments/Financial Data
- 3.7. User Rights
- 3.8. Cookies
- 3.9. Do Not Track Signals (DNTs)
- 3.10. Children
- 3.12. Contact Information
- 4.1. Google Play Page
- 4.2. Within Your Android App
- 4.2.1. Settings Page
- 4.2.2. Pop-Ups
- 4.2.3. About Page
- 4.2.4. Check Out Page
- 5. Summary
Privacy Policies Required by Law
Most laws have a broad definition of "personal information" to encompass as much data as possible. Personal information can be email addresses, home addresses, Social Security Numbers, gender, IP addresses, and geographical information.
- The General Data Protection Regulation (GDPR) is the strictest privacy law in the world and protects the private information of residents of the European Union.
- The California Online Privacy Protection Act (CalOPPA) was enacted to protect the private information of California citizens.
- California Consumer Privacy Act (CCPA) is a recently enacted law that "grants new rights" to California residents regarding their data.
Note that these laws apply to any app that collects the personal information of those residents. For example, if your company is based in Asia and you collect data from a citizen of California, you must still comply with California law.
In addition to laws, your app must comply with Google's Developer policies.
Below are the major guidelines you need to be aware of.
Data Collection and Storage
By agreeing to Google's Developer Distribution Agreement, you promise to protect the "privacy and legal rights of users" when you collect data.
Google requires all apps to be "transparent" about how they collect and store personal data, which means disclosing:
- What data is collected
- What the data is used for
- Who the data is shared with
- How the data is protected
- User rights
Consent
Your app must request consent to collect information in a "clear and unambiguous way."
For the consent to be valid, the user must give it in an "affirmative" way, such as tapping an I Accept button or ticking a checkbox.
Permissions and Necessary Data
A request to use data must be "necessary" for the app to run, and the data must be collected for "limited purposes." Requesting permissions for undisclosed features is not allowed, and collected data may only be used for the purpose the user granted permission for.
If you need to use the data for another purpose, you must obtain permission again.
Deceptive Behavior
Google strictly prohibits apps from engaging in deceptive behavior, such as making misleading claims or making deceptive changes to device settings.
Sharing of Data
Apps often use third parties to help run the app, process payments, and analyze systems and functions (e.g., Google Analytics). If your app shares its users' data, you must notify users of this and state with whom the data is shared.
Sensitive Data Access
Google places additional restrictions on apps that collect sensitive data. "Sensitive data" can include financial/payment information, SMS contacts, and microphone and camera sensor data.
There are a few activities and restrictions you'll need to be aware of if you collect sensitive data:
- Financial Payments: You must never publicly disclose the sensitive financial or personal identification numbers of users.
- Non-Public Phonebook Contacts: Google doesn't allow the unauthorized disclosure of this data.
- Anti-Virus Functionality: If your app contains anti-virus functionality, you must disclose this, along with how and why the data is used.
Children
Google's Developer Policy states that if your app's audience is children, or a combination of adults and children, you must comply with additional regulations. Apps whose audience is only children must take part in Google's Designed for Families Program; apps with a mixed audience may choose whether to participate.
Apps that choose not to participate in the program must still comply with Google's other requirements.
Apps must state in their Privacy Policies what data is collected from children and which APIs and SDKs the app uses.
Google's Family Policy Requirements remind developers that, in addition to these regulations, they must comply with other laws, specifically the Children's Online Privacy Protection Act (COPPA).
What Data is Collected
Evernote helps users organize and manage ideas by collecting a user's images, text, and other data that the company considers "content." Its Policy lists the data it collects, with specific examples.
How Data is Used
Your app must only collect data that is used for the necessary functions of the app. This is required by both Google and laws to protect users from the misuse of their information.
Pinterest provides a very thorough list of the ways it uses data for "legitimate interests." It breaks these interests down into recommending pins, maintaining product and safety features, ads, and customization of accounts.
Storage of Data
You must disclose how long you will store a user's data in your systems. You don't have to give a specific timeframe but can state you reserve the right to store the data for "as long as necessary."
Snapchat also includes a section stating that it cannot promise certain information will be deleted within a particular timeframe.
Sharing Data
If you share or disclose data to third parties, you must tell users. Whether the sharing happens within your app or with outside parties, users must be notified.
Where available, include links to the third parties' own Privacy Policies or services/features.
Poshmark includes a section on how personal information will be disclosed if the app is merged with another company or is sold.
Security of Data
Ibotta uses a simple security disclosure that lists the measures it implements to protect a user's private data.
In contrast, Grubhub includes a slightly longer section describing the methods the company uses to protect information, such as physical, administrative, and technological protections.
Processing of Payments/Financial Data
If you have an e-commerce app or your app processes payments, you must disclose to users what information you collect to conduct this service and whether you share the information with third-party processors.
User Rights
User rights have become especially important since the enactment of the GDPR and the CCPA, which both added to or elaborated on users' rights.
Under the GDPR, users have the right to:
- Be informed
- Withdraw consent
- Have their information erased in some cases
- Restrict your processing of their data in some circumstances
The CCPA went into effect at the beginning of 2020 and granted new rights to California users including the rights to:
- Know what information is collected
- Delete collected information
- Opt out of the sale of their information
- Not be discriminated against when they exercise a right
Twitter provides a whole section explaining how users can access or rectify their data, delete data, and object to or restrict consent, with links to where users can do this in their accounts.
Airbnb goes into detail on each specific right, explaining what it is and how users can exercise it.
With these recently enacted laws, you can include these provisions in your general User Rights section or create separate sections for California consumers and EU consumers, as Domino's Pizza does.
Separating out the rights by user location helps meet legal requirements and helps users find relevant information quickly.
Do Not Track Signals (DNTs)
CalOPPA requires apps that collect the data of California residents to include a "Do Not Track Signal" clause that states how the app handles these signals.
DNT requests are a way for users to ask companies not to track their online activity. Apps do not have to honor DNT requests or settings, but they must state how they respond to them.
The clause does not have to be long or complicated; it must simply tell the user about the app's practices, as DoorDash does.
Lyft advises users that their browser may offer DNT options, but that Lyft itself does not support DNT requests.
Children
This is a requirement for any app that collects data from children under the age of 13. COPPA makes it unlawful for any app to access this data without the consent of a parent or legal guardian.
Starbucks notes that its app is not intended for children under 13 and provides a link parents can use to contact the company if they believe Starbucks has collected their child's data.
Note that users should be allowed to consent to an amended policy, either by clicking an "I Accept" button in an email or pop-up or by continuing to use the app.
Relaxio states that it will inform users of any "material changes" by posting a notice in the app, and advises users to check the policy regularly for changes.
Contact Information
All Privacy Policies should include your contact information so users can reach out if they have questions or concerns. This typically includes an address, email address, phone number, and links to help or support centers.
Google Play Page
On a computer, the link will typically be included under the "Developer" section of the page along with other links users can access for more information about the app.
Within Your Android App
Settings Page
The most common place is the Settings page of your app, since most people will look there first to find out more about the app.
About Page
You can also put the link on the About page of your app.
Check Out Page
Summary
A Privacy Policy is required by Google's Developer Policies and by various laws. You must include a link to the policy in your Google Play listing and in the app itself. At a minimum, the policy must:
- Disclose what data is collected
- Disclose how the data is secured
- Disclose who the data is shared with
- Advise users of their rights
Link it within your app's Google Play Store listing, as well as within your app itself.