If you are developing an app for an Android phone, you must have a Privacy Policy. Countless data protection laws around the world, and Google itself, require this of app developers.

Let's take a look at the Privacy Policy obligations you'll need to comply with for your Android app.


Privacy Policies Required by Law

Before even addressing what Google requires for your Privacy Policy, you should be aware that there are multiple laws across the world that require you to include a Privacy Policy.

A Privacy Policy is designed to notify users of what information an app collects, how it collects the data, and why.

Most laws have a broad definition of "personal information" to encompass as much data as possible. Personal information can be email addresses, home addresses, Social Security Numbers, gender, IP addresses, and geographical information.

All of these laws require apps to provide a Privacy Policy when user data is collected. There are a few, in particular, you should pay attention to that could affect your app:

  • The General Data Protection Regulation (GDPR) is the strictest privacy law in the world and protects the private information of residents of the European Union.
  • The California Online Privacy Protection Act (CalOPPA) was enacted to protect the private information of California citizens.
  • The California Consumer Privacy Act (CCPA) is a recently enacted law that "grants new rights" to California residents regarding their data.

Remember that these laws apply to any app that collects the personal information of those residents, regardless of where the app's company is based. For example, if your company is based in Asia and you collect data from a resident of California, you must still comply with California law.

Google's Requirements for a Privacy Policy

In addition to laws, your app must comply with Google's Developer policies.

The Google Play Developer Distribution Agreement and Developer Privacy Center require your app to have a Privacy Policy.

Below are the major guidelines you need to be aware of.

Data Collection and Storage

By agreeing to Google's Developer Distribution Agreement you are promising to protect the "privacy and legal rights of users" when you collect data:

Google Play Developer Distribution Agreement: Section with requirement to protect privacy and rights and provide privacy notice

Google requires that all apps be "transparent" about how they collect and store personal data.

This means your Privacy Policy must include:

  • What data is collected
  • What the data is used for
  • Who the data is shared with
  • How the data is protected
  • User rights

Prominent Disclosure

Your Privacy Policy must be "prominently disclosed." It must be available wherever users provide their personal information, both in the places where they expect to provide it and in those where they don't:

Google Play Console Help: User Data - Prominent Disclosure and Consent Requirement: Disclosure Requirements excerpt

Your app must include a request for consent to collect information in a "clear and unambiguous way."

The user must provide consent in an "affirmative" way such as an I Accept button or checkbox for the consent to be acceptable:

Google Play Console Help: User Data - Prominent Disclosure and Consent Requirement: Consent Requirements excerpt

Permissions and Necessary Data

A request to use data must be "necessary" for the app to run, and the data must be collected for "limited purposes." Requesting permission for undisclosed features is not allowed, and collected data may only be used for the purpose the user granted permission for.

If you need to use data for another purpose, then you must receive permission again:

Google Play Console Help: Permissions - Introduction section

Deceptive Behavior

Google strictly prohibits apps from engaging in deceptive behavior. Examples of this would be misleading claims and deceptive changes to device settings:

Google Play Console Help: Deceptive Behavior - Introduction section

An app must include within its Privacy Policy accurate statements of its systems and how a user should expect the app to run.

When an app makes changes to its systems, users must be notified. The process for how changes are made must also be included in the Privacy Policy.

Sharing of Data

Oftentimes apps use third parties to help run the app, process payments, and analyze systems and functions (e.g., Google Analytics). If your app shares its users' data, you must notify users of this disclosure and tell them with whom the data is shared:

Google Play Developer Program Policy: Privacy, Deception and Device Abuse section - Personal and Sensitive Information clause - Privacy Policy and data shared excerpt

Sensitive Data Access

Google places additional restrictions on apps that collect sensitive data. "Sensitive data" can include financial/payment information, SMS contacts, and microphone and camera sensor data.

There are a few activities and restrictions you'll need to be aware of if you collect sensitive data:

  • Financial Payments: You must never publicly disclose the sensitive financial or personal identification numbers of users.
  • Non-Public Phonebook Contacts: Google doesn't allow the unauthorized disclosure of this data.
  • Anti-Virus Functionality: If your app contains anti-virus functionality you must disclose this, along with how and why the data is used.

Children

Google's Developer Policy states if your app's audience is children or is a combination of adults and children, you must comply with additional regulations. For apps whose audience is only children, you must be a part of Google's Designed for Families Program. Apps that have a mixed audience have the option to participate in the program.

For apps that choose not to participate in the program, they must still comply with Google's other requirements.

Apps must include in their Privacy Policies what data is collected from children and the APIs and SDKs the app uses.

Google's Family Policy Requirements remind apps that in addition to complying with these regulations, they must comply with other laws, specifically the Children's Online Privacy Protection Act (COPPA).

What to Include in Your Privacy Policy

What to Include in Your Privacy Policy

Not every Privacy Policy fits every app. It's important to tailor your policy to fit your specific app and its functions.

What Data is Collected

Typically, this is the first clause of your Privacy Policy. It discloses that the app collects data and what type of data is collected.

Evernote helps users organize and manage ideas by collecting a user's images, text, and other data that the company considers to be "content." Its Policy states the data it collects with specific examples:

Evernote Privacy Policy: What Information Does Evernote Collect clause - Information collected list excerpt

Evernote's Privacy Policy also advises that it collects emails and names when a user logs into Evernote using their Google Apps credentials and other third-party partners:

Evernote Privacy Policy: What Information Does Evernote Collect clause - Third parties excerpt

How Data is Used

Your app must only collect data that is used for the necessary functions of the app. This is required by both Google and laws to protect users from the misuse of their information.

Pinterest provides a very robust list of ways it uses data for "legitimate interests." It breaks down legitimate interests into recommending pins, maintaining product and safety features, ads, and customization of accounts:

Pinterest Privacy Policy: What we do with the info we collect clause

Storage of Data

You must disclose how long you will store a user's data in your systems. You don't have to give a specific timeframe but can state you reserve the right to store the data for "as long as necessary."

Snapchat has an extensive data storage section because it collects a wide variety of data. Its Privacy Policy advises that some images are deleted immediately while others are stored for longer, depending on the type of image. Personal information, such as account info and location data, is stored longer than photos:

Snapchat Privacy Policy: List excerpt of How Long We Keep Your Information clause

Snapchat also includes a section stating it can't promise certain information will be deleted in a certain timeframe:

Snapchat Privacy Policy: How Long We Keep Your Information clause - Data retention time excerpt

Sharing Data

If you share or disclose data to third parties, you must disclose this to users. Whether you share it within your app or with outside parties, users must be notified.

Where available, links to the third parties' own Privacy Policies or services/features should be included.

Niantic's Privacy Policy for Pokemon GO includes a clause explaining that it does not disclose information except for specific reasons, including sharing with service providers, with other players (for live events), and with third parties, and for the protection of others:

Niantic Privacy Policy: Who we share information with clause

Poshmark includes a section about how personal information will be disclosed if the app is merged with another company or is sold:

Poshmark Privacy Policy: Our Disclosure of Your Personal Data and Other Information clause - Business Transferees section

Poshmark's Privacy Policy additionally includes that it will disclose data when a user logs into a third-party service using the Poshmark credentials the user has consented to share:

Poshmark Privacy Policy: Our Disclosure of Your Personal Data and Other Information clause - Third Party Services section

Security of Data

Your Privacy Policy must include a section on how you will secure and protect a user's data.

Ibotta uses a simple security disclosure that provides the ways it implements to protect a user's private data:

Ibotta Privacy Policy: Security of Personal Information clause

In contrast, Grubhub includes a slightly longer section that includes the methods the company uses to protect the information, such as physical, administrative, and technological protections:

Grubhub Privacy Policy: How We Store and Protect Your Information

The internet is not foolproof when it comes to data protection. When creating your Privacy Policy, include a statement reminding users that you will use all safeguards, but that incidents can still happen and users also need to take protective steps themselves, as Venmo does here:

Venmo Privacy Policy: How we protect and store personal information - Security clause

Processing of Payments/Financial Data

If you have an e-commerce app or your app processes payments, you must disclose to users what information you collect to conduct this service and whether you share that information with third-party payment processors.

Wish's Privacy Policy states that it uses third parties to help with services such as payment processing, and that it shares collected data with those parties so they can perform those functions:

Wish Privacy Policy: Information Sharing - Service Providers and Agents section

User Rights

Your Privacy Policy must have a section detailing user rights and how they can access or change their data collection settings.

This is especially important since the enactment of the GDPR and the CCPA, which both added to or elaborated on users' rights.

The GDPR requires that users have the right to:

  • Be informed
  • Withdraw consent
  • Have their information erased in some cases
  • Be notified
  • Restrict your processing of their data in some circumstances

The CCPA went into effect at the beginning of 2020 and granted new rights to California users including the rights to:

  • Know what information is collected
  • Delete collected information
  • Opt-out of the sale of information
  • Non-discrimination when they exercise a right

Twitter provides a whole section that advises how users can access/rectify their data, delete data, and object/restrict consent with links to where users can do this on their accounts:

Twitter Privacy Policy: Managing Your Personal Information With Us clause

Airbnb goes into detail on each specific right, explaining what each right is and how users can exercise it:

Airbnb Privacy Policy: User Rights clause

With these recently enacted laws, you can include these provisions in your general User Rights section or create separate sections for California consumers and EU consumers as Domino's Pizza does here:

Domino's Pizza Privacy Policy: California rights clause

You can see how separating out the rights by user location helps meet legal requirements as well as helping users find relevant information quickly:

Domino's Pizza Privacy Policy: EU user rights clause

Cookies

If your app uses Cookies to collect and store data, then you are required to include a Cookies section in your Privacy Policy. If you have customers in the EU, you must have a separate Cookies Policy from your general Privacy Policy.

Roblox explains in its "Cookies and Similar Technologies" section that it uses Cookies and what Cookies are:

Roblox Privacy and Cookie Policy: Cookies and Similar Technologies clause - Cookies excerpt

Canva has users all over the world and is required to have a completely separate Cookies Policy that states how and why it uses Cookies and how users can control/disable Cookies settings:

Canva Cookies Policy introduction clause

Do Not Track Signals (DNTs)

CalOPPA requires apps that collect the data of California residents to include a "Do Not Track Signal" clause that states how the app handles these signals.

DNT requests are a way for users to ask companies not to track their online activity. Apps do not have to honor DNT requests or settings, but they must state how they respond to them.

The clause does not have to be long or complicated. It must simply notify the user of the app's practices like DoorDash does here:

DoorDash Privacy Policy: DNT Disclosure clause

Lyft advises users that their browser may offer DNT options, but that Lyft itself does not support DNT requests:

Lyft Privacy Policy: Your Rights and Choices Regarding Your Data clause - DNT section

Children

This is a requirement for any app that collects data from children under the age of 13. COPPA makes it unlawful for any app to access this data without the consent of a parent or legal guardian.

Starbucks notes its app is not intended for children under 13 with a link parents may contact if they believe Starbucks has collected their child's data:

Starbucks Privacy Policy: Children's Privacy clause

Spotify advises it has a separate service for kids called "Spotify Kids," but the main app is not directed towards children. The Privacy Policy states Spotify does not knowingly collect data from children under the age of 13, and provides ways parents may contact Spotify if their children are using the app:

Spotify Privacy Policy: Children clause

Changes/Updates to the Privacy Policy

Your Privacy Policy should also include a section about changes or updates to the policy. Include a statement that you will notify users of any changes. While not required, stating the method of notification can be helpful.

In WhatsApp's Privacy Policy, it states users will be notified of any amendments and it will update its "Last Modified" date for users to easily find out when the most recent changes were:

WhatsApp Privacy Policy: Updates to our Policy clause

Remember that users should be allowed to consent to the amended policy. This can be done either by clicking an "I Accept" button in an email or pop-up, or by continued use of the app.

Relaxio states it will inform users of any "material changes" by posting on the app and advises users to regularly check the policy for any changes:

Relaxio Privacy Policy: Date of Last Revision and Effective Date - Updates clause

Contact Information

All Privacy Policies should include your contact information for users to reach out to if they have questions or concerns. This typically includes an address, email address, phone number, and links to help or support centers.

Instacart has a section at the end of its Privacy Policy providing links for additional services and contact information, including an email address and phone number users can use if they have questions:

Instacart Privacy Policy: Contact Information clause

All of the above clauses should be included in your Android App's Privacy Policy to satisfy Google's requirements as well as requirements of applicable privacy laws.

Where to Place Your Privacy Policy Link

There are many places you can put your Privacy Policy link. However, you must make sure the link is clear and easily accessible. You cannot hide the link inside other policies or notifications.

Google requires that the link to your Privacy Policy be included on Google Play's site, and you must include it within the app as well.

Google Play Page

Apps must include a link to their Privacy Policy on the app's main Google Play page, which viewers can access on a computer or through the Google Play app on their phone.

On a computer, the link will typically be included under the "Developer" section of the page along with other links users can access for more information about the app.

Instagram includes a link to its Privacy Policy, its website, and an email for tech support:

Instagram app Google Play Store listing with Privacy Policy link highlighted

Within Your Android App

Under Google's Developer Policies, you must include a link to your Privacy Policy somewhere within your app. Luckily, there are multiple places you can do this.

Settings Page

The most common place is on the Settings page of your app since most people will look there first to find out more information about the app.

Snapchat includes a link to its Privacy Policy on the app's Settings page that takes you directly to the Privacy Policy:

Snapchat Android app Settings menu with Privacy Policy highlighted

Pop-Ups

Including a link in pop-ups or notifications when a user opens the app is another good place to link your Privacy Policy. These pop-ups can be about updates to the policy or when you first log into the app.

Snapseed includes a link to its Privacy Policy three times in a pop-up notifying users that the app's policy has changed:

Snapseed Android app Notification about updated Terms of Service and Privacy Policy

About Page

You can also put the link on the About page on your app.

Lightroom is an Adobe product. A link to Adobe's Privacy Policy is included on the "About Lightroom" page inside the Lightroom app:

Lightroom Android app About screen with Privacy Policy link highlighted

Check Out Page

It's a good idea to include a link to your Privacy Policy on the checkout page if you have an e-commerce component to your Android app.

To make sure you get "clear and unambiguous" consent from the user, include an "I Accept" button the user must tap before checking out, or a statement that by clicking "Order" the user is accepting the Privacy Policy.

Etsy includes a statement that by clicking the "Place Your Order" button you are accepting the app's Privacy Policy:

Etsy Place Order button with agree to Privacy Policy and link highlighted

Summary

If you develop an app for an Android phone and collect your users' personal data, you must include a Privacy Policy.

This is required by Google's Developer Policies and various laws. You must include a link to the policy in Google Play's database and in the app itself.

Here are a few things to remember when drafting your Privacy Policy:

  • Disclose what data is collected
  • Disclose how the data is secured
  • Disclose who the data is shared with
  • Advise users of their rights
  • Make your Privacy Policy easily accessible and clear

Link it within your app's Google Play Store listing, as well as within your app itself.