
If you are developing an app for an Android phone, you must have a Privacy Policy. Countless data protection laws around the world, and Google itself, require this of app developers.
Let's take a look at the Privacy Policy obligations you'll need to comply with for your Android app.
- 1. Privacy Policies Required by Law
- 2. Google's Requirements for a Privacy Policy
- 2.1. Data Collection and Storage
- 2.2. Prominent Disclosure
- 2.3. Consent
- 2.4. Permissions and Necessary Data
- 2.5. Deceptive Behavior
- 2.6. Sharing of Data
- 2.7. Sensitive Data Access
- 2.8. Children
- 3. What to Include in Your Privacy Policy
- 3.1. What Data is Collected
- 3.2. How Data is Used
- 3.3. Storage of Data
- 3.4. Sharing Data
- 3.5. Security of Data
- 3.6. Processing of Payments/Financial Data
- 3.7. User Rights
- 3.8. Cookies
- 3.9. Do Not Track Signals (DNTs)
- 3.10. Children
- 3.11. Changes/Updates to the Privacy Policy
- 3.12. Contact Information
- 4. How to Create a Privacy Policy
- 5. Where to Place Your Privacy Policy Link
- 5.1. Google Play Page
- 5.2. Within Your Android App
- 5.2.1. Settings Page
- 5.2.2. Pop-Ups
- 5.2.3. About Page
- 5.2.4. Check Out Page
- 6. Summary
Privacy Policies Required by Law
Before even addressing what Google requires for your Privacy Policy, you should be aware that there are multiple laws across the world that require you to include a Privacy Policy.
A Privacy Policy is designed to notify users of what information an app collects, how it collects the data, and why.
Most laws define "personal information" broadly so as to cover as much data as possible. Personal information can include email addresses, home addresses, Social Security Numbers, gender, IP addresses, and geographical information.
All of these laws require apps to provide a Privacy Policy when user data is collected. There are a few, in particular, you should pay attention to that could affect your app:
- The General Data Protection Regulation (GDPR) is the strictest privacy law in the world and protects the private information of residents of the European Union.
- The California Online Privacy Protection Act (CalOPPA) was enacted to protect the private information of California citizens.
- The California Consumer Privacy Act (CCPA) and its CPRA amendments grant new rights to California residents regarding their data.
Note that these laws apply to any app that collects the personal information of those residents, regardless of where the developer is based. For example, if your company is based in Asia and you collect the data of a citizen in California, you must still comply with California law.
Google's Requirements for a Privacy Policy
In addition to laws, your app must comply with Google's Developer policies.
The Google Play Developer Distribution Agreement and Developer Privacy Center require your app to have a Privacy Policy.
Below are the major guidelines you need to be aware of.
Data Collection and Storage
By agreeing to Google's Developer Distribution Agreement you are promising to protect the "privacy and legal rights of users" when you collect data:
Google requires that all apps be "transparent" about how they collect and store personal data.
This means your Privacy Policy must include:
- What data is collected
- What the data is used for
- Who the data is shared with
- How the data is protected
- User rights
Prominent Disclosure
Your Privacy Policy must be "prominently disclosed." It must appear both in places where users expect to provide their personal information and in places where they may not expect to:
Consent
Your app must include a request for consent to collect information in a "clear and unambiguous way."
The user must give consent in an "affirmative" way, such as tapping an "I Accept" button or ticking a checkbox, for the consent to be valid:
Permissions and Necessary Data
A request to use data must be "necessary" for the app to run, and data may only be collected for "limited purposes." Requesting permissions for undisclosed features is not allowed, and collected data may only be used for the purpose the user granted permission for.
If you need to use data for another purpose, then you must receive permission again:
Deceptive Behavior
Google strictly prohibits apps from engaging in deceptive behavior. Examples of this would be misleading claims and deceptive changes to device settings:
An app's Privacy Policy must accurately describe how the app operates and how a user should expect it to behave.
When an app changes how it operates, users must be notified. The process by which such changes are made must also be described in the Privacy Policy.
Sharing of Data
Apps often use third parties to help run the app, process payments, and analyze systems and functions (e.g., Google Analytics). If your app shares its users' data, you must notify users of this disclosure and tell them whom you share the data with:
Sensitive Data Access
Google places additional restrictions on apps that collect sensitive data. "Sensitive data" can include financial/payment information, SMS contacts, and microphone and camera sensor data.
There are a few activities and restrictions you'll need to be aware of if you collect sensitive data:
- Financial Payments: You must never publicly disclose the sensitive financial or personal identification numbers of users.
- Non-Public Phonebook Contacts: Google doesn't allow the unauthorized disclosure of this data.
- Anti-Virus Functionality: If your app contains anti-virus functionality you must disclose this, along with how and why the data is used.
Children
Google's Developer Policy states that if your app's audience is children, or a combination of adults and children, you must comply with additional regulations. Apps whose audience is only children must be part of Google's Designed for Families Program. Apps with a mixed audience have the option to participate in the program.
Apps that choose not to participate in the program must still comply with Google's other requirements.
Apps must include in their Privacy Policies what data is collected from children and the APIs and SDKs the app uses.
Google's Family Policy Requirements remind apps that in addition to complying with these regulations, they must comply with other laws, specifically the Children's Online Privacy Protection Act (COPPA).
What to Include in Your Privacy Policy
Not every Privacy Policy fits every app. It's important to tailor your policy to fit your specific app and its functions.
What Data is Collected
Typically, this is the first clause of your Privacy Policy. It discloses that the app collects data and what type of data is collected.
Evernote helps users organize and manage ideas by collecting a user's images, text, and other data that the company considers to be "content." Its Policy states the data it collects with specific examples:
Evernote's Privacy Policy also advises that it collects emails and names when a user logs into Evernote using their Google Apps credentials and other third-party partners:
How Data is Used
Your app must only collect data that is used for the necessary functions of the app. This is required by both Google and laws to protect users from the misuse of their information.
Pinterest provides a very robust list of ways it uses data for "legitimate interests." It breaks down legitimate interests into recommending pins, maintaining product and safety features, ads, and customization of accounts:
Storage of Data
You must disclose how long you will store a user's data in your systems. You don't have to give a specific timeframe but can state you reserve the right to store the data for "as long as necessary."
Snapchat has an extensive data storage section because it collects a wide variety of data. Its Privacy Policy advises that some images are deleted immediately while others are stored for longer, depending on the type of image. Personal information such as account info and location data is stored longer than photos:
Snapchat also includes a section stating it can't promise certain information will be deleted in a certain timeframe:
Sharing Data
If you share or disclose data to third parties, you must disclose this to users. Whether you share it within your app or with outside parties, users must be notified.
Where available, links to the third parties' own Privacy Policies or services/features should be included.
Niantic's Privacy Policy for Pokemon GO includes a clause that explains it doesn't disclose information unless for specific reasons including to service providers, other players (for live events), third parties, and for the protection of others:
Poshmark includes a section about how personal information will be disclosed if the app is merged with another company or is sold:
Poshmark's Privacy Policy additionally includes that it will disclose data when a user logs into a third-party service using the Poshmark credentials the user has consented to share:
Security of Data
Your Privacy Policy must include a section on how you will secure and protect a user's data.
Ibotta uses a simple security disclosure that lists the measures it implements to protect a user's private data:
In contrast, Grubhub includes a slightly longer section describing the methods the company uses to protect the information, such as physical, administrative, and technological protections:
No transmission or storage of data over the internet is completely secure. When creating your Privacy Policy, include a statement reminding users that you apply safeguards but cannot guarantee absolute security, and that they also need to take protective steps themselves, as Venmo does here:
Processing of Payments/Financial Data
If you have an e-commerce app or your app processes payments, you must disclose to users what information you collect to conduct this service and whether you share the information with third-party processors.
Wish's Privacy Policy states that it uses third parties to help with services such as payment processing, and that it shares collected data with those parties so they can perform those functions:
User Rights
Your Privacy Policy must have a section detailing user rights and how they can access or change their data collection settings.
This is especially important since the enactment of the GDPR and the CCPA (CPRA), which both added to or elaborated on users' rights.
The GDPR requires that users have the right to:
- Be informed
- Withdraw consent
- Have their information erased in some cases
- Be notified
- Restrict your processing of their data in some circumstances
The CCPA (CPRA) granted new rights to California users including the rights to:
- Know what information is collected
- Delete collected information
- Opt-out of the sale of information
- Non-discrimination when they exercise a right
Twitter provides a whole section that advises how users can access or rectify their data, delete data, and object to or restrict the processing of their data, with links to where users can do this in their accounts:
Airbnb goes into detail on each specific right, explaining what the right is and how users can exercise it:
With these recently enacted laws, you can include these provisions in your general User Rights section or create separate sections for California consumers and EU consumers, as Domino's Pizza does here:
You can see how separating out the rights for each user location helps meet legal requirements as well as helping users find relevant information quickly:
Cookies
If your app uses Cookies to collect and store data, then you are required to include a Cookies section in your Privacy Policy. If you have customers in the EU, you must have a separate Cookies Policy from your general Privacy Policy.
Roblox explains in its "Cookies and Similar Technologies" section that it uses Cookies and what Cookies are:
Canva has users all over the world and is required to have a completely separate Cookies Policy that states how and why it uses Cookies and how users can control/disable Cookies settings:
Do Not Track Signals (DNTs)
CalOPPA requires apps that collect the data of California residents to include a "Do Not Track Signal" clause that states how the app handles these signals.
DNT requests are a way for users to ask companies not to track their online activity. Apps do not have to honor DNT requests or settings, but they must state how they respond to them.
The clause does not have to be long or complicated. It must simply notify the user of the app's practices like DoorDash does here:
Lyft advises users that their browser may offer DNT options, but that Lyft itself does not support DNT requests:
Children
This section is required for any app that collects data from children under the age of 13. COPPA makes it unlawful for any app to access this data without the consent of a parent or legal guardian.
Starbucks notes that its app is not intended for children under 13 and provides a contact link for parents who believe Starbucks has collected their child's data:
Spotify advises it has a separate service for kids called "Spotify Kids," but the main app is not directed towards children. The Privacy Policy states Spotify does not knowingly collect data from children under the age of 13, and provides ways parents may contact Spotify if their children are using the app:
Changes/Updates to the Privacy Policy
Your Privacy Policy should also include a section about changes or updates to your policy. You should include a statement that you will notify users of any changes. While not required, including the method can be helpful.
WhatsApp's Privacy Policy states that users will be notified of any amendments and that its "Last Modified" date will be updated so users can easily see when the most recent changes were made:
Remember that users should be given the opportunity to consent to the amended policy. This can be either by clicking an "I Accept" button in an email or pop-up, or by continued use of the app.
Relaxio states it will inform users of any "material changes" by posting on the app and advises users to regularly check the policy for any changes:
Contact Information
All Privacy Policies should include your contact information for users to reach out to if they have questions or concerns. This typically includes an address, email address, phone number, and links to help or support centers.
Instacart has a section at the end of its Privacy Policy providing links for additional services and contact information, including an email address and phone number users can use if they have questions:
All of the above clauses should be included in your Android App's Privacy Policy to satisfy Google's requirements as well as requirements of applicable privacy laws.
How to Create a Privacy Policy
Our Free Privacy Policy Generator helps you create a custom Privacy Policy for your website and mobile app. Just follow these few simple steps and your Privacy Policy will be ready to display in minutes.
- Click on the "Free Privacy Policy Generator" button, located at the top of the website.
- Select where your Privacy Policy will be used:
- Answer a few questions about your business:
- Enter the country and click on the "Next Step" button:
- Continue building your Privacy Policy by answering the questions from our wizard:
- Almost done. Now enter the email address where you'd like your new Privacy Policy sent, click on the "Generate" button, and you're done.
That's it. Now you can copy and paste your Privacy Policy code into your website, or link to your hosted Privacy Policy.
Where to Place Your Privacy Policy Link
There are many places you can put your Privacy Policy link. However, you must make sure the link is clear and easily accessible. You cannot hide the link inside other policies or notifications.
Google requires that the link to your Privacy Policy be included on your app's Google Play listing, and you must include it within the app as well.
Google Play Page
Apps must include a link to their Privacy Policy on the app's main Google Play page, which viewers can access on a computer or through the Google Play app on their phone.
On a computer, the link will typically be included under the "Developer" section of the page along with other links users can access for more information about the app.
Instagram includes a link to its Privacy Policy, its website, and an email for tech support:
Within Your Android App
Under Google's Developer Policies, you must include a link to your Privacy Policy somewhere within your app. Luckily, there are multiple places you can do this.
Settings Page
The most common place is on the Settings page of your app since most people will look there first to find out more information about the app.
Snapchat includes a link to its Privacy Policy in the app's Settings page that takes you directly to the Privacy Policy.
Pop-Ups
Including a link in pop-ups or notifications when a user opens the app is another good place to link your Privacy Policy. These pop-ups can be about updates to the policy or when you first log into the app.
Snapseed includes a link to its Privacy Policy three times in a pop-up notifying users that the app's policy has changed:
About Page
You can also put the link on the About page on your app.
Lightroom is an Adobe product. A link to Adobe's Privacy Policy is included on the "About Lightroom" page inside the Lightroom app:
Check Out Page
It's a good idea to include a link to your Privacy Policy on the checkout page if you have an e-commerce component to your Android app.
To make sure you get "clear and unambiguous" consent from the user, include an "I Accept" button the user must tap before checking out, or a statement that says that by clicking "Order" the user accepts the Privacy Policy.
Etsy includes a statement that by clicking the "Place Your Order" button you are accepting the app's Privacy Policy:
Summary
If you have developed an app for an Android phone and collect your users' personal data, you must include a Privacy Policy.
This is required by Google's Developer Policies and by various laws. You must include a link to the policy on your Google Play listing and in the app itself.
Here are a few things to remember when drafting your Privacy Policy:
- Disclose what data is collected
- Disclose how the data is secured
- Disclose who the data is shared with
- Advise users of their rights
- Make your Privacy Policy easily accessible and clear
Link it within your app's Google Play Store listing, as well as within your app itself.