If your mobile app collects and uses personal information from people who use it, you need to have a Privacy Policy.
This is a requirement from three different sources:
Here's why your mobile app needs a Privacy Policy, what to include in your mobile app Privacy Policy and examples of policies.
A Privacy Policy is a legal agreement between you and your users. It's where you let users know important information about your data collection practices including:
Personal information is generally defined as any information that can be used to identify a user, including but not limited to an email address, mailing address, financial account information, first and last name or IP address.
When apps are involved, personal information can also include geolocation data, contact lists, lists of installed apps, calendar entries, and the photos, video and audio captured through the camera and microphone permissions an app requests.
As noted above, there are three sources of the Privacy Policy requirement: laws around the world, the mobile app stores and the third party services your app uses.
Laws around the world require that if your website/mobile app collects and uses personal information from users, you must provide users with access to a Privacy Policy.
Note that while most of these laws started with the goal of protecting internet and website users, they apply to mobile apps as well, because the two are so closely related; often a mobile app is just the mobile version of a standard website.
Also, because the laws were written to protect consumer privacy, they are interpreted broadly to offer maximum protection. Whether the personal information is collected through a browser or through an app makes no difference to the obligation, and many of these laws have since been updated to say so explicitly.
There isn't one main law that requires a Privacy Policy in the US, but rather a number of federal and state laws that call for one. They include the following:
In Canada, there's the Personal Information Protection and Electronic Documents Act (PIPEDA). This law requires that you give notice and obtain consent if your website/mobile app collects personal information from Canadian users in the course of commercial activity.
In the EU, the Data Protection Directive applied to websites and mobile apps that collect and use personal information from users and required a Privacy Policy. The Directive has since been replaced by the General Data Protection Regulation (GDPR), which carries the same transparency obligation in considerably more detail (what you collect, the legal basis for collecting it, how long you keep it, and the rights users have over it).
Additional and similar laws can be found around the world, including in Australia, Southeast Asia and the UK.
All of the main mobile app stores require that if your app collects and uses personal information, you must include a Privacy Policy, usually both within your app and in the app store listing.
Apple's App Store Review Guidelines state that "Apps that collect user or usage data must have a privacy policy..."
The iOS Developer Program License Agreement states that developers "must provide clear and complete information to users regarding Your collection, use and disclosure of user or device data, e.g., a link to Your privacy policy on the App Store."
For Android app developers, the Google Play Developer Policy Center says that if your app handles personal or sensitive user information, your app must post a privacy policy both within your app and in the Play Developer Console.
If your app is going to be listed in the Windows Phone Store and it "accesses, collects or transmits personal information," you need to have a Privacy Policy both on the app's app store description page and within the app itself.
If your app uses analytics, advertising, developer platform services or other third party services, it's very likely that you'll need a Privacy Policy. The Terms and Conditions agreements for these services will typically require you to have a Privacy Policy if you use the service.
The Google Analytics Terms of Service agreement states that developers "must post a Privacy Policy."
If you use Google advertising services such as AdMob, Google's Behavioral Policies will apply. These policies let developers know that "your app's privacy policy may need to be updated to reflect the use of personalized advertising...served via the Google Mobile Ads SDK."
Firebase by Google is commonly used by app developers. It has an analytics feature as well as other features and services that all fall under the scope of the Google APIs Terms of Service.
A section of the Google APIs Terms of Service deals with User Privacy and API Clients. It says that developers "will provide and adhere to a privacy policy for your API Client..."
Mixpanel's Terms of Use agreement requires that developers who use this service "provide appropriate notices" to users about the collection and use of personal information by the app.
It further states that "appropriate notices may include notice in the form of a privacy policy."
If your app collects and uses personal information, then, you will very likely be required to have a Privacy Policy by all three: the laws that apply to your users, the app stores that distribute your app and any third party services your app uses.
While the specific language of every mobile app's Privacy Policy will differ depending on the app's own unique data collection practices, here's what generally needs to be included in your Privacy Policy, at minimum:
In this clause, let your users know what types of information your app collects. This can include information a user provides during account registration, profile information, communications information, etc.
It can also include more technical personal information such as log data, information collected by cookies and user device information.
If your mobile app requests special permissions like access to a camera, contacts list and geolocation data, you should include this in your Privacy Policy as information that your app may collect.
After you let users know what information you collect, let them know how you use it. It's typical to see a clause with a list of ways that an app uses information it collects.
Be thorough and accurate here. You can include links to adjustable preferences settings, your Terms and Conditions or other resources that may help a user understand why and how you're using the collected information.
It's possible to combine both of these sections (What information you collect and how you use it) into one clause about "Collection and Use."
This may work best for less complicated apps that don't collect a large amount of information.
Even if you mention cookies in the clause about what information your app collects, you can and should still address cookie use in a separate clause of its own.
This is because cookie use is at the center of a few international privacy laws, such as the EU's ePrivacy Directive (often called the Cookies Directive), and adequately disclosing your use of cookies is very important. In some cases, you may even need a separate Cookies Policy.
At minimum, disclose your cookies usage thoroughly in your Privacy Policy.
This clause is usually short and rather general. It's standard to see a business simply say that "reasonable safeguards" are taken to protect data, that encryption is used to protect financial information, and that the business can't guarantee 100% security. Whatever you say here must match what the app actually does: a statement that financial data is encrypted, or that data is protected in a particular way, is a representation that regulators can hold you to, so describe the safeguards you have in place rather than the ones you intend to add.
If a user is responsible for any security measures, such as keeping their username and password confidential, you can mention that here as a reminder for the user to be proactive with account and app security.
This clause can include general information and doesn't need to list the name of every third party that may access the information. It's enough to say that you may share information with third party analytics or advertising services, or with affiliates of the business.
Being general is a good choice because you won't need to update your Privacy Policy every time you switch advertising services or bring in a new third party analytics service. The categories you list still have to be accurate, though: adding a new kind of recipient, such as an ad network when you previously shared data only with an analytics provider, is a change in your practices and the policy needs to reflect it.
Many privacy laws require that users are given access to the information you collect about them and are able to update it or request that you update it for them.
You can either provide a contact address where users can email you with requests, or provide some sort of user interface where users can log in and make changes themselves.
From time to time, you'll probably need to update your Privacy Policy. While not every single update will be material and something that would matter to your users, some of these changes will be.
Let users know that you may change your policy, and how you will let them know when you do make material changes.
Spotify lets users know that when material changes are made, users will be provided with a prominent notice or with a notice by email. In some cases, Spotify will give advance notice of a change.
This is the date of the most recent update and can usually be found at the very top of a Privacy Policy.
While your mobile app may benefit from additional terms, or need them, this list is a great place to start. It covers the most common legally required clauses that your mobile app Privacy Policy will need.