Monday 25 March 2019

Privacy Policy

Let us go through this systematically. Feel free to skip a section you might already know enough about.

1) Do I have to include a privacy policy in my Android app?

That depends on what your app is doing. Consider that you are always on the safer side including a link or a full page view of your privacy policy.
It is very likely that you are required by law to include a privacy policy into your Android app.
Easy check: Am I collecting/storing/sharing personal information like email, names or sensitive data such as payments information or am I using a third party service that accesses that information?
You are likely using a third party service in your app that requires you to add a privacy policy. In addition to any legal requirements, third parties often require a privacy policy as an additional prerequisite to use a specific service. Check in your service provider’s terms. A very popular third party service that requires you to post a privacy policy in their TOS is Google Analytics (they also have a mobile solution).

2) Am I required by the Google Play Store to post a privacy policy?

You may get away with not posting a privacy policy, but don’t be deceived, this doesn’t mean it’s not required in your situation. If you use dangerous permissions like the camera, contacts, audio, accounts and phone state you will get mail by Google. Count on it. 
Since February 2017 Google enforces a strict privacy policy requirement on apps requesting sensitive permissions and user data. There are quite a few places in the Google Play Store documentation that points out that requirement.
If you want to read up the statements by Google in their documentation and terms, you can find them below following the links or by reading the excerpts shown.
From the Developer Console Help: 
Adding a privacy policy to your app’s store listing helps provide transparency about how you treat sensitive user and device data.
The privacy policy must, together with any in-app disclosures, comprehensively disclose how your app collects, uses and shares user data, including the types of parties with whom it’s shared. Google is unable to provide you with legal advice and you should consult your own legal representative.
  • For apps that request access to sensitive permissions or data (as defined in the user data policies): You must link to a privacy policy on your app’s store listing page and within your app. Make sure your privacy policy is available on an active URL, applies to your app, and specifically covers user privacy.
  • For apps in the Designed for Families program: You must link to a privacy policy on your app’s store listing page and within your app, regardless of your app’s access to sensitive permissions or data. Make sure your privacy policy is available on an active URL, applies to your app, and specifically covers user privacy.
  • For other apps: You’re not required to post a privacy policy.
In other words, it is very unlikely that you are not covered by any of the requirements set out either by the Platform (Play Store), third party service providers or any of the privacy regulations. How do you add and edit that privacy policy on the Play Store?

3) How do I add/edit my privacy policy on the Play store? (source)

  1. Log into your Google Play Developer Console
  2. Next, select All Applications and select the application whose privacy policy you’d like to edit.
  3. After that, select Store Listing.
  4. Then, scroll to the section marked Privacy Policy and enter the URL where you have the privacy policy hosted online – generate your privacy policy here.
  5. Lastly, be sure to click Save or update.

4) What if I don’t want to add a privacy policy at this time?

If you do not want to add a privacy policy at the moment very first moment you create the app, you can check the box next to Not submitting a privacy policy URL at this time (see screenshot above) on the Store Listings screen of your application in the Google Play Developer Console. Follow the instructions above to view that screen.

5) What if I’m using sensitive/dangerous Android permissions?

Google has started to enforce proper privacy policy disclosures for sensitive permissions in apps (or also if your app makes use of any user data at all, for instance using Admob). A good example of a data type are location permissions that allow accessing the device location such as follows:
Design pattern supplied by the Permissions Pattern Library
You might be using other dangerous/sensitive permissions like access to the camera, contacts, audio, accounts and phone state. In this case you are required to have your privacy policy in place properly and also incorporate text disclosing your use of these permissions.
If any of the following permissions look familiar to you, check out the guide for incorporating these permissions into your privacy policy:
  • READ_CALENDAR
  • WRITE_CALENDAR
  • CAMERA
  • READ_CONTACTS
  • WRITE_CONTACTS
  • GET_ACCOUNTS
  • ACCESS_FINE_LOCATION
  • ACCESS_COARSE_LOCATION
  • RECORD_AUDIO
  • READ_PHONE_STATE
  • CALL_PHONE
  • READ_CALL_LOG
  • WRITE_CALL_LOG
  • ADD_VOICEMAIL
  • USE_SIP
  • PROCESS_OUTGOING_CALLS
  • BODY_SENSORS
  • SEND_SMS
  • RECEIVE_SMS
  • READ_SMS
  • RECEIVE_WAP_PUSH
  • RECEIVE_MMS
  • READ_EXTERNAL_STORAGE
  • WRITE_EXTERNAL_STORAGE
Of course, do not forget that these sensitive permissions aren’t the only trigger for a privacy policy requirement.

6) About Prominent Disclosure requirements

This part in Google’s User Data policy is key: “If your app collects and transmits personal or sensitive user data unrelated to functionality described prominently in the app’s listing on Google Play or in the app interface, then prior to the collection and transmission, it must prominently highlight how the user data will be used and have the user provide affirmative consent for such use.
If you collect and transmit personal or sensitive user data unrelated to functionality described prominently in the app’s listing on Google Play or in the app interface with your app, then you need add prominent disclosures. You can read more about prominent disclosures it here.

7) An example privacy policy for Android Apps?

A lot of people ask for sample privacy policies for apps. Let’s start with the legal minimum requirements. A good starting point is the California Online Privacy Protection act (CalOPPA), and even better Europe’s minimum requirements since they are more refined:

CalOPPA minimum requirements:

Provide info about the personally identifiable information (PII) like:
  • a description of the types of PII collected and disclosed by the operator;
  • a description of the process by which a consumer can access and request changes to his or her PII, if available;
  • a description of the process by which the operator will notify consumers of material changes to the privacy policy; and
  • an effective date

EU Privacy Directives minimum requirements:

Provide a readable, understandable and easily accessible privacy policy, which at a minimum informs users about:
  • who you are (identity and contact details),
  • what precise categories of personal data the app wants to collect and process,
  • why the data processing is necessary (for what precise purposes),
  • whether data will be disclosed to third parties (not just a generic but a specific
    description to whom the data will be disclosed),
  • what rights users have, in terms of withdrawal of consent and deletion of data

8) How to actually write a privacy policy for your Android Google Play app

Since iubenda and mobile apps are international practically by definition, let us take some hints from two relevant diverse entities far apart from each other:
Privacy on the Go” by the Attorney General of California and the “Orientierungshilfe zu den Datenschutzanforderungen an App-Entwickler und App-Anbieter” the document produced by the German data protection agencies (which we’ll summarize in English).

From Privacy on the Go:

  • “Make the privacy policy clear and understandable by using plain language and a format that is readable on a mobile device”
  • “One format is a layered notice that highlights the most relevant privacy issues.”
  • “Another format is a grid or “nutrition label for privacy” that displays your privacy practices by data type.”
  • “Graphics or icons can help users to easily recognize privacy practices and settings.”
  • “Privacy icons will be most effective if they are widely used and consumer comprehension is supported by an awareness campaign.”
The most important takeaway is, that it is ok, even encouraged, to be creative. Don’t forget to back the creativity up with the actual readable full version of your policy.

From Orientierungshilfe zu den Datenschutzanforderungen an App-Entwickler und App-Anbieter:

“Wegen der beschränkten Display-Größe mobiler Endgeräte sind die Datenschutzhinweise vom App Anbieter derart zu gestalten, dass der Nutzer jederzeit ohne großen Aufwand die gewünschten Informationen erhalten kann. Als besonders benutzerfreundlich hat sich dabei die Einteilung in Kapitel, welche einzeln geöffnet werden können, herausgestellt. Darüber hinaus kann es auch genügen, die wesentlichen Inhalte der Datenschutzerklärung wiederzugeben und für darüber hinausgehende Informationen gut sichtbar auf weitere Erläuterungen sowie die vollständige Datenschutzerklärung zu verlinken. Was die wesentlichen Inhalte der Datenschutzerklärung sind, bestimmt sich anhand des Funktionsumfangs der App.”
In the section Lesbarkeit (readability), the data protection authorities outline that, because of the small screen real-estate, it is particularly useful to create small “categories that can be opened one by one”.
The most important takeaway here is, that a layered approach is state of the art and explicitly welcomed by the data protection authorities for mobile apps.
We think these are very solid guidelines to be creative within. Let us show you what we did with it at iubenda for mobile apps:

9) iubenda’s Approach of Generating an Android Privacy Policy

This post gives you all the information for getting started to write your privacy policy. Here’s where iubenda’s privacy policy generator will come in very handy:
In Short

Since we’ve launched our mobile apps privacy policy generator we’ve started to publish guides on how to submit your app to the app stores with a privacy policy. You are reading the guide on the Android Play Store by Google. 
All our (other) guides can be found here:
Other related interesting reading: 

4 comments:

  1. I cannot see the microSD Card in File Manager | File Explore. Do you have any suggestions on how to get the software to see the drive? I am attempting to use: File Manager, Inshot Inc.version 1.0.3.3 installed from google.play.com to move files and it gives me this message: Please choose the root directory of external SD card
    (67cb55e0-1e9c-414a-b2e7-7dd338261bb4) to grant permission to operate.


    Do you have any idea on how to use File Manager| File Explorer to see the microSD and transfer files to it via the move and paste buttons? Please contact me at ejeremy879@gmail.com. Thanks and have a great day!

    ReplyDelete
  2. sabasohailqueen5336lahore@gmail.com

    ReplyDelete
  3. This comment has been removed by the author.

    ReplyDelete
  4. This comment has been removed by the author.

    ReplyDelete