Privacy Policies for Apps: This is how it’s done!

February 15, 2017
Google is currently taking action against apps violating the Play Store’s User Data Policy. As The Next Web reports, in most cases apps are missing the required privacy policy. Developers are prompted to resolve the issues by March 15, 2017. Otherwise, the company has announced it will limit the visibility of concerned apps in the store or even remove violating apps completely.

Data privacy in apps is a topic that often causes uncertainty for developers and publishers entering the German and EU markets. We’d like to take this opportunity to give an overview of how you can prevent Google from sanctioning your titles and, more generally, of what app developers and publishers have to consider regarding privacy policies in Germany and the EU.

What is a Privacy Policy under EU law, and when do you need one?

Apps regularly access personal data, including the device’s advertising ID, location data, contact information, calendar events, financial details or photos. Under European law, providers are required to inform users openly and transparently about the collection, processing and utilization of such data. A privacy policy (or, as we Germans call it, Datenschutzerklärung) is not only almost always legally required, but also highly recommended, as it helps build a basis of trust. However, a privacy policy cannot replace user consent – which is required for the processing of most personal data – as it has a purely informative role in European law.

German law requires providers to inform users, at the beginning of the usage procedure and in a generally comprehensible manner, about the nature, scope and purposes of the gathering and use of personal data as well as about the processing of data outside of the EU/EEA. This requirement also applies to foreign providers that are located outside of the EU/EEA.

A notable exemption from this requirement is “offline-only apps”, as they do not gather or use personal data. Specific legal requirements apply to telecommunication services such as messengers as well as apps that only transmit broadcasting services. For apps that do not process any personal data, we recommend including a corresponding note in the description.

What do you need to include in your privacy policy?

Privacy policies should explain to users in detail why your app is collecting the respective data and how you are dealing with it. It is especially important to explain why your app requires specific permissions, e.g. why you are accessing the user’s address book or need details on their location. Therefore, it is generally not sufficient to link to an existing privacy policy you might already have for your website.

The information must be provided to the users before the first data collection. Furthermore, the policy must be accessible at all times from within your app. In your policy, you should address the following topics:

  • Name, address and contact information of the responsible body
  • Description of the data gathered by the app, including location data (and the level of granularity)
  • Description of the device’s functions or sensors accessed by your app
  • Explanation of the purpose of the gathering of the respective data
  • Designation of third parties that data is transferred to
  • Purpose of the data transfer to third parties
  • Description of how the user can control the collection, processing and utilization of their data
  • If applicable: short explanation of what consequences refusing consent may have for the use of the app or specific functions
  • Information on processing of data outside of the European Economic Area (“EEA”) and, if applicable, the compliance measures in place (e.g. EU-US Privacy Shield, EU model clauses, etc.)

In addition to a privacy policy, a complete imprint (legal notice containing among others the full corporate name, address and contact information) is also required for apps under German law.

Tracking and Social Plugins

When using popular tracking solutions like Google Analytics to analyse user behavior, it is important to focus on an implementation that is compliant with data privacy regulations. The best-practice requirements are the same as for websites: IP addresses must be anonymized, the provider should sign a data processing contract (for compliance with German regulations, this must be in writing, i.e. ink on paper!) and your privacy policy must inform users about the tracking.

It is often overlooked that users must also be given the possibility to opt out of the tracking. We recommend implementing this feature in the settings of your app and including a link to the corresponding option in your privacy policy.

Social plugins, e.g. “like” or “tweet” buttons, are a controversial topic from a privacy point of view. Apart from the required mention in the privacy policy, we recommend using a wrapper solution like the German “Shariff” project when including such buttons.

App store requirements – what to do?

For Android apps distributed via the Play Store, Google requires the privacy policy to be posted in the designated field in the Play Developer Console and within the app itself. These requirements are essentially the same as those under German law. Apps are also required to use encryption (HTTPS) when transmitting personal data. The key focus is on transparency regarding the usage of personal data:

If your app collects and transmits personal or sensitive user data unrelated to functionality described prominently in the app’s listing on Google Play or in the app interface, then prior to the collection and transmission, it must prominently highlight how the user data will be used and have the user provide affirmative consent for such use.

Additional requirements are imposed on apps that

  • handle financial or payment information or government identification numbers,
  • handle non-public phone book or contact information, or
  • contain anti-virus or security functionality, such as anti-virus, anti-malware or security-related features.

For Apple, the respective guidelines can be found in the Developer Program License Agreement as well as the App Store Review Guidelines. These also include the requirement that apps should only require a log-in if they include significant account-based features.

Guidelines for Mobile Apps

In 2014, a working group bringing together all German Data Protection Authorities (“DPAs”) published guidelines for developers of mobile games and apps. The 33-page document defines legal requirements for apps and also addresses the underlying technical framework. Disregarding the guidelines can carry fines of up to EUR 300,000 and lead to considerable brand damage. These requirements will become even stricter with the new GDPR.

We have provided an overview of the requirements in this special: “Game Developers Watch Out! German Data Protection Authorities Publish Guidelines for Mobile Apps”.

Konstantin Ewald

Partner at Osborne Clarke
Konstantin Ewald is a Partner and Head of Digital Business at Osborne Clarke, Germany. He advises leaders in the digital media and software industry throughout Europe and the US on all matters of digital media and IT law as well as IP/technology-related transactions.