Data privacy and apps is a topic that often leads to uncertainty for developers and publishers entering the German and EU markets. We would like to take this opportunity to give an overview of how you can prevent Google from sanctioning your titles and, more generally, of what app developers and publishers have to consider regarding privacy policies in Germany and the EU.
German law requires providers to inform users, at the start of use and in a generally comprehensible manner, about the nature, scope and purposes of the collection and use of personal data, as well as about any processing of data outside the EU/EEA. This requirement also applies to foreign providers located outside the EU/EEA.
A notable exemption from this requirement is the category of “offline-only apps”, as they do not collect or use personal data. Specific legal requirements apply to telecommunication services such as messengers, as well as to apps that only transmit broadcasting services. For apps that do not process any personal data, we recommend including a corresponding note in the app description.
The information must be provided to the users before the first data collection. Furthermore, the policy must be accessible at all times from within your app. In your policy, you should address the following topics:
- Name, address and contact information of the responsible body
- Description of the data gathered by the app, including location data (and the level of granularity)
- Description of the device’s functions or sensors accessed by your app
- Explanation of the purpose of the gathering of the respective data
- Designation of third parties that data is transferred to
- Purpose of the data transfer to third parties
- Description of how the user can control the collection, processing and use of their data
- If applicable: a short explanation of what consequences refusing consent may have for the use of the app or of specific functions
- Information on processing of data outside of the European Economic Area (“EEA”) and, if applicable, the compliance measures in place (e.g. EU-US Privacy Shield, EU model clauses, etc.)
Tracking and Social Plugins
App store requirements – what to do?
If your app collects and transmits personal or sensitive user data unrelated to functionality described prominently in the app’s listing on Google Play or in the app interface, then prior to the collection and transmission, it must prominently highlight how the user data will be used and have the user provide affirmative consent for such use.
Additional requirements are imposed on apps that
- handle financial or payment information or government identification numbers,
- handle non-public phone book or contact information, or
- contain anti-virus or security functionality, such as anti-malware or other security-related features.
For Apple, the respective guidelines can be found in the Developer Program License Agreement as well as the App Store Review Guidelines. These also include the requirement that apps should only require a log-in if they include significant account-based features.
Guidelines for Mobile Apps
In 2014, a working group comprising all German Data Protection Authorities (“DPAs”) published guidelines for developers of mobile games and apps. The 33-page document defines legal requirements for apps and also addresses the underlying technical framework. Disregarding the guidelines can carry fines of up to EUR 300,000 and lead to considerable brand damage. These requirements will become even stricter with the new GDPR.
We have provided an overview on the requirements in this special: “Game Developers Watch Out! German Data Protection Authorities Publish Guidelines for Mobile Apps”.