Do I Need a Privacy Policy for My Mobile App?

James Chiodo, Certified Information Privacy Professional CIPP/US

Yes, a mobile app privacy policy is required by law.

A mobile app that collects information from its users is not only required by U.S. and global privacy laws to have a privacy policy; it must also comply with the terms of service of platforms such as Google (including the Google Play Store), Apple's App Store, and Facebook.

Apple's App Store requires a privacy policy for iOS apps. Apple requires this for all apps that collect personal information from users.

Google requires mobile app developers and website owners to have a privacy policy with specific disclosures.

Facebook also requires mobile app developers to have a privacy policy in their mobile app.

The Digital Advertising Alliance has privacy policy disclosure requirements for mobile app and website operators who use online behavioral advertising.

The Federal Trade Commission (FTC) has many privacy regulations and guidelines for mobile apps.

Mobile apps have come under close examination by the Federal Trade Commission (FTC) and other regulatory agencies because some of them collect personal information without the user's knowledge. One example would be a mobile app that tracks a user's location through geolocation tracking without the user's express consent.

Collecting Users’ Information
Be clear about disclosing your information gathering and sharing practices to your users. Disclose exactly what information you collect, what you do with it, and what third parties you share it with. If you share your users’ information with other companies, inform users about the sharing practices of those companies.

Keep track of the information that you collect and store. Practice data minimization: do not retain user information that is not required. If your app doesn't need a user's contact information, do not ask to collect it. Remember, any information you don't collect is information you don't need to protect.

Children’s Privacy
Is Your Mobile App Geared Towards Children Under the Age of 13?

If so, you fall under the strict Children’s Online Privacy Protection Act (COPPA) and will have additional requirements. Even if your app is not geared towards children under 13, you still have to be careful. Irrespective of the type of mobile app you have, if you knowingly collect personal information from children under the age of 13, COPPA applies to you.

You are required to get consent from the parents before you can gather personal information from children. To comply with COPPA you are required to clearly disclose how you collect and use information from children and directly notify parents of your practices. You are also required to keep personal information collected from children secure and confidential.

Even if you don’t collect information from children directly but use third party APIs or ad networks that collect children’s personal information through your app, COPPA still applies to you.

What Constitutes Personal Information for Children?
COPPA defines personal information as a child's first name, last name, telephone number, screen name or username, address, or a persistent identifier that can recognize a user across different websites over time. This includes a device identifier, serial number, cookie, or IP address. Even when collecting sensitive information from adults, such as geolocation, financial, or medical information, it is important to get their express consent before you collect it.

Keeping Your Users’ Information Secure
The law requires you to take reasonable measures to protect your users' information against common and known security risks. However big or small your online business may be, you should limit access to customer and user information within your company. If third parties have access to your users' information, make sure that they comply with strict privacy standards. When you no longer need your users' information, make sure that you dispose of it safely. Knowing all this, you should not collect information that is not required for your online business.

Your challenge as a mobile app owner is to create a privacy policy and disclosures that comply with U.S. and global privacy laws and with the terms of service from companies such as Google, Yahoo, Facebook, and others.

A Checklist for Mobile App Developers

  • Identify personal information which your mobile app collects and uses.
  • Do not collect personal information that is not needed for your app to function.
  • If your main mobile app function is not associated with a social media network like Twitter, Facebook, etc., you must let users log in without providing their social media login information.
  • Be aware of, and disclose, the information that third-party code or analytics collect within your mobile app.
  • Disclose personal information and data you intend to share with third parties such as service providers, advertising networks, and companies who provide analytics.
  • If you share personal information and data with third parties, disclose how they will use it.
  • Have privacy controls within your app so that users can choose or change the type of personal information that you collect, consistent with your privacy policy.
  • Use a shorter privacy policy for your mobile app highlighting your most important privacy and data gathering practices.
  • Make your privacy policy easily readable on a mobile device.
  • Use icons to communicate important data collection practices.
  • Make available a longer, more comprehensive general privacy policy on your website.
  • Disclose all information that you collect when the app is not in use.
  • Make sure that your app encrypts personal information before transmitting and storing it.

Linking Your Privacy Policy to Your Mobile App

1.  Always follow the Clear and Conspicuous guidelines.
2.  Have a prominent privacy policy link on your mobile app menu.
3.  Have a privacy policy link easy to find on your mobile app store page.
4.  Make sure that users can read your privacy policy before they download your mobile app.
5.  If possible, also provide a link to your more comprehensive website privacy policy.

Just-in-Time Disclosures
Before your mobile app accesses sensitive information from users, you should provide a just-in-time disclosure to get their affirmative express consent. Such information might include a user's geolocation, photos, videos, audio recordings, and friends or contacts. This gives your users a chance to make a choice before such information is automatically collected.

Here is a sample just-in-time disclosure that Nissan uses:


The Federal Trade Commission (FTC) suggests that if you are collecting geolocation data from users, you…

  • Make it obvious if users' location is being tracked when the mobile app is not in use.
  • Give users the option of not allowing or turning off continuous geolocation tracking.
  • Provide users with a just-in-time disclosure and get express consent if you share geolocation data with third parties.
  • Make all disclosures clear and understandable, avoiding overly complicated technical and legal language, so that an average person can understand them.

Posting Your Privacy Policy and Disclosures
It is not enough to have a privacy policy and the right disclosures. The law also requires you to post your documents correctly on your website and in your mobile app.

The Clear and Conspicuous regulations apply to mobile apps
Privacy policies, disclaimers, and other disclosures are required by law to be displayed in your mobile app in a clear and conspicuous place obvious to your users. The link to these documents should be of at least the same size font as the surrounding text and links, preferably in a contrasting color or a larger font.

At a minimum, the link to your privacy policy should look like the sample below; all capital letters and/or a text color different from the other links is best.


The Clear and Conspicuous rule can be distilled down to this:
What is the likelihood that a user of your mobile app will see the link to your privacy policy without having to scroll down or search for it? Putting your privacy policy in a hard-to-find place in your mobile app or on your app store page will likely not comply with current laws and regulations.


Avoid Free Privacy Policies and Generators
Trying to draft your own privacy policy, or to use free templates or policy generators from the Internet, is a bad idea. The free privacy policies and generators on the Internet do not comply with privacy laws and regulations, and in some cases they contain language that can increase your legal liability to both users and regulatory agencies.

It takes a skilled privacy professional to draft an accurate and legally compliant privacy policy for your mobile app. There is no one-size-fits-all policy; it needs to be customized specifically for your app and kept up to date.
