The 5 Most Important Terms in Your App Privacy Policy

An app privacy policy doesn't need to be complicated, but you need to know how to protect your company.


– This is a guest post by Aaron George, fellow app developer and founder of LawKick –

You’ve probably heard all the buzz about privacy issues online these days. The rise of the Internet, and especially of mobile devices, has connected people like never before and allowed people to interact in new ways and broadcast their lives to millions of people around the world. That’s why privacy has become such a big concern lately.

As an indie app developer, you may not be aware of how these privacy issues affect your apps, but you should be. In fact, you might actually be required by law to have a privacy policy. And even if not technically required, you still might be exposing yourself to fines and penalties if you don’t.

At this point you’re probably wondering, what exactly does a privacy policy for an app look like? This post lays out the 5 most important terms in a privacy policy for an app.

1. What Information is Collected

The purpose of a privacy policy is really about creating transparency between the provider of an app or internet-based service and its users. The law wants to prevent shady practices by companies that collect information from users for illegitimate purposes.

A privacy policy is basically the company’s statement about what rights they have, and what rights the user has regarding information collection and privacy. So the first thing you must share in your privacy policy is what information you collect from users when they are using your app. This can be broken down into two main categories: personally identifiable information (PII) and non-PII.

Examples of PII:

  • Name
  • Birthday
  • Sex
  • Email
  • Phone
  • Location/Address
  • Billing Info
  • UDID (unique device identifier)

Examples of non-PII:

  • IP Address
  • Operating System
  • Referring Source
  • Mobile Carrier
  • Interactions with the App or Service (pages visited, links clicked, other actions)

Your privacy policy should disclose all relevant types of information that are collected during use of your app.

2. How the Information is Used

The next key term in an app privacy policy is how the information is used. For each item of information that your app collects, you should explicitly state what you or your company does with that information.

If you don’t have any server-side databases, you don’t have sign-up forms or use Facebook Connect, and your users can just pick up the app and start using it, you may not be collecting any information at all. This is often the case for simple games, e.g. Flappy Bird.

However, most developers like to use analytics to analyze how users interact with an app. This is what helps you iterate and make improvements over time. If you use any analytics service like MixPanel, Flurry, etc., you are collecting usage info from your users, and this is something you should disclose in your privacy policy.

Oftentimes, the information collection and information use terms are combined into one long provision in the privacy policy. Twitter’s privacy policy is a good example: it lists each type of information collected, and below each one explains how that information is used.

3. Information Disclosure and Sharing Policies

The real concern about sharing and disclosure of information deals with PII. People generally are uncomfortable with any company that is reselling their personal information for a profit, or otherwise sharing it without their knowledge or permission.

For the average indie app developer, PII disclosure and sharing may not be much of an issue. Chances are you are not collecting and selling or disclosing personal information from your users. If you are, you absolutely must state this in your privacy policy.

Your app may still share or disclose information with third-party services, such as analytics providers or other outside service providers you work with. This is rarely PII, but it still needs to be disclosed.

4. The App Privacy Policy Relating to Children Under Age 13

Be particularly careful about this one, because there are serious legal issues and penalties if you are collecting PII from children under the age of 13, even if it happens unknowingly. Non-PII is OK to collect.

You may notice that internet services like Facebook, Twitter, Gmail, LinkedIn, etc. don’t even let you sign up unless you’re 13 or older, and this is why. The law is very concerned about predators preying on children via any interactive websites or apps.

Do not collect PII if you develop kids’ apps! The only way to legally do so is to comply with the COPPA requirements, which are extremely difficult to meet (that’s why even Facebook, Twitter, Instagram, etc. are unwilling to allow users under 13).

If your app would be likely to attract children for any reason at all, and you collect PII from users, you need to take steps to prevent children from using the app. The best way to do so is to use Facebook or a similar authentication service, because they already require users to be 13 or older for you.

If you are developing games, this issue can be especially problematic because games inherently attract children. If you collect PII, make sure your privacy policy clearly states that your app is not intended for users under age 13, and when users sign up you should ask them to input their birthday and deny access to any children that try to sign up.

Trust me. You do not want to face a $50,000 penalty like these guys did.

5. How Users Can Update Their Info or Ask Questions, and How the App Privacy Policy is Updated

Lastly, because privacy policies are all about transparency, it’s important to inform your users about how and when the privacy policy is updated and how they can ask questions or update their information.

Users should have the ability to edit or remove their PII from any web service or app. You should let them know exactly how they may do so in your privacy policy.

Also, provide an email address for them to contact you in the case of questions or concerns. And finally, you should let them know that the privacy policy may change from time to time and if it does, how you will inform them about the changes.

Summary

Yes, these privacy issues are kind of a headache to deal with. But it’s really important to be aware of them, especially if your app company is growing and you’re gaining more and more users. When you grow, the natural tendency becomes to collect more data and use it to your advantage, and that’s where privacy concerns might arise.

You don’t necessarily need a lawyer to draft your privacy policy, but it’s often a good idea. You can draft one yourself with enough research. Just be cautious and look at a number of privacy policies from related companies to get ideas about what issues you might be facing.

If you have questions or concerns about potential privacy issues within your app, it’s best to consult a lawyer who works in the internet privacy field as soon as possible. You do not want to pay the price down the road for a privacy violation that could’ve been dealt with early on.

Aaron George is an entrepreneur with a background in app development and law. He’s also an active blogger and the co-founder of LawKick. LawKick is a platform enabling people to connect with lawyers online and get price quotes for free. Make sure to check out Aaron’s previous post, Top 5 Legal Issues Facing App Developers. Connect with Aaron here: http://about.me/aarongeorge