Android Permissions That Need a Privacy Policy

Most Android apps need a Privacy Policy. The very limited exception is when your app does not handle any personal or sensitive data, and this is rare. It’s typically best to assume that your app needs a Privacy Policy to comply with Google rules and global privacy laws.

As a developer, it’s crucial that you know when you need a Privacy Policy and how to write a Privacy Policy for your apps. To help, this article breaks down how a Privacy Policy works and how developers may create a Google-compliant Privacy Policy for Android apps.

What is a Privacy Policy?

A Privacy Policy is a type of legal document. It’s a statement, or disclosure, of your privacy practices. It explains, at a minimum, the following information:

  • What type of personal information you collect
  • Why you collect this data
  • How you use or process the data
  • What rights users have to control your use of their personal data

In other words, it sets out the various ways that you collect, manage, and store any data which may be used to personally identify an individual.

Privacy Policies promote transparency. They help users understand what happens to any data they share with a company across various channels, including apps and mobile devices.

WarnerMedia’s Privacy Policy summarizes this point well:

[Image: WarnerMedia Privacy Policy: Introduction section]

Let’s now consider when you might require a Privacy Policy as an Android app developer.

When is a Privacy Policy Required for an App?

Typically, you need a Privacy Policy if:

  • Your app processes any amount of personal or sensitive data, or
  • Your app is likely to be used by children (this is a Google requirement)

What is considered “personal” or “sensitive” data varies depending on which privacy laws apply. We will cover this in more detail below, but generally, we can define these categories of data as follows:

  • Personal data: Any information which could be used to identify a living individual. Examples include email addresses, login details, location data, and IP addresses
  • Sensitive data: A special category of personal data which is inherently more sensitive e.g. biometric data, criminal convictions, and religious affiliations

If in doubt, treat data as personal information and ensure that you have a Privacy Policy. It’s best to err on the side of caution.

When Does Google Play Store Require a Privacy Policy?

Google specifies when developers must provide users with a Privacy Policy. You must have a Privacy Policy if your app requires personal data such as names, addresses, and login information.

You also need a Privacy Policy to use runtime permissions.

If your app requires such permissions to work, then you need to disclose:

  • What permissions you require
  • Why you require these permissions
  • What data you will collect
  • How the data is processed

Finally, you need a Privacy Policy if you use permissions which are not immediately obvious based on your app’s functionality.

For example, if you require access to a user’s calendar, but this isn’t obvious from the app store listing, then you need to:

  • Request permission to access this component
  • Prominently display your Privacy Policy

Here is what Google Play Store says about such prominent disclosure requirements:

[Image: Google Play User Data Policy: Prominent Disclosure and Consent Requirement section]

What are Android App Permissions?

“Permissions” are requests to access certain parts of a user’s device. For example, an app might request access to:

  • Camera
  • Photos
  • Microphone
  • Videos

Here’s an example:

[Image: Android Video Player permissions screen]

Apps might also request access to data or even other apps, including:

  • Calendar
  • Contacts
  • Identifiers
  • Location data
  • Messages
  • Sensors

Here’s an example of how an app can request location data:

[Image: WeatherBug Android app permissions screen]

You can view the full list of Android permissions on the developer platform.

For our purposes, what matters is that to protect users’ privacy, you may need express and informed permission to access these device components.

What App Permissions Require a Privacy Policy?

Google groups permissions into two broad categories: normal and runtime permissions.

  • Normal Permissions: Normal permissions give your app access to data which has little to no impact on a user’s privacy.
  • Runtime Permissions: Runtime permissions, or “dangerous” permissions, are more sensitive. They allow your app to perform more sensitive actions that could impact a user’s privacy.

Device components which could fall under the “dangerous” category include the device microphone and camera.

In simple terms, you may not need specific consent to use “normal” permissions in your app. However, since runtime permissions may rely on access to personal data, you do need permission to use them.

This means that if you use runtime permissions, you will need a Privacy Policy for your Android app. And when you upload your app for review, you may need to explain why your app needs these permissions to run effectively.

This is part of Google’s commitment to protecting user privacy through limiting data processing.
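
As an added example (not from the original article or from Google), the Python script below audits an AndroidManifest.xml and lists the declared runtime permissions that the Privacy Policy should cover. The permission table is an assumed, non-exhaustive subset of Android's runtime permissions, the manifest is a constructed sample, and `audit_manifest` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumption: a non-exhaustive subset of the permissions Android documents as
# runtime ("dangerous"), mapped to the components the article lists.
RUNTIME_PERMISSIONS = {
    "android.permission.CAMERA": "Camera",
    "android.permission.RECORD_AUDIO": "Microphone",
    "android.permission.READ_CALENDAR": "Calendar",
    "android.permission.READ_CONTACTS": "Contacts",
    "android.permission.ACCESS_FINE_LOCATION": "Location data",
    "android.permission.ACCESS_COARSE_LOCATION": "Location data",
    "android.permission.READ_SMS": "Messages",
    "android.permission.BODY_SENSORS": "Sensors",
}

# Constructed sample manifest for a hypothetical weather app.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.weather">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
    <uses-permission android:name="android.permission.READ_CALENDAR" />
    <uses-permission-sdk-23 android:name="android.permission.CAMERA" />
    <application android:label="Weather" />
</manifest>
"""

def audit_manifest(manifest_xml):
    """Split declared permissions into runtime ones to disclose and the rest."""
    root = ET.fromstring(manifest_xml)
    to_disclose, unclassified = {}, []
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for element in root.iter(tag):
            name = element.get(ANDROID_NS + "name")
            if name is None:
                continue  # malformed entry without android:name
            if name in RUNTIME_PERMISSIONS:
                to_disclose[name] = RUNTIME_PERMISSIONS[name]
            else:
                unclassified.append(name)  # not in the table; check the docs
    return to_disclose, sorted(unclassified)

if __name__ == "__main__":
    disclose, other = audit_manifest(SAMPLE_MANIFEST)
    for permission, component in sorted(disclose.items()):
        print(f"disclose in Privacy Policy: {permission} ({component})")
    print("not in table, review manually:", other)
```

Permissions that fall outside the table are returned separately so they can be checked against the full permission list on the developer platform rather than assumed to be “normal”.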

How Do You Obtain Permissions for Android Apps?

If you want to rely on certain Android app permissions, then you need to follow certain steps as outlined by Google.

First, you need to draft a legally-compliant Privacy Policy. You must publish it online so that you can include a hyperlink with your app submission.

Secondly, you must complete the Google permission request process. This involves declaring what permissions you require and why.

  • If your app relies on dangerous permissions, you’ll need to complete a Permissions Declaration Form. This is displayed automatically if your app falls into this category.
  • It could take a few weeks for Google to approve your app based on completion of this form. To expedite the process, provide as much information as possible and limit the permissions your app relies on.

Further information regarding what to expect is set out in Google’s support center.

To summarize:

  • You may not need a Privacy Policy to rely on “normal” permissions. However, since most apps will process at least some personal data, you most likely do need a Privacy Policy.
  • You will need a Privacy Policy to use dangerous or sensitive runtime permissions.
  • If your app relies on permissions which are not obvious or apparent, you will also need a Privacy Policy.

In short, most Android app permissions will require the use of a Privacy Policy.

How to Display Your Android Privacy Policy

Users must understand what they’re consenting to before consent may be considered valid. It must, therefore, be easy for users to find, read, and agree to your Privacy Policy.

You should display your Privacy Policy in two locations, at minimum:

  • Within your Google Play Store app listing
  • Within the app itself

Adding Your Privacy Policy to the Google Play Store Listing

Google makes it simple for you to upload and display Privacy Policies. When you send your app for review, simply provide the URL for your Privacy Policy.

  1. From the Play Console, go to the App content page
  2. Select Start from under ‘Privacy policy’
  3. Enter the Privacy Policy URL and save your changes

It will then be displayed appropriately within the store listing after approval.

Here’s an example from Dice Dreams.

Under the “Data Safety” section, there’s a list of the types of data processed by the app. When you click “See details” you can scroll down and click a link to view the developer’s Privacy Policy:

[Image: Google Play Store listing with Security practices section with Privacy Policy link highlighted]

Displaying Your Privacy Policy Within the App

There should be an option to review the Privacy Policy within your app. This could be within an app menu, like so:

[Image: Generic app menu with Privacy Notice link highlighted]

What’s important is that the link works, it’s easy to find, and it’s intuitive, i.e. it’s obvious where the link leads.

Do Laws Require a Privacy Policy?

One of the key reasons why every Android app should have a Privacy Policy is that global privacy laws generally require developers to have a privacy disclosure of some sort.

This is because if you process personal data, then you need to be transparent about what data you process and why.

The easiest way to do this is through a written statement such as a Privacy Policy.

Although there are various privacy rules around the world, the four most significant laws are as follows.

European Union: General Data Protection Regulation (GDPR)

Under the GDPR, you must disclose your data privacy practices if you process personal data. In practical terms, this means having a Privacy Policy and displaying it somewhere obvious within your Android app.

The GDPR applies even if you’re a developer based outside of the EU. If you have users within the EU, the regulation applies.

Given the global trend towards data transparency, every Android app should have a Privacy Policy included as standard.

USA/California: California Online Privacy Protection Act (CalOPPA)

Under this extensive privacy law, if your app or website could “conceivably” process personal information, then you need a Privacy Policy. You must also display the Privacy Policy somewhere conspicuous so that it’s easy for users to find.

Most Android apps used by Californians will fall into this category.

Australia: Australian Privacy Principles (APP)

Australia’s main privacy law is the Australian Privacy Act 1988. This Act contains 13 Privacy Principles which companies must comply with if the Act applies to them.

  • The Act applies if you buy or sell personal information, or you have an annual turnover of $3 million or more, and you carry on business in Australia. This includes if Australians use or download your Android app.
  • If the Act applies to you, then the Principles state that you must manage personal data in a transparent, open way. In other words, you must have a Privacy Policy.

Canada: Personal Information Protection and Electronic Data Act (PIPEDA)

According to PIPEDA, you typically need a user’s informed, meaningful consent when you’re processing personally identifiable information.

Consent is only “meaningful” if users understand what data you’re collecting and how you will use it. In other words, unless they know what they’re consenting to, then it’s not meaningful consent.

Part of obtaining informed and meaningful consent is to have and display a Privacy Policy disclosing your data practices (aka informing users). As with CalOPPA, most Android apps used by Canadians will fall under PIPEDA’s jurisdiction.

What May Happen if You Don’t Use Android Permissions and a Privacy Policy?

Failing to cover your Android permissions with a Privacy Policy may have serious consequences.

  • If you don’t have a Privacy Policy when you need one, then you’re violating the Google Service Agreements you agreed to before using the platform. Google can remove your app and, in serious cases, prevent you from uploading apps in the future.
  • Users need to know they can trust you with their personal data. Failing to publish a Privacy Policy can damage this trust and your reputation. Users may be less likely to download your apps.
  • You could face additional sanctions, such as fines, if you violate relevant global privacy laws. These fines can be costly, especially to new and emerging developers.

Ensure that you understand which permissions trigger the need for a Privacy Policy and publish one accordingly.

Summary

Android app developers must be transparent about how they use, process, and collect personal data. This means that every Android app on the Google Play store should have a Privacy Policy or disclosure.

Remember, global privacy laws will compel most app developers to have a Privacy Policy for their Android apps.

And, unless a very limited exception applies, Google requires every app within the Google Play store to have a Privacy Policy.

With these points in mind, here are some best practices for seeking permissions and displaying your Privacy Policy:

  • Limit how many permissions you use. Where possible, find ways to restrict how much personal information you collect.
  • If an app feature requires a permission, be transparent about the purposes and how the data collected will be processed.
  • Don’t request permissions when the app starts up. Request permission at the point when it’s required. This helps users better understand how data is collected and processed as they use your app.
  • Display your Privacy Policy somewhere obvious, such as within your Google Play Store listing and in-app menus.