Why your app needs a privacy policy

Written on 3 Aug 2017

Google has required developers to include a privacy policy in their Play Store product descriptions for quite a while, but the company has only recently started really enforcing this rule in its terms. Where product descriptions are not compliant, Google has restricted app visibility or even removed the app from the Play Store altogether.

What is a privacy policy, anyway?

Under European law, a privacy policy is not so much a contractual document entitling the operator of the game to process personal data in a certain way. It is a mandatory notice informing the user of what happens with their data – but it remains the responsibility of the game operator to separately obtain consent, to the extent it is required.

Mobile games routinely access a variety of information, such as the marketing ID of the device, location information, sometimes even address books, the device’s camera and microphone, and other data that the user may have stored. The privacy policy must inform users about all this information, including the purpose for which it is collected.

What does the policy need to contain?

The privacy policy needs to explain what data is collected for what purpose – including the question of why the app needs access to certain sensor data (such as the camera or GPS). This may appear obvious in a location-based augmented reality game, but there may be reasons other games require such information as well, e.g. to optimize PvP matching. This also means that it will normally not be sufficient to re-use a privacy policy created for a simple website or non-mobile online game.

In particular, the privacy policy should address the following points:

  • Name and contact information of the data controller
  • Data being collected, including granularity of location data (if applicable)
  • Device functionalities and sensors the app requires access to
  • Explanation of the purpose for which this information is collected
  • Third parties with whom the information is shared (if any)
  • Purpose of such sharing
  • User’s (statutory) opt-out and other rights regarding collection, processing and use of their personal information
  • Transfer and use of information outside the EU/EEA, and if applicable, the additional protections put in place (like EU model clauses or Privacy Shield)

What do the distribution platforms require on top?

Google requires Android developers to make the privacy policy accessible both in the Play Developer Console and within the app itself. This is in line with the requirements of EU and German law. Also, apps may transmit user information only via secure encrypted protocols, such as HTTPS.

Particular emphasis is placed on transparency: If the app collects and transmits user information in a manner that is not clearly described in the Play Store product description or the app’s user interface, then the app must obtain active consent from the user any time it wants to collect/transmit such information.

Additional requirements apply if the app processes any payment information or certain other types of sensitive data.

Apple has similar provisions in its Developer Program License Agreement and the App Store Review Guidelines. These rules also require transparent information about the collection and use of personal data. Obligations to register separately to use a game are frowned upon if it is possible to use the game (or other app) without such mechanisms.