Most countries have privacy laws that require you, as a website owner or app developer, to include a privacy policy – a statement of your data collection practices, disclosed to your visitors or users. It’s important to understand that this is a global phenomenon, and that a few broadly similar criteria tend to trigger such a requirement.
Usually the trigger is the collection or sharing of personal information such as names, emails, images or any other means of identifying a returning user (the way ad networks serve targeted advertising, for example). “Commercial” is another often-used trigger for privacy policies, and it is generally defined broadly so that it covers a wide range of cases.
An operator of a commercial Web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial Web site or online service shall conspicuously post its privacy policy on its Web site.
The term “Operator of a commercial Web site or online service” usually includes a very wide spectrum of people, as well as app developers (as communicated by the Attorney General of California).
Under CalOPPA, the collection of Personally Identifiable Information is very broadly defined to cover “individually identifiable information about an individual consumer” and includes a consumer’s first and last name, home or other physical address, email address, telephone number, and Social Security number.
In addition, PII includes any other identifying information that permits the physical or online contacting of a specific California consumer, as well as other user-related information maintained in personally identifiable form.
CalOPPA is potentially very far-reaching and is not limited to California’s borders. Even if your Web site or online service isn’t run from California, it may still collect personal information from customers who are California residents, and hence it is very likely that CalOPPA’s requirements extend to you as well.
If your service is also made for children, you must comply with the Children’s Online Privacy Protection Act (COPPA). It requires that operators of websites or online services that are either directed to children under 13, or that have actual knowledge that they are collecting personal information from children under 13, give notice to parents and obtain their verifiable consent before collecting, using, or disclosing such personal information, and keep secure the information they collect from children.
Europe has a very well developed privacy law sector. The relevant legal framework in the European Union is the General Data Protection Regulation (GDPR) and the ePrivacy directive (2002/58/EC, as revised by 2009/136/EC) also known as Cookie Law.
Generally speaking, under these laws users who fall within their scope must be informed about the processing or collection of personal data that occurs via websites, online services and apps. Personal data in the European sense has been defined very broadly:
Personal data shall mean any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;
Complying with these laws generally requires that your data processing rest on a legitimate and lawful basis, be transparent, be honestly disclosed to your users, and that you obtain consent where required. The best way to meet your disclosure requirements is a readable, understandable and easily accessible privacy policy, which at a minimum informs users about: who you are (identity and contact details), what data you process, why the data processing is necessary (for what precise purposes), whether data will be disclosed to third parties (not just a generic statement but a description specific to whom the data will be disclosed), and what the users’ rights are.
What you can learn from these two examples is that the legal landscape and the legislation involved can be confusing. Our approach to help you stay compliant no matter where you are is very simple:
Since most third-party services you end up using in your app, like mobile analytics or ad networks, also need to follow the law, many require in their terms of service that you have a privacy policy. A good example of this is Google AdSense.
In the app store economy you are offering “apps” through platforms that may additionally require you to add a privacy policy to the actual sales page or during the app submission process, in which case non-compliance will result in your app being denied a listing.
The Attorney General of California and the six big application platform owners (Amazon, Apple, Google, Hewlett-Packard, Microsoft and Research In Motion) signed an agreement in 2012 to make apps compliant with California’s privacy laws resulting in the continued need for developers to become privacy policy compliant.
Amazon has already followed suit and made your app’s privacy policy a requirement in their app store.
Copy and paste is one way used by many to avoid paying thousands of $/€ (and more…) to get legal counsel.
You can find a lot of templates that help you get started. However, most of what you can find online describes another case entirely, and not your own, which is the only reason you are required to create a privacy policy in the first place. You must disclose exactly why you are processing data and for what purpose. Failure to do so may get you into the same sort of trouble you were trying to avoid.
Additionally, from time to time laws are amended and updated. It’s therefore also important to ensure that your policies meet the latest requirements.
For these reasons, we use embedding and NOT copy & paste. With this method, you can rest assured that your policy is specific to your particular situation, up to date and being maintained remotely by our legal team.