Some data privacy legislation, like the General Data Protection Regulation (GDPR), requires privacy policies for mobile apps that collect data, but they may also be mandated by app hosting platforms themselves, including Apple and Google.
Read on to learn whether you need a mobile app privacy policy, what the requirements are for iOS and Android, and how to add one to your app.
A mobile app privacy policy informs people about your data collection practices and discloses how your app gathers, stores, and uses personal information.
Privacy policies for mobile apps should be accessible at all times and explicitly detail:
Clear, conspicuous, and easy-to-read privacy policies are mandated by all of the following data privacy laws from around the world:
Additionally, some app hosting platforms like Apple and Google require developers to post a privacy policy before publishing mobile apps.
Personal information is a legal category of data protected by several data privacy laws. While the technical definition changes under each rule, it typically refers to any information that can directly or indirectly identify an individual.
To know if your app collects personal information, conduct a privacy audit to identify each step within your app that requires PI, which might include the following instances:
To ensure you don’t miss anything, take into consideration:
Here’s a helpful checklist of data questions to answer as you conduct your audit to create a compliant mobile app privacy policy:
The simple answer is yes.
You need a privacy policy if your mobile app falls under the following situations:
A privacy policy for your app isn’t just a way to meet legal requirements. It’s also a good way to:
Recently, we’ve seen an increase in data breaches, so it makes sense that privacy is a growing concern among consumers. Posting a mobile app privacy policy helps ease your users’ concerns and gives them confidence in your app because they’ll know their personal information is safe.
Just take a look at these alarming data privacy statistics emphasizing the importance for companies to be honest about their data collection practices:
Transparency builds trust. Retain more customers by publishing a privacy policy for your app.
As data protection laws related to mobile applications continue to expand, the definition of PI can change, and privacy policies are a great place to explain that information to your consumers.
For example, the CPRA came into force on January 1, 2023, and introduced a new category of sensitive personal information subject to stricter privacy requirements.
Similarly, ways to determine an individual’s identity through an IP address have progressed far enough that it was added to the GDPR’s list of protected personal information.
Even if your mobile app does not collect PI, which is hard to imagine in today’s digital world, you should have a privacy policy.
Yes, you’re required to post a privacy policy when developing apps for iOS.
Regardless of whether you fall under any privacy laws, Apple mandates in its App Store Review Guidelines that all mobile app developers must include a privacy policy in an iOS application.
We’ve highlighted the relevant text in a screenshot for you below.
Yes, as of April 22, 2022, every application published on the Google Play Store must have a privacy policy that declares how it collects, protects, and handles private user data.
Below, see a screenshot of Android’s mobile app privacy policy guidelines from the Google Play Console help center.
Currently, all of the following data privacy laws from across the globe impact or require you to have a privacy policy:
Let’s discuss the requirements of each of these laws in the following sections.
If your app is available to those in the EU, you must comply with the GDPR. Compliance starts with a comprehensive mobile app privacy policy that details what, how, when, with whom, and where data is collected.
Below, see an example of how the Walt Disney Company complies with the GDPR rules by creating an easy-to-read menu that can be quickly found and understood.
The GDPR also mandates that businesses give users the capability to revoke consent, and access or delete data.
Below see how Google outlines easily accessible methods for their users to export their data or delete it entirely.
Ignoring the GDPR and not having a privacy policy for your app can get you fined up to €24 million ($23 million) or 4% of your app’s annual global revenue.
In January 2023, the California Privacy Rights Act (CPRA) amended the California Consumer Privacy Act (CCPA), and together these make a single data privacy law that regulates how businesses worldwide can handle the personal information of California residents.
Under the amended CCPA, businesses must provide app users with a privacy policy that discloses:
All companies that serve California residents must comply with the CCPA as amended if they:
The CCPA with the CPRA amendments carries fines of $2,500 per unintentional violation and up to $7,500 per intentional violation or any violation involving minors.
Consumers also have the right to pursue private legal action against you if their data is breached or their login credentials have been compromised due to your lack of security measures.
The original US law requiring privacy policies was the California Online Privacy Protection Act, or CalOPPA. It applies to any business, including those running mobile apps.
According to CalOPPA, a privacy policy for a mobile application must:
Failure to comply with CalOPPA results in fines of up to $2,500 per individual violation, meaning fines of over a quarter of a million dollars can easily be levied against a small mobile app company that reaches only 100 users per week.
In January 2023, the US state of Virginia introduced the Consumer Data Privacy Act (CDPA), requiring mobile app developers to post a clear, reasonably accessible, and meaningful privacy notice.
To comply with the CDPA, your mobile app privacy policy must specify all of the following:
Your app falls under the CDPA if you do business in Virginia and meet one of the following:
Fines for non-compliance include potential injunctions and civil penalties up to $7,500 per violation, plus attorney fees.
To help protect children’s privacy and keep them safe online, the Federal Trade Commission (FTC) enforces the Children’s Online Privacy Protection Act (COPPA), which requires websites, mobile apps, and other online services to post compliant privacy policies and obtain consent from parents before collecting PI from minors.
COPPA is why many websites and apps don’t allow users under 13 to access the content or register an account.
In addition to requiring privacy policies, COPPA imposes fines on companies that fail to follow the guidelines. In 2019, YouTube was issued a COPPA fine of $170 million for illegally harvesting children’s personal data and targeting ads at kids without consent from legal guardians.
The Privacy Rights for California Minors in the Digital World Act, also called the Eraser Button law, applies to websites and mobile applications that allow users under 18 to register and post content.
It states that these websites and mobile apps must allow users under 18 to remove their content or information whenever they want, and that these users must be clearly informed of their right to do so.
The Student Online Personal Information Protection Act or SOPIPA applies to the online collection of the personal information of K-12 students in California.
The law states that any information gathered from students cannot be used for targeted advertising and can’t be sold or disclosed without express authorization.
To help you make a privacy policy for an iOS app, we’ve created this step-by-step guide following the requirements outlined by Apple.
Let’s go over each step in more detail.
When developing a mobile app for iOS, you need to follow the guidelines outlined by Apple and any relevant data privacy laws your business falls under, so you must determine what those laws are.
The highlighted text in the screenshot below comes from Apple’s App Store Review Guidelines and clearly states that it’s your responsibility to identify what data your app collects.
To do this, perform a privacy audit following the instructions we covered previously. Once you’ve determined all types of information you collect from users, you can move on to Step 3.
As part of their App Store Review Guidelines, Apple still requires that you explain how and why your app collects and uses personal data, even if you don’t fall under any data privacy laws.
To comply, include these details within a clause in your mobile app privacy policy.
Below, see how Uber explains what information their app collects, how it collects that data, and all uses of the data in their iOS app privacy policy.
Apple states that it’s up to the app developer to confirm that any third parties your app shares data with provide the same level of privacy protection and comply with the App Store Review Guidelines, as shown in the screenshot below.
Put a clause in your mobile app privacy policy that clearly explains who you share the data with and what privacy precautions they provide over that user data.
To abide by Apple’s App Store Review Guidelines, you must also explain your data retention and deletion policies and inform consumers how they can revoke consent or request deletion of their data.
Look at the screenshot below to read the exact phrasing from Apple.
You can achieve this by creating distinct clauses in your app’s privacy policy that explain how long you securely store data, how users can request deletion of that data, and how they can update their opt-out preferences.
Below, see how Zoom handles their data retention clause in their mobile app privacy policy.
Once you’ve made your iOS mobile app privacy policy, you should post it in the following places:
Common places to put a privacy policy within a mobile app include a Legal page, within the account Settings, or on an About page. Whenever possible, you should also link to your privacy policy wherever any data collection occurs, like:
You’re required to link to your privacy policy in the App Store itself, so the policy must be hosted at a URL.
To do this, paste the link to your privacy policy in the Privacy Policy URL field in your App Store Connect dashboard. Once approved, your iOS app will be able to officially go live.
To help you post a compliant privacy policy for Android apps, we’ve outlined steps to follow when publishing an app on the Google Play Store.
When developing an app for an Android device, you must follow the guidelines outlined by the Google Play Store and any data privacy laws that apply to you.
So take the time to research and identify all relevant laws that affect how your app collects, stores, and uses personal user data.
According to Google’s Developer Policy Center, all app developers must clearly and accurately complete a Data Safety Section that details the collection, use, and sharing of personal data.
As shown in the screenshot below, it’s your responsibility to maintain the accuracy of that information and keep it up-to-date.
Google clearly states that app developers are responsible for disclosing the access, collection, use, handling, and sharing of personal user data, as shown in the screenshot below.
Later on, the same guidelines state that all apps must post a privacy policy link that comprehensively explains the relevant details, as shown below.
So even if you don’t fall under any privacy laws or your app doesn’t collect PI, you still need a privacy policy stating as much for your app to pass Google’s security and privacy requirements.
Like Apple, Google also states that it’s up to the app developer to verify that any third parties that gain access to user data comply with the policies outlined in their Developer Policy Center, shown in the screenshot below.
Put this information in a clause in your privacy policy and explain what process you use to ensure the services your app relies on also protect and respect your users’ data.
Here’s an example of this type of clause from TikTok, which hosts an app on the Google Play Store.
Google also explains how app developers must handle collecting, processing, and using sensitive personal information, which refers to a category of data that is more vulnerable than basic personal information.
Some data privacy legislation, like the GDPR and the amended CCPA, have stricter requirements for collecting and using this type of data, and users have more rights over how and if that information gets tracked or used.
Google’s policies, pictured below in a screenshot, seem to reflect these guidelines.
If you’re developing Android apps, pay close attention to the policy change timeline outlined in the Updates to Google Play Policies, as they’re updated frequently.
The screenshot below explains new requirements Google is introducing throughout 2023.
According to Google’s guidelines, pictured in the screenshot below, you must display your Android app privacy policy in the designated field within the Play Console and link to it within the app itself.
According to those guidelines, your mobile app’s privacy policy must be hosted on an active, publicly accessible, non-geofenced URL that is non-editable, which means no PDFs.
You can host your policy on a page on your website or use a Privacy Policy Generator that hosts it for you, like ours.
Then, follow these four easy steps:
Remember, you also need to post a link to your privacy policy URL in the app itself or at least share the text version of the policy. So we recommend putting it on a Legal page, About page, or within the app’s Settings.
Depending on the type of app you create, you might also consider posting it wherever any data collection occurs, including any payment screens or new user account creation pages.
To make your app’s privacy policy comprehensive and user-friendly, it should contain the following information in distinct clauses:
Let’s further discuss these clauses in the next sections.
Privacy policies often begin by explaining the types of data that an app collects from users. Be as detailed as possible about the PI you collect.
In the screenshot below, see a great example of this clause from Spotify’s privacy policy. They structure the PI they collect into categories within an easily readable table.
The Spotify example above is a thorough model for structuring such a clause within your privacy policy for mobile apps.
In addition to revealing the type of data you collect, you must explain how it gets used, which must fit the specific legal basis outlined by data privacy regulations like the GDPR.
Be sure to organize this information in a clear, understandable way, perhaps by using a table or a bullet list.
Below, see an example of this clause from Uber’s mobile app privacy policy.
If you share data with third-party services, your mobile app privacy policy must reveal how and why.
Third-party tools and providers can enhance your apps through:
See how Twitter’s privacy policy outlines the kinds of data they share with third parties.
If you use similar services, like Google Analytics, disclose those details in a clause in your app’s privacy policy, or you risk non-compliance with regulations like the GDPR.
You must outline how users can control their personal information in a clause within your mobile app privacy policy.
Control over a user’s data has become a key concern for online businesses as they strive to comply with regulations like the GDPR and the amended CCPA. Almost by default, privacy policies have become instruction manuals for how users can exercise their data rights.
Include steps your users can take to access, transfer, change, delete, correct, amend, export, or limit the use of their information.
Below, see another example from Zoom, as they clearly describe the rights users have under the CCPA and other laws.
Establish a process for how you’ll inform your app users about any changes you make to your privacy policy, and explain those details in a specific clause.
Data privacy laws change often, and as a result, you may need to update your policy.
Publish the date of the last changes near the top of your policy, and reassure users that any significant changes will be presented prominently and emailed to the user.
Below, see the way TikTok explains how they update users about changes to their privacy policy.
In a clause in your privacy policy, you need to explain whether your mobile app uses cookies or other trackers, which ones, what data they collect, and why, because cookies qualify as personal information under legislation like the GDPR and the amended CCPA.
You should also post a cookie policy on your website and link it from your mobile app privacy policy, and vice versa, to help consumers find answers to questions regarding their personal information.
Below, see an example clause from the Walt Disney Company, which is careful to inform its users of its tracking policies.
To give users access to your mobile app privacy policy, link to it in the following locations:
Dedicate a space within your mobile app to display your privacy policy so users can easily navigate to it at any time.
Sharing the link like this ensures that users are aware of its presence, that all legal policies are only a few clicks away, and they can consult it at any time without being inconvenienced.
Many developers use an app privacy policy URL to link to the policy within the app itself, and give users access to it by publishing a hyperlink containing the word “privacy.”
Clicking the link opens the privacy policy in a new browser window; the policy itself may be hosted by a third party or be part of the company’s website.
If your company has a website, using the same policies for both is good practice.
You can also include a link to your policy on your app’s profile page in whichever app store you choose to sell your product.
Not only is this required by both Apple and Google, but it also allows users to view your policy before downloading your application.
For iOS apps, remember that Apple requires developers to include a link to a privacy policy in the following locations:
This applies to any app developed for Apple, even if you don’t fall under any data privacy laws.
Google requires anyone who develops apps for Android devices to put a privacy policy in the following locations:
According to their guidelines, you must host your privacy policy on an active, publicly accessible, non-editable, and non-geofenced URL.
We’ve outlined several examples of privacy policies for mobile apps in the following sections.
The first mobile app privacy policy example we’re showcasing comes from Instagram. Instagram is owned by Meta, which uses identical policies for all of its services and mobile applications.
To find their privacy policy in the app, navigate to the Settings section and select About.
Once there, select Privacy Policy to view the current version of the agreement directly within the app itself, screenshotted for you below.
Meta as a whole adopted a more up-front, user-friendly approach to its legal policies in response to public concerns over the sharing of personal information.
The policy is now formatted in a frequently asked questions (FAQ) format, which is easy to read.
Below, see an example of a clause in their policy outlining what information they collect, which even features a short video.
The policy then explains how that personal information gets used by Instagram, Facebook, and Meta, which is still organized in an FAQ style, as shown below.
While adding videos is a nice touch, it’s unrealistic for most businesses. However, when you make your privacy policy for your mobile app, try to be consistent with your formatting, like Instagram.
The next mobile app privacy policy sample comes from Spotify, a music streaming service.
You can find Spotify’s privacy policy in the app by navigating to Settings and selecting About, pictured below.
We like how Spotify organizes the information in their privacy policy using very easy-to-read tables.
Below, see what their clause featuring a table explaining what data they collect looks like through their app.
We also like how Spotify clearly informs their users how they’ll be updated about any changes to the policy, shown for you in the screenshot below.
This is a necessary clause to add to your mobile app privacy policy, especially because under laws like the amended CCPA, you must update your policy at least once every 12 months.
Next, we’ll look at the mobile app privacy policy from Snapchat, a service that is exclusively on mobile devices and allows for taking, editing, and sharing photos.
To navigate to their privacy policy within the app, go to your Settings and scroll down until you see the following options we’ve screenshotted below.
If you click on Privacy Policy, you’ll find that it’s clearly laid out and very approachable.
Below, see an example of Snapchat’s clause explaining what they do with data they collect that is provided by the consumer.
We like how Snapchat includes a clause covering their use of cookies and other trackers directly in their privacy policy, shown below.
Off-screen, there’s a live link to their cookie policy. If your mobile app uses cookies or trackers, understand that some of that data qualifies as personal information under data privacy laws and is subject to legal requirements and guidelines.
Like Snapchat, it’s in your best interest to provide a link to your cookie policy within your privacy policy for your mobile app.
Lastly, let’s consider the Pizza Hut mobile app privacy policy, which you can find within the app by navigating to your Profile and selecting Legal Information.
Once there, you can also access the CCPA-compliant “Do Not Sell My Personal Information” link, pictured below.
Because Pizza Hut has physical locations, they include a clause in their policy outlining what information is collected about their consumers who come into their brick-and-mortar storefronts, shown below.
Pizza Hut includes a clause outlining what parents and guardians can do if they suspect the company accidentally collected information about children, because they don’t target services to minors.
Even if you don’t market to minors, follow Pizza Hut’s lead and put a similar clause in your mobile app privacy policy.
This helps remove liabilities from your plate and creates a straightforward, easy-to-follow process if you ever find out you’ve accidentally collected information about children.
There are a few common ways you can make a mobile app privacy policy, including trying a:
Let’s go over each method in a little more detail.
If you want to create a mobile app privacy policy quickly and efficiently, use a managed solution like our Privacy Policy Generator.
Privacy policies are long documents that must follow strict legal requirements, and our generator simplifies the entire process for you.
All you need to do is answer a few simple questions about your app, and it’ll create a privacy policy for your app that abides by all of the laws and regulations we covered in this guide.
See a screenshot of our generator below.
Templates are convenient and easy to use. After downloading the policy, you just need to fill in the blanks with information about your mobile app.
We recommend using a template to make a privacy policy for your app, because it benefits you in the following ways:
Remember, if you’re short on time or need help adhering to multiple data privacy laws, try out our Privacy Policy Generator. All you need to do is answer a few questions about your business, and it creates a compliant policy for you in minutes.
If you get stuck, you can always reach out to our support team or hit save and come back at a more convenient time.
You can always try writing your app’s privacy policy on your own, but this is only recommended if you have extensive knowledge about data privacy legislation.
You can access our guide to learn how to write a privacy policy on your own, but we recommend working with a data privacy expert or lawyer.
You can download our free mobile app privacy policy template below in Word Doc, PDF, or Google Doc format.
Before using it, read through the entire mobile app privacy policy template – fill in all of the [brackets], remove any sections that do not apply to your app, and tweak any language as needed.
Below, see some of the most frequently asked questions we get about mobile app privacy policies.
Yes, Apple requires that all iOS apps link to a privacy policy regardless of whether you fall under the jurisdiction of any data privacy laws.
Yes, Google requires all Android apps to have a link to a privacy policy and declare how they collect and handle user data in the Data Safety section of the Google Play store.
Some of the data privacy laws that require mobile apps to have privacy policies are the:
Your mobile app privacy policy should include all of the following information in distinct clauses:
Customize your agreement to reflect the unique aspects of your mobile app.
You should update your mobile app privacy policy once every 12 months if you fall under the jurisdiction of the amended CCPA.
Otherwise, update it whenever you change any of your privacy practices.
No, don’t copy someone else’s mobile app privacy policy, as that’s plagiarism, and the policy won’t reflect your privacy practices.
Downloading and customizing a privacy policy template is enough for most mobile apps.
But if your app collects highly sensitive information or requires a more comprehensive privacy policy, consider using a Generator or reaching out to a lawyer or data privacy expert.
You need a privacy policy for your app if it falls under the jurisdiction of data privacy legislation like the GDPR or the CCPA, or if you use third-party app platforms that require privacy policies as a condition for publication.
Legally, your app may also need a privacy policy if it markets to specific demographics, like minors.
If you develop mobile apps, you likely need a privacy policy due to regional data privacy laws or the guidelines outlined by third-party app hosting platforms like Apple and Google.
Even if your app doesn’t collect personal data or isn’t under the umbrella of any legislation, both Apple and Google require you to link to a privacy policy stating as much. It’s clearly outlined in their developer guidelines that all responsibilities and liabilities fall on you, the app developer.
Luckily, privacy compliance doesn’t have to be complicated. You can make a policy that complies with Apple and Google’s developer guidelines in minutes by downloading and customizing our free privacy policy template for mobile apps.
Masha is an Information Security and Data Privacy Specialist and a Certified Data Protection Officer. She has been a Data Protection Officer for the past six years, helping small and medium-sized enterprises achieve legal compliance. She has also been a privacy compliance mentor to many international business accelerators. She specializes in implementing, monitoring, and auditing business compliance with privacy regulations (HIPAA, PIPEDA, ePrivacy Directive, GDPR, CCPA, POPIA, LGPD). Masha studied Law at Belgrade University, and she passed the Bar examination in 2016.