Privacy Policies for Mobile Apps: One Size Does Not Fit All

Privacy Policies for Mobile Apps: One Size Does Not Fit All

Jan 15, 2015

Online privacy is a growing concern for us all. As a mobile app owner or developer, you must include a privacy policy in your app that details the information you collect from users and the manner in which that information is stored and used. Although borrowing a privacy policy from a similar app or purchasing a template online may be tempting, doing so can potentially create huge legal and financial liability for your company, and ultimately carries more risk than benefits.

The key to your app’s privacy policy is transparency – say what you do and do what you say when it comes to users’ information. If your app tracks cookies or IP addresses, say so in your privacy policy. If you share information with a third-party company, tell your users and direct them to that company’s data privacy practices or policy.

If your company makes misrepresentations to consumers about its privacy practices, you risk charges by the Federal Trade Commission that can result in consent orders in which the government will regulate your privacy practices for extended periods of time. For example, recently, the popular app “Snapchat” settled FTC charges that its privacy policy statements saying that photo messages disappeared were false. Specifically, the complaint alleged that Snapchat “misrepresented its data collection practices,” such as stating in its privacy policy that it did not track geolocation information, but in practice, transmitting “geolocation information from users of its Android app.” This resulted in a strict FTC consent order with which Snapchat must comply until 2034. Any violations by Snapchat of the numerous directives in the FTC order will result in significant fines of up to $16,000 per violation.

In addition to transparency, your privacy policy should also detail user-customizable privacy settings, opt-outs, or other ways for users to control how their personal information is collected and shared. If your app collects sensitive information, such as geolocation data, get the users’ affirmative assent before you collect the data from them.

Keep your users’ data secure. Even if your privacy policy does not detail the security steps your company takes to ensure the protection of user information, under federal law, you still must take “reasonable steps” to keep sensitive data secure. Thus, only collect the information you need, as collecting data without a specific need for it only adds liability to your company for protection of the information.

Don’t forget that your privacy policy must remain accurate over time, so as your information practices change, so too must your privacy policy.

Perhaps most importantly, make sure your privacy policy complies with the Children’s Online Privacy Protection Act (COPPA), which governs the collection of data from children under the age of 13, and the California Online Privacy Protection Act (CalOPPA), which governs any mobile application that may impact a California customer. Failure to comply with FTC regulations, COPPA, and CalOPPA can have dire consequences. For example, in 2013, Path social networking app paid $800,000 to the FTC for collecting children’s personal information without their parents’ consent.

Drafting a privacy policy unique to your app’s data usage and security is imperative, and will protect you from unnecessary legal and financial risk. A technology attorney can ensure your compliance with the laws and regulations about data-usage, and will guide you through the process of learning exactly how your company collects data, how it uses the data, and how it shares the data with others.

Laura Marston is an associate attorney practicing in the areas of software licensing, e-Commerce and technology law. She can be reached at 703.525.4000 or