
Privacy policy generator for websites and apps

This post answers the question of how and why you should add a privacy policy to your Windows Phone app.

Since we launched our mobile app privacy policy generator last week, I’ve been wondering how good the documentation out there is regarding “privacy policy for a Windows Phone app”, “privacy policy for an Android app” and “privacy policy for an iOS app”. Since googling those terms reveals a rather sad picture of useless information, I decided to fix it.

Let’s say I want to include a privacy policy in my Windows Phone application: what do I need to do?

In Short

We have a slightly different flow in place for mobile privacy policies than for the web version:

1) Do I have to include a privacy policy in my Windows Phone app?

  1. That depends on what the app is doing. You can never go wrong by including a link to, or a full-page view of, your privacy policy, and it is very likely that you are required by law to include one in your Windows Phone app. Quick check: am I collecting, storing or sharing personal information such as email addresses or names, or sensitive data such as payment information, or am I using a third-party service that accesses such information?
  2. You are also likely using a third-party service in your app whose terms require you to post a privacy policy. Besides the legal requirement, a privacy policy is often a prerequisite for using a specific service, so check your service provider’s terms. A very popular third-party service whose terms of service require you to post a privacy policy is Google Analytics (which also has a mobile solution).

2) Am I required by the Windows Phone Store to post a privacy policy?

  1. For now (updated 24.3.2014) this is not the case: there is no absolute requirement that a privacy policy be included for the app to be accepted for listing. But it is very unlikely that you won’t be covered by one of the following requirements:
  2. From the App certification requirements for the Windows Store: “If your app has the technical ability to transmit data, you must maintain a privacy policy. You must provide access to your privacy policy in the Description page of your app, as well as in the app’s settings as displayed in the Windows Settings charm”
  3. From the App Developer Agreement: “If your app enables access to and the use of any Internet-based services, or otherwise collects or transmits any user’s personal information, you must maintain a privacy policy. You are responsible for informing customers of your privacy policy (including by submitting that policy to us for display to customers). Your privacy policy must (i) comply with applicable laws and regulations, (ii) inform users of the information collected by your app and how that information is used, stored, secured and disclosed, and (iii) describe the controls that users have over the use and sharing of their information, and how they may access their information. You must also provide access to your privacy policy in the app’s settings as displayed in the Windows settings charm”.
  4. From the same App Developer Agreement: “The app and your marketing of the app must comply with the laws of each territory or country into which you request distribution of the app. This includes: (i) data protection, privacy and other laws and regulations relating to collection and use of user information by your app (ii) telecommunications laws and (iii) content ratings regulations. If you are required to make any disclosures to consumers prior to sale or download of the app, you must provide those in the app description field. Those may include your full contact information, notice that an app supports in-app purchases, or other disclosures. You must make such notices sufficiently prominent as is required by local law. Your app must not require further export, import or technology control licensing from any government. You must disclose to Microsoft any controlled technology employed, used or supported by your app. You may not use the Windows Store or any services or tools made available for the development of apps for any illegal activity.”
  5. From the App policies for Windows Phone (2.7.2): “The privacy policy of your app must inform users about how location data from the Location Service API is used and disclosed and the controls that users have over the use and sharing of location data. This can be hosted within or directly linked from the app. The privacy policy must be accessible from your app at any time.”
  6. From the same App policies (2.7.4): “If your app publishes or makes available location data obtained from the Location Service API to any other service or other person (including advertising networks), your app must implement a method to obtain opt-in consent. To ‘implement a method to obtain opt-in consent,’ the app must:”
    • provide your privacy policy, which must be persistently accessible from within the app (and may also be made available in app details by populating the Privacy URL field in Dev Center) and must describe how the location information will be accessed, used or shared;
  7. From the same App policies (2.8): “If your app (a) accesses or uploads a user’s Contacts, Photos, Phone number, SMS history, Browsing history or any other data reasonably considered personal in nature, or if your app shares any of the foregoing information with third-party services or individuals, or (b) shares any unique device or user IDs, combined with user information, with third-party services or individuals, the app must implement a method to obtain the user’s ‘opt-in’ consent. To ‘implement a method to obtain opt-in consent,’ the app must:”
    • provide your privacy policy, which must be persistently accessible from within the app (and may also be made available in app details by populating the Privacy URL field in Dev Center) and must describe how the information will be accessed, used or shared;
  8. The California Attorney General is working with the big platform providers, including Microsoft, on making all apps compliant with privacy regulations, so this situation could change down the road.
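The two in-app obligations quoted above (a privacy policy that is persistently accessible from within the app, and opt-in consent before location data is obtained and shared) are the parts a developer actually has to code. As an added example, not code from the original post, from Microsoft or from iubenda, here is one way to meet both in a Windows Phone 8 (Silverlight/C#) app: the hosted policy is opened from the app’s own settings page, and the Location Service API is not touched until the user has opted in, with the answer stored so it can be reviewed and withdrawn later. The policy URL, the setting name and the consent wording are placeholders you would replace with your own.

```csharp
// Added example (not from the original post): a small helper for a Windows Phone 8
// (Silverlight) app that keeps the privacy policy reachable from inside the app and
// gates the Location Service API behind stored opt-in consent.
// Assumptions: PrivacyPolicyUrl is a placeholder; the settings-page button/toggle
// that calls these methods is wired up elsewhere in the app.
using System;
using System.IO.IsolatedStorage;
using System.Threading.Tasks;
using System.Windows;
using Microsoft.Phone.Tasks;
using Windows.Devices.Geolocation;

public static class PrivacyGate
{
    // Placeholder: use the same URL you enter in the Dev Center "Privacy URL" field,
    // so the store listing and the in-app link point at the same document.
    public const string PrivacyPolicyUrl = "https://example.com/privacy-policy";

    // Hypothetical setting name used to persist the user's choice between launches.
    private const string LocationConsentKey = "LocationSharingConsent";

    // Opens the hosted privacy policy in the phone browser. Call this from a button on
    // the app's settings page (and from anywhere else the policy should be reachable),
    // which is what makes it "persistently accessible from within the app".
    public static void ShowPrivacyPolicy()
    {
        var task = new WebBrowserTask { Uri = new Uri(PrivacyPolicyUrl) };
        task.Show();
    }

    // null  = the user has never been asked
    // true  = the user opted in
    // false = the user declined (do not nag again; only the settings toggle re-enables)
    public static bool? GetLocationConsent()
    {
        bool consent;
        if (IsolatedStorageSettings.ApplicationSettings.TryGetValue(LocationConsentKey, out consent))
            return consent;
        return null;
    }

    // Stores the choice; bind this to a settings-page toggle so consent can be withdrawn,
    // which is one of the "controls that users have" the policy text has to describe.
    public static void SetLocationConsent(bool consent)
    {
        IsolatedStorageSettings.ApplicationSettings[LocationConsentKey] = consent;
        IsolatedStorageSettings.ApplicationSettings.Save();
    }

    // Asks once, stores the answer, and only then reads the position.
    // Returns null when the user has declined, so callers must work without a location.
    // Must be called on the UI thread because MessageBox.Show is a UI call.
    public static async Task<Geoposition> GetPositionWithConsentAsync()
    {
        bool? consent = GetLocationConsent();
        if (consent == null)
        {
            // The prompt names the recipient and points at the policy; the exact wording
            // is a placeholder you would adapt to your own data flows.
            MessageBoxResult result = MessageBox.Show(
                "This app shares your location with our advertising partner to show nearby " +
                "offers. How location data is used is described in our privacy policy " +
                "(Settings > Privacy), and you can turn sharing off there at any time. " +
                "Allow location sharing?",
                "Location sharing",
                MessageBoxButton.OKCancel);

            consent = (result == MessageBoxResult.OK);
            SetLocationConsent(consent.Value);
        }

        if (consent != true)
            return null;

        // Only reached after explicit opt-in.
        var locator = new Geolocator { DesiredAccuracy = PositionAccuracy.Default };
        return await locator.GetGeopositionAsync();
    }
}
```

Use `PrivacyGate.GetPositionWithConsentAsync()` everywhere the app would otherwise construct a `Geolocator` directly, and check for a `null` result rather than assuming a position. Storing a declined answer (rather than re-prompting on every attempt) keeps the app from turning the consent dialog into a nag, while the settings toggle gives the user a way to change their mind, which is the control the policy requirements ask you to describe.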

3) How do I add/edit my privacy policy on the Windows Phone store?

This section explains how you add your privacy policy to the actual app store page, so users can review your data collection practices before downloading:

  1. Log into your Windows Phone Dev Center account
  2. Next, add the link to your privacy policy in the Privacy URL field
  3. Done.

4) An example privacy policy for Windows Phone Apps?

A lot of people ask for sample privacy policies for apps. Let’s start with the legal minimum requirements. A good starting point is the California Online Privacy Protection Act (CalOPPA); Europe’s minimum requirements are an even better one, since they are more refined:

CalOPPA minimum requirements:

Provide information about the personally identifiable information (PII) you handle, including:

  • a description of the types of PII collected and disclosed by the operator;
  • a description of the process by which a consumer can access and request changes to his or her PII, if available;
  • a description of the process by which the operator will notify consumers of material changes to the privacy policy; and
  • an effective date

EU Privacy Directives minimum requirements:

Provide a readable, understandable and easily accessible privacy policy, which at a minimum informs users about:

  • who you are (identity and contact details),
  • what precise categories of personal data the app wants to collect and process,
  • why the data processing is necessary (for what precise purposes),
  • whether data will be disclosed to third parties (not just a generic but a specific description of to whom the data will be disclosed),
  • what rights users have, in terms of withdrawal of consent and deletion of data.

You can easily google for an example privacy policy for X, but chances are you won’t find anything ready-made.

Helpful docs:

  1. Privacy on the Go (California Attorney General)
  2. Article 29 Working Party (EU data protection authorities)

Our Approach of Generating a Windows Phone Privacy Policy

So here’s where iubenda’s privacy policy generator comes in handy:

1) Define the services and categories of data collection your app makes use of.
2) Add the services (and categories of data collection, such as “access to address book”) you are using to your policy, and it will generate the full privacy policy text, both in a condensed, easily scannable form and as an entire document your users can read if they want.
3) Either link to your policy or embed the text in your app.
