If your Android app collects personal information (and it's highly likely that it does), you must create a legally compliant Privacy Policy.

Google regularly penalizes developers that fail to maintain a Privacy Policy. A high-profile incident occurred in 2017 when Google threatened to permanently remove non-compliant apps from the Play Store. A similar incident occurred in 2019.

In this article, you'll learn:

  • Whether your Android app needs a Privacy Policy
  • How privacy law applies to your Android app
  • How to create an Android app that complies with Google's terms, and the law
  • Where you need to display your Privacy Policy
  • How to comply with Google's "prominent disclosure" requirements

We'll also show you how to create a legally-compliant Privacy Policy for your mobile app that you can use right away to satisfy privacy laws and Google's requirements.


Does My Android App Need a Privacy Policy?

Yes, your Android app almost certainly needs a Privacy Policy. One major reason that you need a Privacy Policy for your Android app is that Google requires it. You also need a Privacy Policy by law.

Google's Transparency Requirements

Google is taking action to ensure that all Android developers are transparent and legally-compliant. Failing to maintain a valid Privacy Policy for your app could be a violation of Google's terms. Google makes this very clear in its Developer Policy Center on a page dedicated to "Privacy, Security and Deception."

It includes a clause about user data that states that developers must be transparent in their handling of user data by disclosing important details about the collection and use of the data:

Google Play Developer Policy Center: Privacy, Security and Deception - User Data section

Google doesn't explicitly say that every app requires a Privacy Policy. But most apps do. Take a look at this excerpt from the Android SDK Terms and Conditions:

Android Developers Terms and Conditions: Use of SDK - Privacy notice requirement clause

And here's part of Google's Developer Distribution Agreement. You agree to these terms when you publish your app on the Google Play Store:

Google Play Developer Distribution Agreement: Privacy notice requirement clause

Personal and Sensitive Information

Here's how Google defines "personal and sensitive information" in its Developer Policy Center. If you collect personal and sensitive information, you need to comply with Google's transparency requirements.

Google Play Developer Policy Center: Privacy, Security and Deception - Section with List of what is Personal and Sensitive Information

These terms require you to have a Privacy Policy if you collect:

  • Usernames
  • Passwords
  • Any other login information
  • Financial and payment information
  • Authentication information
  • Phonebook, contacts, SMS, and call-related data
  • Microphone and camera data
  • Sensitive device or usage data
  • Any personal information (or "personally identifiable information")

The last point is important. "Personal information" is a very broad term. Privacy laws differ in how they define "personal information." Depending on where your users live, you'll have different standards to meet.

And while we're on the subject of privacy law, Google can impose some harsh penalties on those whose apps fail to comply with the law.

Here's a section of the Developer Distribution Agreement describing Google's "Legal Takedown" process:

Google Play Developer Distribution Agreement: Legal takedown clause

If Google determines that your app has broken the law, or even if someone alleges it, Google can:

  • Remove your app from the Google Play Store
  • Force you to refund any customer that purchased your app in the past year (or longer)

As well as complying with Google's terms, you must obey the law. Below, we're going to look at which privacy laws might apply to you.

We're going to focus on how these laws define personal information. This will help you understand whether your app collects personal information. If your app collects personal information, you need a Privacy Policy.

United States Privacy Law

If your app is accessible in the United States, you'll need to obey California's strict privacy laws. These privacy laws protect all California residents, so they apply to any app accessible in the US (unless you can find some way to block 40 million Californians).

The broadest Californian privacy law, which applies to all commercial app developers, is the California Online Privacy Protection Act (CalOPPA). Under CalOPPA, the following types of information are personal information:

  • First and last name
  • Address, including a street name and the name of a city or town
  • Email address
  • Phone number
  • Social security number
  • Other identifying contact details
  • Cookies or any other user data an app collects (if you store it alongside one of the other types of information above)

CalOPPA requires that you maintain a Privacy Policy disclosing how you collect and use personal information. It applies to anyone operating a commercial website or app that's accessible in California.

Many larger businesses also have to comply with the California Consumer Privacy Act (CCPA). If you qualify as a business under the CCPA, you'll need to think much more broadly about whether your app collects personal information.

The CCPA defines personal information as:

"information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."

This includes all the types of information above, plus many more examples, including:

  • Cookies (regardless of whether you store them alongside people's names or contact details)
  • ID numbers such as the Android ID
  • IP address
  • Phone number
  • Location data
  • Data about a person's sex, race, nationality, etc.

All sorts of apps use these types of data, including all apps that use personalized advertising.

The CCPA has much more extensive Privacy Policy requirements than CalOPPA. See our article on creating a CCPA Privacy Policy for more information and specific guidance.

European Union Privacy Law

If your app is accessible in the European Union (including the UK), you'll need to obey the EU General Data Protection Regulation (GDPR). The GDPR has a broad definition of personal information, just like the CCPA.

The GDPR applies to anyone offering goods or services in the EU or engaging in the "profiling" of people in the EU.

Profiling means building up a profile of a person's preferences or character by observing their behaviors and choices. If your app uses Google Ads, you're engaged in profiling.

Google offers developers a choice between two types of ads:

  • Personalized ads which track users' behavior and build up a profile of their preferences over time.
  • Non-personalized ads which don't store any information about users' preferences but do measure engagement with ads.

Google states that even apps that use its non-personalized ads fall under the scope of EU privacy law so you'll need a Privacy Policy even if you choose to display non-personalized ads in the EU.

Other Privacy Laws

Most countries have a generally-applicable privacy law, including:

If your Android app is available in any of these countries, and many more, you need a Privacy Policy under the law.

What Should I Include in My Android App Privacy Policy?

What Should I Include in My Android App Privacy Policy?

The contents of your Privacy Policy will depend on:

  • What personal information your app collects
  • How your app uses personal information
  • Google's requirements
  • Legal requirements

Google doesn't provide any specific requirements about what to include your Privacy Policy, just that it needs to be "legally adequate."

A good starting point is to consider the following questions:

  • What personal information does your app collect? Consider all the types of "personal and sensitive information" we covered above
  • Why do you need this personal information?
  • How do you use this information?
  • Who, if anyone, do you share the information with?

Answer these questions and you could have an acceptable Privacy Policy for a basic Android app.

To put this in context, let's take a look at some examples of some Privacy Policies from popular Android apps.

Many companies open their Privacy Policy with a brief statement about their commitment to keeping users' personal information safe. This isn't a requirement, but it's a good opportunity to ensure your app looks professional and transparent.

Here's how Tinder opens its Privacy Policy:

Tinder Privacy Policy intro

This gives a human touch to what can otherwise be a very dry legal document.

When you're disclosing what type of information your app collects, you should also explain why you collect it. Here's an example from Uber:

Uber Privacy Notice: Location data clause excerpt

Uber says a lot in these two sentences. The Uber app collects device location data, in order to:

  • Help drivers find Uber users
  • Improve Uber's pickup, navigation, and customer support services

And here's how delivery app Just Eat explains how it shares the information it collects:

Just Eat Privacy Policy: Who we share personal information with

Note that you don't necessarily need to provide the name of every company you share personal information with. You can just explain what types of companies you share personal information with.

Android App Privacy Policy For EU Users

Android App Privacy Policy For EU Users

If your app is accessible in the EU, you'll also need to comply with the strict Privacy Policy requirements of the GDPR. This means you'll also have to disclose:

Here are some examples of how popular apps make their Privacy Policies GDPR compliant.

Here's some of what Uber says about its lawful bases for processing personal information:

Uber Privacy Notice: Lawful grounds for processing - To provide requested services and features clause

Here's part of Spotify's Privacy Policy, where it explains how long it stores personal information:

Spotify Privacy Policy: Data retention and deletion clause

Note that Spotify doesn't specify how long it keeps personal information in terms of months or years. The Privacy Policy explains that Spotify deletes a users' personal information when they close their account, unless:

  • There is an unresolved issue with the users' account
  • There is a legal obligation to retain the information
  • They need the information in connection with fraud prevention or security

And here's how WhatsApp tells EU users how they can exercise their rights under the GDPR:

WhatsApp Privacy Policy: GDPR - How You Exercise Your Rights clause

If your app has EU users, it's a good idea to build controls into your app so they can access their data subject rights. WhatsApp lets users access and delete their personal information from within its app, and it uses its Privacy Policy to explain this in the context of GDPR rights.

For more information, see our article on creating a GDPR Privacy Policy.

How to Create a Privacy Policy for Your Mobile App

TermsFeed Privacy Policy Generator: How to Create a Privacy Policy for Your Mobile App

Our Privacy Policy Generator makes it easy to create a Privacy Policy for your website. Just follow these steps:
  1. Click on the "Start the Privacy Policy Generator" button.
  2. At Step 1, select the Mobile app option and click "Next step":
  3. TermsFeed Privacy Policy Generator: Create Privacy Policy for Mobile App - Step 1

  4. Answer the questions about your mobile app and click "Next step" when finished:
  5. TermsFeed Privacy Policy Generator: Answer questions about Mobile App - Step 2

  6. Answer the questions about your business practices and click "Next step" when finished:
  7. TermsFeed Privacy Policy Generator: Answer questions about business practices - Step 3

  8. Enter your email address where you'd like your policy sent, select translation versions and click "Generate My Privacy Policy." You'll be able to instantly access and download your new Privacy Policy:
  9. TermsFeed Privacy Policy Generator: Enter your email address - Step 4

Where Should I Display My Android App Privacy Policy?

Where Should I Display My Android App Privacy Policy?

You should host your Privacy Policy online, and provide links in the following places:

  • In the Google Play Store with your app listing
  • Within your app's menus
  • During account setup and login screens
  • When taking payments
  • Whenever you collect personal information

Ensure you take every reasonable step to present your Privacy Policy to your users whenever it's relevant.

Let's look at some examples of how some popular Android apps make their Privacy Policy easily accessible to users.

Google Play Store

It's essential to provide a link to your Privacy Policy within your listing on the Google Play Store. You can do this via your Developer Console.

Here's some basic guidance from Google on how to link to your Privacy Policy on the Google Play Store:

Google Play Console Help: Add a Privacy Policy to your Store Listing

For more information, see our article on How to Add a Privacy Policy URL to Google Play.

App Menus

Keep a link to your Privacy Policy prominently displayed in your app's menus so your users can access it whenever they want to read it.

Here's how Google Maps integrates its Privacy Policy into its side menu:

Google Maps Android app: Menu with Privacy Policy highlighted

If you have a Legal, About, Settings or other type of menu where users will intuitively know to look for information like your Privacy Policy, add your policy there.

Device Access Request

When an app requires access to a user's device storage or functions, this will usually result in the app collecting personal information from the device.

Therefore, you should provide a link to your Privacy Policy before the user agrees to this. This way, the user can understand how you'll handle their personal information and make an informed choice.

Below you can see how Google Files presents its Privacy Policy when requesting access to personal information from the user's device:

Google Files Android App: Continue screen with Privacy Policy highlighted

Sign-In Screen

When your user signs into their account on a device, their personal information is transmitted from your servers to that device. This is why it's important to provide privacy information when a user signs into their account.

Here's how Microsoft displays a link to its Privacy Policy when inviting the user to sign in:

Microsoft Android App: Sign-in screen with Privacy Policy highlighted

You should also link to your Privacy Policy if a user is already signed in and is invited to make significant changes to their account information.

This how The Guardian displays a link to its Privacy Policy in an account upgrade screen:

The Guardian Android App: Upgrade screen with Privacy Policy highlighted

Point of Sale

If you sell products via your app, you probably use a third-party payment processor to do this. Even so, you should still provide a link to your Privacy Policy before your user completes a purchase.

Here's how Amazon links to its Privacy Policy at the point of sale:

Amazon Android App: Checkout screen with Privacy Notice highlighted

It's better to over-link your Privacy Policy rather than not make it accessible enough. Make it always available in a menu, as well as at select points throughout your app when you do things like request access permission, collect personal information directly or allow transactions to be completed.

Do I Have to Comply With Google's Prominent Disclosure Rules?

Do I Have to Comply With Google's Prominent Disclosure Rules?

As well as creating a Privacy Policy for your Android app, you may also need to make a "prominent disclosure," also known as an "in-app disclosure."

This means creating a pop-up message within your app to:

  • Inform your users about the information you're collecting
  • Ask for their consent to collect the information

You must provide a prominent disclosure where:

  • You collect personal or sensitive information, and
  • Your users might not expect you to collect this data

Google provides some examples of how developers may violate the prominent disclosure requirement:

Google Play Developer Policy Center: Privacy, Security and Deception - Common examples of violations of the Prominent Disclosure Requirement

To put this in context, here's a hypothetical example:

A camera app is likely to require access to the user's camera, so you may not need a prominent disclosure for this.

The camera app might also allow users to share photos with their contacts. Users might not expect a camera app to access their contacts list. Therefore, a prominent disclosure might be required.

Google has two sets of rules about the prominent disclosure requirement:

  • Rules about how you provide information to your users
  • Rules about how you ask for consent

Providing Information

Google requires that in-app disclosures be displayed in the normal usage of the app without requiring a user to navigate to a menu or settings section of the app. Placing it in a Privacy Policy, Terms and Conditions or other disclosures not related to the collection of personal or sensitive data is not adequate.

The disclosure must provide the following information:

  • Description of the data collected
  • Explanation of how the data will be used

Here's an example from BBC iPlayer:

BBC iPlayer Android App: In-app disclosure

BBC iPlayer makes the disclosure in the correct way. The disclosure is:

  • Within the app itself
  • Part of the normal usage of the app
  • Not part of a Privacy Policy
  • Not included with any other disclosures

The disclosure also provides the required information, i.e.:

  • What information the app is collecting
  • How BBC iPlayer will use the data

Google requires that in-app disclosures include a request for consent that's presented in a clear, unambiguous way and requires the user to make an affirmative user action in order to give consent.

An affirmative user action could include ticking a checkbox or tapping to accept. Navigating away from the disclosure is not considered consent.

Personal or sensitive data cannot be collected prior to consent being correctly obtained.

Here's an example from Malwarebytes:

Malwarebytes Android App: In-app disclosure with Give permission screen for consent

This appears to comply with Google's rules around earning consent via a prominent disclosure:

  • It presents a clear and unambiguous request
  • It requires affirmative action (tapping a button)
  • It doesn't auto-expire
  • The app does not begin collecting the information until the user has consented
  • Navigating away from the disclosure doesn't result in consent

Summary of Your Privacy Policy for Android Apps

If your app collects personal information, it's crucial that you create a Privacy Policy.

Your Privacy Policy should explain, at a minimum:

  • What personal information your app collects
  • Why you need this personal information
  • How you use this personal information
  • Who, if anyone, you share the personal information with

Remember, there are additional requirements if:

  • Your app has users in the EU
  • Your app collects personal information in ways your users might not expect

Display your Privacy Policy whenever you wish to collect personal information from your users. Include it in your app store listing as well.

Privacy Policy Generator
Comprehensive compliance starts with a Privacy Policy.

Comply with the law with our agreements, policies, and consent banners. Everything is included.

Generate Privacy Policy