If you offer an auto-renew subscription service through the Apple App Store, Apple places specific requirements on you. One of those requirements is that you must provide a Privacy Policy and make it accessible through your app store listing.
A Privacy Policy is also required by most privacy laws around the world if your subscription app collects personal information from its users. This means you should draft a Privacy Policy regardless, even if the App Store is not your only distribution platform.
- 1. Apple's requirements for auto-renewable subscriptions
- 2. Legal requirements
- 3. Addressing auto-renewal
- 4. Needed Privacy Policy provisions
- 4.1. Data Collected
- 4.2. How it is collected
- 4.3. How it is used
- 4.4. Third party sharing
- 4.5. Protection mechanisms
- 4.6. Link on website
- 4.7. Cookies and tracking
- 4.8. State notices
Here is what you need to know about auto-renew subscriptions and Privacy Policies when you develop iOS apps.
Apple's requirements for auto-renewable subscriptions
Apple defines an auto-renewable subscription as one that lets a user purchase dynamic content or services for a set period of time. When that period ends, the subscription renews for the same length of time, and this continues until the user cancels.
The most common auto-renew apps involve streaming video or music. Stress reduction and meditation guidance apps are also growing in popularity, and those use auto-renew subscriptions as well.
Some subscription services allow users to choose their plan and the frequency of renewal.
Once the user selects a subscription, Apple asks the user to confirm the purchase in a system dialog that displays the name of the app and the length of the subscription period.
Once the subscription starts, it is listed under the user's Apple ID, with its renewal date and term.
From that list, cancellation is easy: the user opens the subscription and taps "Cancel Subscription."
Apple requires a Privacy Policy for any app that handles personally identifiable information such as names, email addresses, country of residence and screen names, and the link must be available to users on the app's App Store page. Apple's App Store Review Guidelines (section 5.1.1) have since broadened this: every app must link to its Privacy Policy in its App Store Connect metadata and from within the app itself, whether or not it collects personal data.
Apple requires a Privacy Policy for apps for two main reasons.
First, Apple wishes to protect the interests of its consumers. Without that protection, users may not purchase apps or feel safe with Apple products. That makes a Privacy Policy in the best interests of both Apple and its users.
Second, Privacy Policies are required by law throughout the world. Different laws place requirements on developers who collect personal information through their apps.
Legal requirements
Most jurisdictions require Privacy Policies if an app or website collects personal data about its users. Also called personally identifiable information, this category of data includes:
- Full names
- Email addresses
- City of residence
- Shipping addresses
- Identifying numbers such as Social Security or driver's license numbers
- Screen names
Even if you only collect one type of personally identifiable information, like email addresses, you must have a Privacy Policy. Failing to do so can result in fines and civil penalties.
Subscription apps rarely avoid collecting personal information. Billing data such as card numbers, names and addresses alone requires a Privacy Policy and practices in place to protect that data. Note that when billing runs through Apple's in-app purchase system, Apple processes the card details and you never receive them; you still typically hold other personal information, such as email addresses, account identifiers and purchase receipts, which is enough to trigger the requirement.
Even if you operate from a jurisdiction with no national privacy law, you will in practice still need a Privacy Policy. Your app can be downloaded by users all over the world, including in jurisdictions whose privacy laws protect their residents regardless of where the service is operated from.
Auto-renewable subscription services usually cross international lines; HBO Now, available in both Canada and the United States, is one example.
The U.S. has no comprehensive federal privacy law, but many states have passed their own. California, Delaware and Nevada have privacy protection laws, and Illinois enacted one specific to location tracking. Australia, Canada and the UK maintain national laws requiring Privacy Policies, as do India, Malaysia and other nations.
Fortunately, privacy laws are similar in their requirements for a Privacy Policy. These include:
- A description of the type of data you collect
- How you collect it
- How you use it
- Third parties who may receive the data
- Protection mechanisms for personal data
- A clear link to the Privacy Policy on the website
This includes automatic data collection. If you use cookies and tracking software, address that in your Privacy Policy.
Note that if you operate from an EU member state, you must also follow the EU ePrivacy Directive, commonly called the Cookies Directive. It requires you to inform users about the cookies you set and to obtain consent for non-essential ones, which is usually done through a separate Cookies Policy on your website alongside the Privacy Policy. Even with a separate Cookies Policy, you still need to cover cookies in the Privacy Policy itself.
Addressing auto-renewal
Auto-renewal is frequently covered in Privacy Policies. Such sections normally describe how a user can access subscription options and sometimes include instructions for cancelling the service.
Strides places a "Subscription Terms of Use" section near the bottom of its Privacy Policy. It informs users that if the app was purchased through iTunes, they must cancel through the account settings on their Apple device; if it was purchased through the website, it offers an email link for users wishing to cancel.
Digipill also covers subscription renewal in its Privacy Policy, in a section labeled "Subscriptions" that guides users to their iTunes account settings.
Other developers may keep subscription terms outside the Privacy Policy.
Scruff maintains a separate iOS subscription terms page that links to its Privacy Policy and Terms of Service. If you follow the link to the Privacy Policy, you discover it contains no section on subscriptions.
Smule, which distributes the Sing! Karaoke app, also maintains a separate FAQ on iOS auto-renewal; its Privacy Policy does not include these terms.
HBO Now also prefers to address auto-renewal and cancellation through a FAQ, but it offers more detailed information and instructions.
It is safe to conclude that subscription terms do not have to be in a Privacy Policy. As long as they are available somewhere on your website that users can find, such as your Terms of Service or a FAQ, that will serve most of your users.
But there are terms that must be in your Privacy Policy so you meet your legal burdens.
Needed Privacy Policy provisions
Since auto-renewal requires the collection of personal information, a complete Privacy Policy is essential.
Here are the terms you need to include even if you decide to keep subscription terms elsewhere on your website.
Data Collected
All Privacy Policies must discuss the data collected by the developer. This is often as general as a definition of personal data.
Smule defines personal data and in doing so lists the types of data it needs in order to function.
Notice that even if you anonymize data before storing or analyzing it, the fact that you had access to the identifying information still triggers your privacy obligations. Smule handles that well by listing it alongside the data it collects.
How it is collected
You must also indicate how you collect data. Sometimes this section is easy.
Digipill collects only the information users consent to share when they sign in with Facebook.
Scruff takes a more complex approach and divides data into two categories. The first is data users provide voluntarily in order to use the service.
The second is data Scruff collects automatically. That list is comprehensive and bulleted, which makes it easy for users to understand.
This section must accurately disclose all of your data collection. Even if it seems obvious that users provide their names and email addresses, mention that anyway.
Definitely include any automatic collection since that transparency is required by law and helps customers know what to expect before they sign up for your service.
How it is used
Generally, data is collected so the app functions as expected. There may be other reasons too, like assessing whether the app is effective.
Scruff provides a detailed bulleted list of personal data uses.
Again, include the use even if it seems obvious. Users likely understand that you need payment information to charge for your service, but stating that specifically in this section is still required.
Third party sharing
If you share data with third parties, at the very least you need to provide categories for those parties. They can be described generally as "advertisers" or "affiliates." You can also name companies specifically if you have a parent corporation or sponsor that assists with your operations.
Scruff describes "partners" and "service providers" generally in this section.
Smule likewise defines the types of third parties it works with and makes clear that it shares only as much data as necessary to provide its services.
If you use a specific billing company or other service provider, consider mentioning them by name. Provide a link to their Privacy Policy if you have it. If they are too numerous to list, a general category of third parties will suffice.
Protection mechanisms
You are required to describe how you protect personal data. That is a central purpose of these privacy laws: to make sure you do not misuse data or collect it inappropriately, and that you keep it safe once you have it.
This is often presented in a section on security. Smule describes its efforts while warning users that no system is completely secure.
Digipill receives data only from Facebook, and it explains that Facebook's Privacy Policy describes the applicable security measures, with a link to that agreement.
You can describe general security methods, such as encryption in transit and at rest and access controls on stored data, in this section. Keep it at the level of controls rather than configuration details an attacker could use. If you outsource security or hosting, name the entity that manages it and link to their relevant agreements.
Link on website
Apple requires a link to the Privacy Policy on app listings. In addition, laws require these links to be present on a website, too.
Links to developer websites are also provided in the App Store listing.
When you visit the page, links to the Privacy Policy are usually in the footer, as in this example from Strides.
When you release your app through the App Store, check your website and make sure a link to your Privacy Policy is in the header or footer. The only requirement is that it be accessible, so as long as it is present you likely meet legal requirements.
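The header-or-footer check above is easy to automate so it runs against every release of your site. The following is an added example written for this article, not code from the article or from any of the apps it names; the sample pages and the paths in them (such as /legal/privacy) are constructed for illustration. It parses a page with the standard library's HTMLParser, collects every link, and reports whether a link mentioning "privacy" exists and whether it sits inside a <header> or <footer> element.

```python
"""Added example: check that a web page links to its Privacy Policy from its header or footer.

Not code from the original article. The sample pages below are constructed for
illustration; feed real HTML (e.g. fetched with urllib.request) to
privacy_link_check to test your own site.
"""
from html.parser import HTMLParser
from typing import Dict, List, Optional, Tuple

Link = Tuple[str, str, Optional[str]]  # (href, link text, enclosing region or None)


class _LinkCollector(HTMLParser):
    """Collect every <a href> and note whether it sits inside <header> or <footer>."""

    REGIONS = ("header", "footer")

    def __init__(self) -> None:
        super().__init__()
        self._open_regions: List[str] = []   # header/footer elements currently open
        self._href: Optional[str] = None     # href of the <a> being read, if any
        self._text: List[str] = []           # text fragments inside that <a>
        self.links: List[Link] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag in self.REGIONS:
            self._open_regions.append(tag)
        elif tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data: str) -> None:
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag: str) -> None:
        if tag == "a" and self._href is not None:
            # Innermost header/footer wins; None means the link is in the page body.
            region = self._open_regions[-1] if self._open_regions else None
            text = " ".join(" ".join(self._text).split())
            self.links.append((self._href, text, region))
            self._href = None
        elif tag in self.REGIONS and self._open_regions and self._open_regions[-1] == tag:
            self._open_regions.pop()


def find_privacy_links(html: str) -> List[Link]:
    """Return links whose href or visible text mentions privacy."""
    collector = _LinkCollector()
    collector.feed(html)
    collector.close()
    return [link for link in collector.links
            if "privacy" in link[0].lower() or "privacy" in link[1].lower()]


def privacy_link_check(html: str) -> Dict[str, object]:
    """Summarise whether the page has a Privacy Policy link and where it is placed."""
    links = find_privacy_links(html)
    placed = [link for link in links if link[2] in _LinkCollector.REGIONS]
    return {
        "found": bool(links),
        "in_header_or_footer": bool(placed),
        "hrefs": [link[0] for link in links],
    }


# Constructed sample pages (hypothetical markup, not from any real site).
GOOD_PAGE = """<html><body>
<header><nav><a href="/">Home</a> <a href="/pricing">Pricing</a></nav></header>
<main><p>Subscribe for a monthly plan.</p></main>
<footer><a href="/terms">Terms of Service</a> | <a href="/legal/privacy">Privacy Policy</a></footer>
</body></html>"""

BODY_ONLY_PAGE = """<html><body>
<header><a href="/">Home</a></header>
<main><p>Read our <a href="/privacy.html">privacy statement</a> here.</p></main>
<footer>&copy; 2024 Example</footer>
</body></html>"""

NO_LINK_PAGE = """<html><body><footer><a href="/terms">Terms</a></footer></body></html>"""


if __name__ == "__main__":
    for name, page in (("good", GOOD_PAGE), ("body-only", BODY_ONLY_PAGE), ("none", NO_LINK_PAGE)):
        print(name, privacy_link_check(page))
```

A link buried in the body counts as "found" but not as placed where users and reviewers look for it, so a release check should fail unless in_header_or_footer is true. Run the same check on the page your App Store Connect privacy policy URL points at.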
Cookies and tracking
Even if you operate from an EU member state and must post a separate Cookies Policy, include a summary of its provisions in your Privacy Policy as well. If you are not required to maintain a Cookies Policy, this section of your Privacy Policy is where users will look for that information.
Scruff handles this by first listing the types of tracking technology it uses.
The next section covers how to opt out of cookies and tracking. It offers a long list of services and opt-out links; the sample shows how Scruff presents the information.
Most auto-renew apps use tracking technology, particularly because the service is customized to make the experience more satisfying to the user. Even if you believe a user would approve of this use, describe it in your Privacy Policy and give them the means to opt out.
State notices
If you have users in California, which any app in the U.S. App Store will, the California Online Privacy Protection Act (CalOPPA) requires specific disclosures in your Privacy Policy: the categories of personally identifiable information you collect, the categories of third parties you may share it with, how users can review and request changes to their information, how you notify users of changes to the policy, the policy's effective date, and how you respond to browser Do Not Track signals.
This is often given a separate label so that compliance is easy to verify.
This example from Strides explains the act and how the company complies.
Delaware and Nevada require similar notices, but since those laws passed recently, there are no published examples yet. Their requirements are similar to California's, so a notice modeled on the Strides example will help you comply with current state privacy laws.
Privacy Policies are required by law and by most app distribution platforms. Drafting one keeps you in compliance with distributors and regulators. Treat it as a vital part of app development, since legal issues can delay release and therefore revenue.
Comprehensive compliance starts with a Privacy Policy.