If your app sends push notifications to users, you may need a Privacy Policy. But first, let's cover exactly what a push notification is and does.
A push notification is a message from an app that pops up at random times on a mobile device.
They're typically formatted like mobile alerts and text messages, and pop up regardless of whether a user is actually within the app at the time or not.
Push notifications are intended to provide an enhanced user experience after downloading an app. For example, downloading a sports app and allowing push notifications will give you notifications of things like score updates and final game scores. Weather app push notifications can let you know if a dangerous weather event has suddenly started in the area you're in.
Here's an example of a push notification from H&M that encourages a user to shop for boots to go with a jacket she recently bought via the H&M app:
Here's one from KAYAK that lets a user know that the price just dropped on a flight he's watching.
Push notifications can let users know when others have interacted with their social media accounts by liking photos or leaving comments, as seen in this Android push notification from Luca.
All iOS apps are required to have a user opt in to receive push notifications, such as by tapping "OK" in the example push notification request seen here:
Android and Fire OS don't require a user to opt in to receiving these notifications from apps.
Do You Need a Privacy Policy if Your App Uses Push Notifications?
The short answer is yes.
In April of 2013, the Federal Trade Commission (FTC) released an update to its existing COPPA FAQ. The older version differentiated between the kinds of information apps could use to send push notifications without that information qualifying as "personal information."
If anonymous screen names and usernames were used to send the push notifications, this wouldn't count as personal information, even where these push notifications included advertising, or the collecting and using of information.
The FTC said that this would constitute "performing network communications," "maintaining or analyzing the function of the web site or online service," and "supporting internal operations" and would not necessarily rise to the level of counting as the use of "personal information."
The update to the FAQ changes this: if you use any information (including anonymous screen names and usernames) to send push notifications, it is considered the use of "personal information."
Whenever personal information of a user is collected, stored or used by an app or website, a Privacy Policy is required according to a number of laws including:
- CalOPPA law in the US
- Privacy Act of 1988 in Australia
- Data Protection Act in the UK
- PIPEDA in Canada
- PDPA in Singapore and Malaysia
App stores also have their own Privacy Policy requirements for apps they host.
Apple App Store Requirements
Apple's iOS Developer Program License Agreement (PLA) states that all iOS apps must comply with all applicable privacy laws and regulations in any jurisdictions where your app may be offered.
It also states: "You and the Application must comply with all applicable privacy and data collection laws and regulations with respect to any collection, use or disclosure of user or device data."
The iOS Developer Program License Agreement also mentions that iOS apps "must provide clear and complete information to users regarding...collection, use and disclosure of user or device data, e.g., a link to Your privacy policy on the App Store."
Because push notifications typically use information like user location to provide relevant location-based notifications, and because the FTC has taken the stance that information used to send push notifications is considered to be "personal information," Apple requires a Privacy Policy to be in place with your app if your app uses push notifications.
Google Play Store Requirements
The Google Play Developer Distribution Agreement requires that app developers have "privacy procedures and notices in place." A "privacy notice" is a Privacy Policy agreement.
Google states:
"You agree that if you use the Store to distribute Products, you will protect the privacy and legal rights of users. If the users provide you with, or your Product accesses or uses, user names, passwords or other login information or personal information, you must make the users aware that the information will be available to your Product, and you must provide a legally adequate privacy notice and protection for those users."
Because push notifications use personal information, Google requires apps that use push notifications to have a Privacy Policy in place.
Third Party Requirements
Push notifications are an effective method for reaching and engaging with your users. This has led to a number of third party push notification delivery system companies being created to help apps deliver push notifications to their users.
These third parties each have their own Privacy Policies and requirements when it comes to user privacy and handling push notifications.
OneSignal's Terms of Service has a section about Consumer Control & Opt-Out Options. Users are informed that they "may in most cases opt out of receiving push notifications by going to your device 'Settings' and clicking on 'Notifications,' and then changing those settings for some or all of the apps on your device."
CleverTap's Terms of Service has a section about "Data Collection." This section thoroughly outlines restrictions, limitations and requirements on how user personal information must be dealt with. The very first sentence states that "each Party will comply with applicable laws, including applicable privacy laws."
This means that if personal information is collected from users - to send push notifications or otherwise - there must be a Privacy Policy in place that lets users know about the collection and use of their information.
Firebase is a popular web and mobile app development platform powered by Google. To use Firebase, developers must agree to be bound by the Google APIs Terms of Service agreement and the Google API Services: User Data Policy.
The Google APIs Terms of Service requires that developers:
"will comply with all applicable privacy laws and regulations including those applying to PII" and that developers "will provide and adhere to a privacy policy for your API Client that clearly and accurately describes to users of your API Client what user information you collect and how you use and share such information (including for advertising) with Google and third parties."
The Google API Services: User Data Policy goes into more detail about what's expected when it comes to how user data and personal information are to be handled. You must:
- Be transparent about the data you access with clear and prominent privacy disclosures, and
- Publish a privacy policy that fully documents how your application interacts with user data.
If you develop an app through Firebase and use personal information to send push notifications to users, you need to disclose this in your Privacy Policy.
Because push notifications may use personal information like GPS locations, usernames, shopping information and others, they may trigger a requirement for a Privacy Policy.
App stores themselves also require Privacy Policies to be in place for apps distributed on them, and some third party push notification companies require a disclosure of the use of personal information in a Privacy Policy as well.
This means that if your app uses push notifications, you will more likely than not be required to include a Privacy Policy that lets users know:
- What personal information you're collecting from them,
- How you use this personal information,
- How you store and safeguard this personal information, and
- Any third parties you share information with