Before you start promoting your mobile app, you need to make sure that all your ducks are in a row. Start with technical testing and a strong mobile app analytics platform that is up and running. You’ll also want a strong mobile app privacy policy in place.
A mobile app privacy policy is a legally binding agreement that outlines how a mobile app will collect, use, store, and share user data. The policy may be a regulatory requirement under several data or privacy laws, but it’s also something that many customers look for when considering which apps to use.
To both protect your business and the customer, knowing how to write a strong mobile app privacy policy is critical, so we talked to expert Karen Walsh about how to do exactly that.
Karen is a lawyer and former internal auditor turned subject matter expert in cybersecurity and privacy regulatory compliance. Her consulting and content services for cybersecurity startups translate technology features into business-oriented and compliance solutions. Author of Security-First Compliance for Small Businesses, Karen is a CMMC Registered Practitioner who has been published in the ISACA Journal, Dark Reading, HelpNet Security, NextGov, and Security Magazine.
A 2019 Pew Research study found that only 9% of Americans surveyed say they always read a company’s privacy policy, with 13% more saying they do regularly.
This means that only a small segment of customers are actually reading the privacy policy, but for those that do, it absolutely matters. And even for those who don’t — they’ll likely still notice if you don’t have one.
And there’s a good reason for customers to care a great deal, as mobile apps have the potential to collect a significant amount of information.
“Customers place trust in companies when interacting with mobile apps,” Walsh explained, “sharing personal information like email addresses and telephone numbers. Privacy policies should be giving them insight into how companies use this data to help close this trust loop.”
This information should be transparent and easy to read, in plain language as opposed to highly technical writing that’s difficult to decipher.
Just as mobile app privacy policies matter to customers, they also matter a great deal to businesses and app developers.
“For businesses and app developers, the privacy policies act as both protection and visibility,” said Walsh. “Increasingly, companies need to supply these policies to meet legal and regulatory compliance mandates. On a more ‘customer service’ level, app developers and businesses should be giving customers transparency around data collection and use it to build that trustworthy relationship that customers want.”
Many app developers first focus on launching a mobile app in a specific country, which makes it easy to abide by local or regional regulations. As you shift to a larger and potentially international audience, however, your privacy policy needs to account for that.
“For many companies, all app policies should include the international audience,” said Walsh. “The European Union (EU) General Data Protection Regulation (GDPR) intends to cover any EU citizens no matter where they live, including within an EU member state or in the US.”
“The California Consumer Privacy Act (CCPA) takes a similar approach to citizens and residency. Many of the newer state and international laws seek to extend protections, regardless of physical location. Essentially, the best protection is to create, implement, and enforce privacy policies that respond to the strictest compliance requirement.”
While reading up on the above policies is a good place to start, if you’re unsure, it’s often worthwhile to consult with a lawyer with expertise in privacy policies.
If you’ve ever read a mobile app privacy policy (and we recommend that you do!), you’ll likely notice that there are often plenty of different clauses involved that break down different aspects of the policy itself.
Walsh recommends that all companies include the following clauses in their privacy policies to cover rights users should have over their data:
The ability to refuse to have data collected, processed or shared.
The ability to access data upon request.
The option to release data that they no longer want the company to have.
The ability to fix errors in data.
The option to restrict data processing.
We also recommend including clauses that detail what data you collect, how you collect it, how long you keep it, and what you do with it.
While some clauses are particularly valuable to businesses, others matter most to users.
Here’s what Walsh said:
“Savvy users will look at the limitations around data collection and processing, especially third-party processing. Many people are willing to share their data with a company so they can use a mobile app, but they don’t want the organization to sell or share that data with third-parties.”
We’ve seen data privacy become an increasing concern in recent years. A 2023 Deloitte study showed that only 38% of users trust businesses to protect their data more than they did in the year prior, and only 34% believe that companies are transparent about data use. Having clear policies in place specifically around data sharing can go a long way to build user trust through transparency.
Privacy statements for mobile apps are not just a technicality; they are legally binding contracts, so they should be created with great care.
When asked about common mistakes many businesses make when it comes to mobile app privacy policies, this is what Walsh shared:
“Companies need to balance privacy policy readability with legal and regulatory compliance. People want to understand the policy, but, and I say this as a retired attorney, lawyers often make that impossible.
People want clear, readable, normal language. Finding the right balance between meeting a compliance objective and communicating with the end-users is the best way to build trust.”
Because privacy policies are so important, it’s critical to ensure that you’re consulting the right teams and experts when creating yours.
And in many cases, as Walsh explained, that may involve working with multiple internal team members and, if needed, external ones:
“Someone who understands the company’s regulatory compliance requirements should look at the policy. These policies are twofold. They need to comply with a law or regulation, and they need to communicate with the end user. In a perfect world, legal, cybersecurity/IT, and communications teams would collaborate on these policies so that they tell the organization’s truth, meet compliance objectives, and communicate rights meaningfully.”
If you don’t have someone on your team with the experience to confidently manage the legal aspects of a privacy policy, we recommend seeking an external consultant with the experience and qualifications to help.
We’ve already discussed that tech-savvy users in particular are looking to see how businesses share their data. This is a concern that many users have — even if they aren’t necessarily reading the privacy policies themselves.
In addition to transparency around data collection and sharing, Walsh shared that users may also prefer brands who limit data collection where possible:
“Limiting data collection as precisely as possible and being transparent is critical. Today’s consumers are more privacy-focused than ever before. Watching data breach after data breach hit the news cycle, they are less willing to give companies blind trust over their data. The less data companies collect, the safer they and their customers will be.”
Mobile app privacy policies often involve multiple teams within an organization, including legal, marketing, developers, and cybersecurity or IT experts. Even though a sizeable share of users never read them, you should still ensure that your policy is transparent and details your data collection and sharing practices.
And, as your mobile app changes over time, or as new regulations roll out, review your privacy policy and update it as needed to ensure that you’re in compliance with new legal requirements.