Understanding Compliance and Data Disclosure for Your Mobile App

Learn how to avoid data compliance headaches for iOS and Android and what to consider when disclosing your mobile app data to Google and the App Store.

June 26, 2023
Noah Settersten
Senior Developer

This article presents basic guidelines for understanding and meeting requirements for disclosing data collection within mobile apps. It is not legal advice; please consult a lawyer for direction on meeting compliance with legal requirements.

Avoid getting caught in the app store approval process

After investing significant effort into developing your new mobile app, the last thing you want is to realize that you neglected to disclose important data.

This can cause compliance and/or legal issues which can push back the launch of your product. From the start, you need to be mindful to document and prepare all of the “paperwork.”

Let’s talk about what you can do to be better prepared for the app store approval process for both iOS and Android.

Data privacy — What do we mean?

When we speak of data privacy, what is it?

Many of us have an intuitive understanding of privacy in our personal lives, but how does that intersect with our data?

When I refer to data privacy, I mean the information that software collects, that servers transmit and store, and that third parties receive when a user interacts with a business’s software.

This can include personal details like

  • name
  • email address
  • financial information
  • purchase or transaction history
  • screens viewed or buttons pressed in an app
  • along with much more

Data privacy is becoming more serious

Privacy has been quite the active topic in recent years, and individuals are becoming more concerned with what happens to their data. From the EU’s GDPR to California’s CCPA (and established or developing laws in other US jurisdictions), user privacy has grown into a legal concern as well. When building software, there are both user perception and legal compliance reasons to take data privacy seriously.

Examples of laws in place in the U.S.

Virginia Law

Colorado Law

California CCPA

Mobile app data is becoming more transparent

In recent years, the mobile app stores have moved to make data usage and tracking by apps more transparent. Beyond any text in a privacy policy or terms of use, Apple and Google now require app developers to list the kinds of data they use and what purposes they use it for. This allows for a quick overview of how your data will be used and whether you’ll be tracked by the developer.

The terminology is different (App Privacy for Apple, Data Safety for Google), but they provide similar insight into what kinds of data are collected and how they are used.

Figure: App Privacy for Apple (App Store screenshot of data linked to a user)

Figure: Data Safety for Google (Google mobile app store screenshot of data linked to a user)

Kinds of data

When publishing a new app to the stores (or a new version of an app that was originally submitted before these requirements), you’ll need to provide this list of data and report how each kind is used.

This could include things like

Contact information

  • Name, email address, phone number

User content

  • Photos, videos, user-submitted content

Identifiers

  • User ID or device ID. Device IDs for advertising (for example, the IDFA on iOS) may require additional approval from users

Purchase history

  • Records of in-app purchases and subscriptions

Location

  • Geo-location for the user’s device

Health and fitness information

  • Health history and exercise tracking

Usage data and diagnostics

  • App interactions, crash logs, and other diagnostic and reporting data

You’ll want to consider any kind of data the app gathers, either automatically (like diagnostics or usage data), by permission from the user (like location or contacts), or from a direct request from the user (uploads or user-created content). Depending on what data is used, you may not be required to disclose it.

Optional disclosure

Apple allows for optional disclosure for some data usage, and Google considers some data not in scope as well. While the app stores do have exceptions for data that doesn’t need to be listed, you may want to consider whether it makes sense to describe your usage of that data anyway.

How data are used

Beyond the kinds of data that an app collects, the app stores also differentiate how the data are used. Both platforms give a general list of categories for how information is employed.

For example

Third-party advertising

  • Displaying ads from third parties and sharing data with others who display third-party ads.

Analytics

  • Tracking user behavior and app engagement

Personalization

  • Suggested content, app customization

App functionality

  • Authentication, managing features, customer support

Unique requirements

Apple data collection policy for mobile apps

Apple requires developers to describe which data can be linked to a user’s identity and used to track a user for advertising or other purposes. This appears differently within App Privacy than data collected anonymously (data not connected to a specific user).

Google data collection policy for mobile apps

Google requires developers to separately describe data collected by the app versus data shared with another provider (along with how each party uses the data).

Preparing for disclosure

Now that we have an idea of what data privacy is and how mobile apps must report their data usage, how can you best prepare for filling out the necessary forms?

For a recent app project at Headway, we needed to retroactively review the data usage in the app; how might we better approach this for a new application?

1. Planning early

First, I’d suggest planning early in your app design process. Start a list of the data you collect right when you start designing the app. As screens and workflows are designed, keep track of what data the app will collect and how you will store and use it. What categories or kinds of data does your app need to function? Which are optional for the user to provide? For what purposes are you collecting the data? Are there any kinds of data that you can choose to intentionally not collect?

2. Update as you add new features

Second, as you begin to build the app, update your list of data as you add new features. Write down what users submit in forms, what you send to API endpoints, what permissions you request, and what information you share with external services. Continue to build on your overall picture of data usage as the app grows to avoid needing to review the codebase in full when submitting to the app stores.

3. Review integrations from third parties

Third, review each third-party service that you integrate with. Some collect additional data that you may not directly use or collect yourself. Even if your app doesn’t use this data, it must be reported. This may require looking through documentation, user forums, or privacy policies.

For example, RevenueCat provides a helpful guide for what data they collect and how to report it.

RevenueCat Guide

4. Gather notes to assemble disclosures

Finally, gather your notes and assemble your disclosures for the app stores. If you’ve kept notes while building your app, hopefully, this shouldn’t require too much additional research. Each app store has slightly different requirements, but your overall list should give you the starting point you need to fully disclose your data usage.

A more transparent app ecosystem

Now that you have an idea of the value of data privacy and what the app stores require, hopefully you’ll be more equipped for your next mobile project. As individuals grow more concerned with how their information is used, we can all help to create more of an environment of trust and safety online.
