Many of the most popular mobile apps collect personally identifiable information. Although most app developers are not required to display a privacy policy under federal law, they are contractually required to do so pursuant to the terms and conditions of the websites that market most major mobile device applications (e.g., the Apple Store, or Google Play). In addition, the California Attorney General has taken the position that applications that collect personal information are required to post a privacy policy pursuant to the CalOPPA discussed in the previous section. The following is a snapshot of information concerning app privacy.


Possible penalty under California law for each app downloaded without a privacy policy.


Percentage of banking related apps that contain harmful code.


Percentage of popular dating apps vulnerable to hacker exfiltration of PII.

Consider the following privacy issues when developing a mobile app:

Does the app have a privacy policy? Privacy policies are a best practice if the app will be used in connection with personally identifiable information. As discussed above, there is also an argument that they may be required if they solicit information from California residents.

Is the app directed to users younger than 13? Under the Children's Online Privacy Protection Act ("COPPA"), if the app collects information from children it must include a privacy policy as well as comply with additional requirements imposed under that Act. See the section titled Collecting Information From Children for more information.

How is personally identifiable information stored by the app? Apps can store data in multiple places, including the device, backups of the device, and the app provider's servers. A best practice is for a mobile app's privacy policy to state accurately where personally identifiable information is stored.

Does the app communicate personally identifiable information to others? A useful privacy policy accurately states whether data that the user provides is relayed to anyone else.

Does the mobile app provider securely communicate any personally identifiable information? A 2013 study concluded that 18 percent of apps sent usernames and passwords by non-encrypted communications. Consider stating within the app's privacy policy whether the app transmits personally identifiable information, and, if so, whether the information is encrypted in transit.

If the app crashes, does diagnostic data about the crash include personally identifiable information? Some apps do not transmit personally identifiable information in their normal operation, but diagnostic data may inadvertently capture such information in an unencrypted manner.