What does the policy need to contain?
- Name and contact information of the data controller
- Data being collected, including granularity of location data (if applicable)
- Device functionalities and sensors the app requires access to
- Explanation of the purpose for which this information is collected
- Third parties with whom the information is shared (if any)
- Purpose of such sharing
- User’s (statutory) opt-out and other rights regarding collection, processing and use of their personal information
- Transfer and use of information outside the EU/EEA, and if applicable, the additional protections put in place (like EU model clauses or Privacy Shield)
What do the distribution platforms require on top?
Particular emphasis is placed on transparency: if the app collects and transmits user information in a manner that is not clearly described in the Play Store product description or the app’s user interface, then the app must obtain active consent from the user any time it wants to collect or transmit such information.
Additional requirements apply if the app processes any payment information or certain other types of sensitive data.
Apple has similar provisions in its Developer Program License Agreement and the App Store Review Guidelines. These rules also require transparent information about the collection and use of personal data. Obligations to register separately to use a game are frowned upon if it is possible to use the game (or other app) without such mechanisms.