What Privacy Information Must Be Displayed in Mobile Apps?

If your mobile app collects, processes, or shares personal data, you are legally required to provide users with clear, accessible privacy information. This obligation is set out in data protection laws such as the GDPR (in the EU and UK) and California’s CCPA/CPRA, and is reinforced by platform-specific requirements from Apple and Google.

At a minimum, your app must include a comprehensive privacy policy. This should be easily accessible both within the app, such as in the settings or about section, and via your app store listing. The policy must be written in plain, understandable language and kept up to date as your data practices evolve.

The privacy policy should explain what types of personal data you collect, such as names, email addresses, location data, or device identifiers, and how you collect it, whether through user input, sensors, or third-party tools. It must also specify why the data is being collected (e.g., to provide app functionality, run analytics, or enable marketing) and, where applicable, set out the lawful basis for processing under GDPR, such as consent or legitimate interest.

You must also disclose whether you share personal data with third parties, including advertising or analytics partners, and whether any data is transferred outside of your users’ home country. Retention periods should be outlined clearly, stating how long data is kept and what criteria determine those timelines.

Users must be informed of their privacy rights, such as the right to access, delete, or correct their data, and how they can exercise those rights or contact your organisation. You should also explain the security measures you’ve implemented to protect user data, such as encryption or data minimisation practices.

Consent mechanisms are especially important. If your app processes sensitive data or tracks users, you must obtain explicit consent and document how and when this consent is collected, such as through permission prompts or cookie banners. Finally, you should explain how users will be informed of any changes to your privacy policy and display the date of the most recent update. 
