
Your app needs a privacy policy in the Windows Store

If you would like to publish your Windows 8 application to the Windows Store, you had better provide a proper privacy statement, because many apps are being rejected for a missing or inadequate privacy policy.

This is the referred requirement:

4.1.1 Your app must have a privacy statement if it collects personal information

Why?

So how do the testers know that your app works with sensitive data? From the manifest file you provide, of course! In practice, if you have anything checked on the Capabilities page, they have reason to believe that your app accesses private data (even if your app actually doesn’t, but could). And here is the pitfall: the project skeletons that Visual Studio 2012 generates have the Internet (Client) capability checked by default:

[Image: default-capabilities]

Well, this seems reasonable, because most applications today want to connect to remote services, but in this case the IP address of the client – which is definitely sensitive data – is sent to the service. So if your app doesn’t connect to the network, you had better turn off this capability to save yourself some certification time. On the other hand, if your app does nothing but download data from the Internet, you definitely need a privacy policy.

Personal information includes:

  • IP numbers
  • Webcam snaps
  • Audio/video recordings
  • Name, address, DOB and other PII
  • Photos
  • Contacts
  • Documents
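As an added example (not code from the original post), this script reads a manifest the way the testers described above do: it lists every declared capability and the personal-information category it suggests, so unused capabilities can be removed before submission. The sample manifest and the capability-to-data mapping are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a Windows 8 Package.appxmanifest,
# trimmed to the Capabilities section (not taken from the article).
SAMPLE_MANIFEST = """
<Package xmlns="http://schemas.microsoft.com/appx/2010/manifest">
  <Capabilities>
    <Capability Name="internetClient" />
    <Capability Name="picturesLibrary" />
    <DeviceCapability Name="webcam" />
  </Capabilities>
</Package>
"""

# Assumed mapping from capability names to the personal-information
# categories listed in the article; extend it for your own review.
DATA_EXPOSED = {
    "internetClient": "IP address",
    "internetClientServer": "IP address",
    "webcam": "webcam snaps, video recordings",
    "microphone": "audio recordings",
    "picturesLibrary": "photos",
    "documentsLibrary": "documents",
}

def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def declared_capabilities(manifest_xml):
    """Return the Name of every Capability/DeviceCapability, in document order."""
    root = ET.fromstring(manifest_xml)
    wanted = ("Capability", "DeviceCapability")
    return [el.get("Name") for el in root.iter()
            if local_name(el.tag) in wanted and el.get("Name")]

def audit(manifest_xml):
    """Summarise what a tester can infer from the manifest alone."""
    caps = declared_capabilities(manifest_xml)
    return {
        "capabilities": caps,
        # Per the article: any declared capability is reason to expect a policy.
        "needs_privacy_policy": bool(caps),
        "data_exposed": {c: DATA_EXPOSED.get(c, "unmapped, review manually")
                         for c in caps},
    }

if __name__ == "__main__":
    for cap, data in audit(SAMPLE_MANIFEST)["data_exposed"].items():
        print(f"{cap}: {data}")
```
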

What?

In general, an acceptable privacy policy is one that:

  • Informs users of the personal information collected by your app
  • Informs users how that information is used, stored, secured, and disclosed
  • Describes the controls that users have over the use and sharing of their information
  • Describes how users can access their information
  • Complies with applicable laws and regulations

The recommended practice is that if your app doesn’t actually collect or store personal information, say so in your privacy policy. One more reason to provide a policy.

If your app connects to a 3rd party service, don’t forget to include or link to the policy of the service.

Samples and sources

Beyond these general guidelines, Microsoft doesn’t provide samples or templates, because it’s definitely your task to create a custom policy for your application. Not the ideal task for a developer, so let’s see some samples.

The good news is that there are several free privacy policy generators available online. I found that many of them require you to register at the end of a really long wizard if you want to see the generated policy, so be careful.

My personal favorite is the Privacy Choice Policy Maker recommended by the Association for Competitive Technology (ACT). In this tool you first have to complete a 6-step form to generate a badge like this:

[Image: policy-kids-badge]

Although this badge is not suitable for the Windows Store, I like the idea. Just click on the I need a privacy policy link to get to the 12-step wizard, where you will be provided with tons of options and detailed descriptions.

If you need a short statement, you can be inspired by Robert MacLean’s privacy statement:

This application does not collect or transmit any user’s personal information, with the exception of technical information included in HTTP requests (such as your IP address). No personal information is used, stored, secured or disclosed by services this application works with. If you would like to report any violations of this policy, please contact us using the contact form.

Robert also has a slightly longer version, and his blog is worth reading: http://www.sadev.co.za/app-privacy

Where?

The final question is where to publish the privacy statement. When you submit your app to the Store, you will find a Privacy policy field on the form in the Description step:

[Image: appreg-policy]

Although the tip says you can enter up to 2048 characters, the tooltip of the help icon makes it clear that you have to enter a URL here. Yes, even if it seems like nonsense, your app needs a valid webpage where you publish your privacy policy. Well, there are examples of accepted URLs that point to Word documents published on SkyDrive… Note that the form allows you to leave this field empty, but your app will be rejected later, so you had better fill in this field.

Within your app the best place for your privacy policy is the Settings charm:

[Image: policy-settings-charm-usa-today]

Of course you can add a hyperlink here that points to your online statement.

And finally, you can give a hint to the testers in the Instructions for testers field of the Notes to testers step about where they can find your privacy statement.

 

So these are the experiences and public information so far. If you have any more ideas, tips or experiences, please don’t hesitate to share them, so we can all publish our apps seamlessly in the Store. Thank you.

 

  1. October 23, 2012 at 09:13 | #1

    Thanks for a good article, especially the practical tips about privacy statement generators.
    One thing got me thinking though: you mention that “Of course you can add a hyperlink here that points to your online statement.” (to the Settings Charms bar). Is it possible that in some cases this is not possible? E.g. the user doesn’t allow the app to go online before reading the privacy statement. I don’t think any official document covers that. As a safeguard, I’ve myself always opted for a local flyout menu to display the privacy statement.

    Btw, the newly published MSDN articles Resolving certification errors (http://msdn.microsoft.com/library/windows/apps/hh921583.aspx) and Avoiding common certification failures (http://msdn.microsoft.com/library/windows/apps/jj657968.aspx) are quite useful for covering the opt-in scenarios and other certification related errors as well.

    • October 23, 2012 at 14:50 | #2

      Karl, thanks for the feedback and the links. Actually the guidance got slightly updated after I wrote this blog post.

      I think the case you mentioned is covered by the privacy policy URL displayed on the app page in the Store. So you can actually review the policy before you download and install the app. I don’t think any user would want to review the PP before starting an action in the app. If a user wants to read the PP at all, she does that before she installs the app.

      I also prefer displaying the PP locally in the app, so it is available offline. The issue with this is that you have to maintain the text in two places: online and also in the app.

  2. vk
    October 24, 2012 at 05:43 | #3

    Experienced this myself. We always had the URL version, but recently the Settings Pane needs a privacy policy also. And make sure you let the testers know that it’s there, even if it’s always been there. Apps have been rejected when they do include it mainly because the testers are currently busy with the flood of apps. It’s not good that they don’t notice, but it happens, so help yourself and include how to find it in your test notes.

  3. October 24, 2012 at 10:16 | #4

    Thanks for sharing your experience, vk!

  4. Saad
    December 26, 2012 at 14:54 | #5

    Hello, very nice post. I am a beginner in developing apps. I have the same issue. My app has been rejected two times. The problem is the URL. I created a blog and posted a privacy policy for my app there. I gave the link to my app’s policy in the app’s submission. And how can I add a privacy policy in the Settings charm?

  5. January 3, 2013 at 09:05 | #6

    I personally consider this particular article, “Your app needs a privacy policy in the Windows Store Codes from the field”, highly engaging and also the post was a superb read.
    Thanks for your effort-Lilla

  6. January 18, 2013 at 18:17 | #7

    Finally managed to get my app accepted, the information on the privacy statement generators saved me a heap of time

  7. January 16, 2014 at 09:16 | #9

    Great post. I’ve just come across this exact issue with my first app submission and looking forward to getting it resolved using the information you’ve posted here. I’ve got a posted privacy policy already online but it seems certification deems it that I need to link to that explicitly from the app.

  8. January 18, 2014 at 13:30 | #10

    Great post added to ours just now as it keeps getting knocked back

    “The app has declared access to network capabilities and no privacy statement was provided in the Windows Settings Charm.”

    Hope link helps others

    http://www.nationaltradesmen.co.uk/mobile/privacyM.aspx
