Daily Archives: October 22, 2012

Your app needs a privacy policy in the Windows Store

If you would like to publish your Windows 8 application to the Windows Store, you had better provide a proper privacy statement, because many apps are being rejected for a missing or inadequate privacy policy.

This is the requirement in question:

4.1.1 Your app must have a privacy statement if it collects personal information

Why?

So how do the testers know that your app works with sensitive data? From the manifest file you provide, of course! In practice, if you have anything checked on the Capabilities page, they have reason to believe that your app accesses private data (even if your app actually doesn’t, but could). And here is the pitfall: the default project skeletons that Visual Studio 2012 generates have the Internet (Client) capability checked:

[Image: default-capabilities]

Well, this seems reasonable, because most applications today want to connect to remote services, but in this case the IP address of the client – which is definitely sensitive data – is sent to the service. So if your app doesn’t connect to the network, you had better turn off this capability to save yourself some certification time. On the other hand, if your app does nothing but download data from the Internet, you definitely need a privacy policy.

Personal information includes:

  • IP numbers
  • Webcam snaps
  • Audio/video recordings
  • Name, address, DOB and other PII
  • Photos
  • Contacts
  • Documents
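
The same check the testers make can be run before submission. The following is an added example, not code from the original post or from Microsoft: it reads the capabilities declared in a Package.appxmanifest and maps them to the kinds of personal information listed above. The mapping table, the function names and the sample manifest are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Assumed mapping (mine, not Microsoft's) from Windows 8 manifest capability
# names to the kinds of personal information listed in the post.
PERSONAL_DATA = {
    "internetClient": "IP address (sent with every request)",
    "internetClientServer": "IP address (sent with every request)",
    "webcam": "webcam snaps, video recordings",
    "microphone": "audio recordings",
    "picturesLibrary": "photos",
    "documentsLibrary": "documents",
}

# Constructed sample: the relevant part of a Package.appxmanifest.
SAMPLE_MANIFEST = """\
<Package xmlns="http://schemas.microsoft.com/appx/2010/manifest">
  <Capabilities>
    <Capability Name="internetClient" />
    <Capability Name="musicLibrary" />
    <DeviceCapability Name="webcam" />
  </Capabilities>
</Package>"""


def audit_capabilities(manifest_xml):
    """Map each declared capability to the personal data it may expose."""
    findings = {}
    for elem in ET.fromstring(manifest_xml).iter():
        # Drop the "{namespace}" prefix so any manifest schema version matches.
        local_name = elem.tag.rsplit("}", 1)[-1]
        if local_name in ("Capability", "DeviceCapability") and elem.get("Name"):
            # Any declared capability counts, even one missing from the mapping.
            findings[elem.get("Name")] = PERSONAL_DATA.get(
                elem.get("Name"), "not in mapping, review manually")
    return findings


def needs_privacy_policy(manifest_xml):
    """True if the manifest declares at least one capability."""
    return bool(audit_capabilities(manifest_xml))


if __name__ == "__main__":
    for name, data in sorted(audit_capabilities(SAMPLE_MANIFEST).items()):
        print(f"{name}: {data}")
    print("Privacy policy needed:", needs_privacy_policy(SAMPLE_MANIFEST))
```

Any capability the audit reports that the app does not actually use is a candidate for removal from the manifest before submission.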

What?

In general, an acceptable privacy policy is one that:

  • Informs users of the personal information collected by your app
  • Informs users how that information is used, stored, secured, and disclosed
  • Describes the controls that users have over the use and sharing of their information
  • Describes how users can access their information
  • Complies with applicable laws and regulations

The recommended practice is that if your app doesn’t actually collect or store personal information, say so in your privacy policy. One more reason to provide a policy.

If your app connects to a third-party service, don’t forget to include or link to the policy of that service.

Samples and sources

Beyond these general guidelines, Microsoft doesn’t provide samples or templates, because it’s definitely your task to create a custom policy for your application. Not the ideal task for a developer, so let’s see some samples.

The good news is that there are several free privacy policy generators available online. I found that many of them require you to register at the end of a really long wizard if you want to see the generated policy, so be careful.

My personal favorite is the Privacy Choice Policy Maker recommended by the Association for Competitive Technology (ACT). In this tool you first have to complete a 6-step form to generate a badge like this:

[Image: policy-kids-badge]

Although this badge is not suitable for the Windows Store, I like the idea. Just click on the I need a privacy policy link to get to the 12-step wizard, where you will be provided with tons of options and detailed descriptions.

If you need a short statement, you can be inspired by Robert MacLean’s privacy statement:

This application does not collect or transmit any user’s personal information, with the exception of technical information included in HTTP requests (such as your IP address). No personal information is used, stored, secured or disclosed by services this application works with. If you would like to report any violations of this policy, please contact us using the contact form.

Robert also has a slightly longer version, and his blog is worth reading: http://www.sadev.co.za/app-privacy

Where?

The final question is where to publish the privacy statement. When you submit your app to the Store, you will find a Privacy policy field on the form in the Description step:

[Image: appreg-policy]

Although the tip says you can enter up to 2048 characters, the tooltip of the help icon makes it clear that you have to enter a URL here. Yes, even if it seems like nonsense, your app needs a valid webpage where you publish your privacy policy. Well, there are examples of accepted URLs that point to Word documents published on SkyDrive… Note that the form allows you to leave this field empty, but your app will be rejected later, so you had better fill in this field.

Within your app the best place for your privacy policy is the Settings charm:

[Image: policy-settings-charm-usa-today]

Of course you can add a hyperlink here that points to your online statement.

And finally, you can give a hint to the testers in the Instructions for testers field of the Notes to testers step about where they can find your privacy statement.

 

So these are the experiences and public information so far. If you have any more ideas, tips and experiences, please don’t hesitate to share them, so we can all publish our apps seamlessly in the Store. Thank you.

 
