If you hire a 3rd party app developer, be sure to agree in writing on who is responsible for the app privacy policy.  Too frequently, the privacy policy is left out of the development agreement, leaving the client to figure out the information collection practices of an app they did not develop.

The privacy policy must detail what information is collected, how that information is used and to whom it is disclosed.  The developer is in the best position to prepare the privacy policy as they know what information the app collects.  While the client may have an idea of what information is collected, mere ideas are too speculative for the exactness required in a privacy policy.

When entering into an agreement with a 3rd party app developer, be sure that privacy policy responsibility is addressed in the agreement.  Two common approaches are:

1.  Assistance:  the developer will provide the client with all information necessary for the client to create a privacy policy and, if necessary, will work with the client’s lawyer to collect this information.  Limits may be set on the amount of time the developer will devote to this.

2.  Create:  the developer will create an original privacy policy for the client.  Never allow a developer to copy another company’s privacy policy as this policy does not reflect your information practices and may constitute copyright infringement.

If the developer does not want to assist with a privacy policy, consider looking elsewhere.  A “finished” app still requires legal documents to protect your company and to comply with the law.  A developer that won’t assist with legal compliance is not providing a complete product.

Startups and video game companies often ask me to draft a privacy policy AFTER development is complete. Unfortunately, developers often fail to track their software’s information collection features and 3rd party plugins used for data collection during development.  As a result, privacy policy drafting may require development backtracking to determine these collection practices.

I recommend that developers consider privacy as part of the development process. This simplifies the process of drafting a Privacy Policy, documents all information collection features in your software to assist with future development and may lower legal fees!

During development, consider the following:

1. Collect the minimum.  Only collect the minimum amount of information your company needs as this simplifies the privacy policy and is appreciated by users.

2. What are you collecting?  Create a list of all information that your software collects and make sure this list is shared between development teams and is kept up to date.  If possible, separate this information into “Personal”, such as first and last names, geolocation data or email addresses, and “Anonymous”, such as number of clicks or how long a user stayed on a page.

3. What are you using this information for?  Opposite each piece of information you collect, note what you are using this information for.  For example, in a restaurant app, beside geolocation data:  “determines user location to list nearby businesses that are similar to type requested by user”.  If you can’t find a use for information, consider not collecting that information.

4. Are you disclosing this information outside the company?  Opposite each piece of information you collect, note if you disclose that information to 3rd parties outside of your company and how those companies are using this information.

5. 3rd party plugins?  Keep track of 3rd party plugins/APIs incorporated into your software and, if possible, determine the collection practices of these 3rd party plugins/APIs as this information is also incorporated into the privacy policy.

Considering privacy as part of the development process will impose an organizational structure on your information collection practices to assist with future development and greatly assist your lawyer when preparing your privacy policy.