
Windows Store app development: Include that privacy policy

Pete Brown - 03 October 2012

Privacy is a huge concern to most customers. Part of the Windows Store app certification process includes checking for the presence of a privacy policy if your app declares any capabilities which could affect privacy.

MSDN has a section (4.1.1) explaining what is expected from the privacy policy. I won't quote it here, but some important points jump out (emphasis mine):

Declaring certain capabilities in your app manifest makes us think your app collects the corresponding private information. For example, declaring Internet capabilities (internetClient, internetClientServer) in the app manifest makes us think you're collecting the IP number of the user.

Note that the default templates for apps in Visual Studio include the internetClient capability, so unless you change the default manifest, you will need a privacy policy.

So if your app connects to the Internet, you need a privacy policy explaining what you do with the information (IP numbers, for example).

Similarly, if your app captures Webcam images, Audio or video recordings, accesses Photos, Contacts, or Documents, or collects user-entered name, address, date of birth or other personally identifiable information (PII), you must have a privacy policy.
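To check which of these capabilities a package actually declares, the manifest can be audited before submission. The script below is an added example, not code from the original post or from Microsoft. The sample manifest is constructed, and only internetClient and internetClientServer are named in the post; the other capability names are an assumed mapping onto the data types the post lists.

```python
import xml.etree.ElementTree as ET

# Capabilities the post names explicitly, plus manifest capability names assumed
# here to correspond to the data types it lists (webcam, audio, photos, documents).
PRIVACY_RELEVANT = {
    "internetClient": "IP address (named in the post)",
    "internetClientServer": "IP address (named in the post)",
    "webcam": "webcam images / video (assumed mapping)",
    "microphone": "audio recordings (assumed mapping)",
    "picturesLibrary": "photos (assumed mapping)",
    "documentsLibrary": "documents (assumed mapping)",
}

# Constructed sample resembling a template manifest with one device capability added.
SAMPLE_MANIFEST = """<Package xmlns="http://schemas.microsoft.com/appx/2010/manifest">
  <Identity Name="Contoso.SampleApp" Publisher="CN=Contoso" Version="1.0.0.0" />
  <Capabilities>
    <Capability Name="internetClient" />
    <DeviceCapability Name="webcam" />
  </Capabilities>
</Package>"""


def declared_capabilities(manifest_xml):
    """Return the Name of every Capability/DeviceCapability element."""
    root = ET.fromstring(manifest_xml)
    names = []
    for elem in root.iter():
        local = elem.tag.rsplit("}", 1)[-1]  # drop the XML namespace prefix
        if local in ("Capability", "DeviceCapability") and elem.get("Name"):
            names.append(elem.get("Name"))
    return names


def privacy_findings(manifest_xml):
    """Map each declared privacy-relevant capability to the data it implies."""
    return {name: PRIVACY_RELEVANT[name]
            for name in declared_capabilities(manifest_xml)
            if name in PRIVACY_RELEVANT}


if __name__ == "__main__":
    findings = privacy_findings(SAMPLE_MANIFEST)
    for name, data in findings.items():
        print(f"{name}: implies collection of {data}")
    print("Privacy policy required" if findings else "No flagged capabilities")
```

If the app does not need a flagged capability, removing it from the manifest is the simpler fix; otherwise each finding is a line item the privacy policy should cover.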

The format and structure of the privacy policy is up to you and your lawyer. It's a legal document, just like an EULA or other license agreement. For those reasons, Microsoft does not provide a template or any guidance on the format of the document other than the following:

In general, an acceptable privacy policy is one that:

  • Informs users of the information collected by your app
  • Informs users how that information is used, stored, secured and disclosed
  • Describes the controls that users have over the use and sharing of their information
  • Describes how they may access their information
  • Complies with applicable laws and regulations

Again, refer to our official documentation on the topic on MSDN for any updates to this guidance.

Viewing the Policy

Prior to installation, the privacy policy is also available on the app's page in the store. Once installed, the privacy policy is accessed through the Settings pane in the app, as shown here:

image

By way of example, here's part of the privacy policy flyout page for an app:

image

So, you can see that the policy doesn't need to be written in legalese, but can instead be plain text which explains the information collected and what you do with it.

   
posted by Pete Brown on Wednesday, October 3, 2012

3 comments for “Windows Store app development: Include that privacy policy”

  1. Arun Mahendrakar says:
    Hey Pete,

    I had some trouble writing my first privacy policy for my app. I had to look for multiple apps and read through many paragraphs online to figure out what needs to go into a privacy policy.

    The section 'In general, an acceptable privacy policy is one that:' makes up for a very nice reference. Can you please make sure those points are included in the site (link below) for the reference of the thousands of developers?

    http://msdn.microsoft.com/en-us/library/windows/apps/hh694083.aspx

    Thanks,
    Arun
  2. alan says:
    I was just wondering if there are any privacy permissions required during the developing stage of an application. For e.g., if an organization is developing any app internally, does it require to collect any personal information or where a data privacy notice shall be required? Can you give an example while replying to the query?

    Thanks in advance
    Alan.
