You also have to detail what a user’s rights are. From Dearie:
Legally, if you have users in the EU or California, you need to include a section (or sections) that specify the privacy rights that they are granted under those jurisdictions. For example, EU citizens should be informed that they have the right to request to transfer, edit, or delete their personal data, while California citizens should be informed of their right to request that their personal data not be sold.
Dearie points out that, while Reischer may be correct that such a policy can absolve guilt, the GDPR recognizes only six lawful bases for the "collection and processing" of personal data: user consent, legitimate interests, public interest, contractual necessity, vital interests, and legal obligation. To remain GDPR compliant, your policy must state which of these bases you are relying on for each processing activity, not just a blanket justification for the app as a whole. Note that "legitimate interests" is not a catch-all: under the GDPR it requires you to weigh your interest against the user's, and it can be overridden by the user's rights.
You could craft your own policy, so long as you are open about what information the app gathers, which partners you may be sharing it with, and what you are doing with user data. Writing your own makes the most sense when the app or service collects no information at all, or when it stores login credentials and nothing more. Keep in mind that even in the latter case you are still processing personal data (a username or email address identifies a person under the GDPR), so the policy still has to say how those credentials are stored and for how long they are retained.
The easiest method for most tech pros is finding a template online. We really like Termly's GDPR-friendly option, which can be customized and embedded on any webpage (which, as we've noted, is now mandatory for some services). It's free to use if you get fewer than 25,000 page views monthly and don't need to embed your policy (Termly hosts your policy and provides you with a link to it, which adheres to Apple's rules). If you want to embed your policy on your own page or have a lot of traffic to your site, the $10/month paid option is probably a better choice.
Apple is likely a canary in the privacy coal mine. We fully expect Google to follow suit, especially as its recent Google Plus user-data privacy issues have shown that it is as vulnerable as any other company to exposing user data. Expect web-hosting services to follow suit at some point as well.
Yes, it's going to cost you a bit of cash to craft and implement a policy, but a few dollars every month is far cheaper than the fallout your business and reputation will take if you or your partners aren't clear about how data is handled. Even the best intentions can seem nefarious when you leave people in the dark.