1

I googled a lot, but I don't find a valid answer (I find a related answer here, but I think it's out of date).

My android app makes use of google analytics, do I have to create a dialog to inform the users about that (to comply to the EU cookie law)?
The cookie law is referring only to websites, but at this link google includes both websites and mobile apps, so I am a little confused.

Also, I think that a dialog for the first use is an horrible idea, and I hope to avoid that.

Community
  • 1
  • 1
Azincourt
  • 935
  • 5
  • 13
  • 29
  • 4
    I'm voting to close this question as off-topic because it is about law and legislation. Consult a lawyer instead. – rene Sep 27 '15 at 12:40

2 Answers2

3

I'll answer both of your bolded questions:

  1. Google Analytics

Using Google Analytics you consent to their terms of service which state that you, using Google Analytics, will have and abide by a privacy policy:

You will have and abide by an appropriate Privacy Policy and will comply with all applicable laws, policies, and regulations relating to the collection of information from Visitors. You must post a Privacy Policy and that Privacy Policy must provide notice of Your use of cookies that are used to collect data. You must disclose the use of Google Analytics, and how it collects and processes data.

Therefore, you always need a privacy policy no matter what you do with your Google Analytics installation. This is rooted in privacy laws around the globe, Google just codified this.

The privacy policy on the app store and in the app as a minimum is a no-brainer. Even just to say in plain English that this app doesn't collect and process any personal data.

The bigger question these days leading up to September 30th is, whether you need to abide by the stronger wording of the EU user consent policy when you target European users.

The answer is yes, when you use any of the Google Analytics Advertising Features:

When using Google Analytics Advertising Features, you must also comply with the European Union User Consent Policy.

For apps this realistically comes down to collecting consent before starting the app and collecting any data.

  1. Cookie law is only concerned with websites

As pointed out by @Eike, the cookie law isn't necessarily concerned with cookies or websites as such, it extends to cookies and similar technologies. Here's what the Article 29 Working Party says in its communication regarding cookie consent exemptions:

requiring informed consent before information is stored or accessed in the user’s (or subscriber’s) terminal device. The requirement applies to all types of information stored or accessed in the user’s terminal device although the majority of discussion has centred on the usage of cookies as understood by the definition in RFC62651. As such, this opinion explains how the revised Article 5.3 impacts on the usage of cookies but the term should not be regarded as excluding similar technologies.

It says two things: not only cookies, but all similar technologies, not only web but all terminal devices.

To come back full circle, in their EU user consent policy Google mentions both websites and apps in order to make sure everyone understands the requirements:

If the EU user consent policy applies to your website or app, two of the key things to consider are:

  • Do you have a means of obtaining consent from your end users? If not, you’ll need one.
  • What message should you present to your users to get consent?

To finish, if you have some time you might want to check out this opinion on apps on smart devices.

disclosure: It is a very complex topic that I'm working on daily at www.iubenda.com

Simon
  • 2,263
  • 2
  • 19
  • 26
1

The "cookie law" is not actually called cookie law, is not particulary concerned with cookies and in fact mentions cookies only once or twice by way of example. The

Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications)

, which by now has been turned into national law by most European countries, regulates (well, the full name is pretty much self-explanatory) "privacy in the electronic communications sector" (which includes not only websites but apps, smart-TV, web-enabled toasters and everything else that communicates electronically).

You can read the text of the directive here, but the short form is: If you want to track somebody, no matter on what device, you need his/her/zes/zirs permission and even then there are limits.

This is off-topic for SO in any case, but the misunderstandings about the so called "cookie law" are so annoyingly persistent that they need to be addressed somewhere.

Eike Pierstorff
  • 31,996
  • 4
  • 43
  • 62
  • Are you sure about the text of directive? I always see this as reference: http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm – Azincourt Sep 17 '15 at 11:01
  • That merely says that cookie usage has to comply with the EU directive (so this is a special case for a general regulation). – Eike Pierstorff Sep 17 '15 at 11:05
  • At the end, I chose to add the dialog and a Privacy Policy page; however, I checked on Android Market and it seems that very few apps are comply with the EU law. – Azincourt Sep 18 '15 at 10:03
  • 1
    Technically the EU does not pass laws (it passes directives which need to be turned into national law by the member states, and they have some wiggle room as to how narrowly they want to interpret the directives). But yes, privacy laws are rarely enforced (partly because practially everybody is confused what is allowed and what not). – Eike Pierstorff Sep 18 '15 at 10:07