Privacy policy linked in app metadata or UI
Why it matters
GDPR Art. 13, CCPA §1798.100, and COPPA §312.4 all require that a privacy policy be provided to users before or at the time of data collection. Apple's App Store Review Guidelines (5.1.1) mandate a privacy policy URL in app metadata for any app that collects user or device data — apps without one are rejected at review. Google Play similarly requires a privacy policy link in the store listing for apps with any data collection. A placeholder URL (e.g., https://example.com/privacy) satisfies neither the legal disclosure requirement nor the app store technical requirement — reviewers check that the URL resolves to actual policy content. COPPA additionally requires specific disclosures when an app may be used by children under 13.
Severity rationale
High because a missing privacy policy URL causes App Store and Google Play rejection at submission, and its absence during data collection creates direct GDPR Art. 13 and CCPA §1798.100 violations.
Remediation
Add a real privacy policy URL to app.json and link to it from your Settings screen. The URL must resolve to actual policy content, not a placeholder or a 404. Note that the store-facing privacy policy URL is entered separately, in App Store Connect and in the Google Play Console; keep the app.json value and the in-app link pointing at the same published document.
{
  "expo": {
    "privacy": "https://yourapp.com/privacy"
  }
}
// In your Settings or About screen
import { Linking, Pressable, Text } from 'react-native'

// Opens the published privacy policy in the system browser.
function LegalLinks() {
  return (
    <Pressable onPress={() => Linking.openURL('https://yourapp.com/privacy')}>
      <Text>Privacy Policy</Text>
    </Pressable>
  )
}
For COPPA compliance, the policy must explicitly state whether the app is directed at children and how parental consent is obtained. For GDPR, it must identify the data controller, legal basis for processing, and the user's rights under Arts. 15–22.
Detection
- ID: privacy-policy-linked
- Severity: high
- What to look for: Check app.json for a privacy URL field. Count all in-app links to the privacy policy (Settings, About, legal section, onboarding). Quote the actual URL found or note its absence.
- Pass criteria: At least one privacy policy link exists: either in app.json metadata, in an in-app Settings/About/legal section, or bundled within the app. The link points to a real URL (not a placeholder like https://example.com).
- Fail criteria: No privacy policy URL in app metadata and no privacy policy link anywhere in the app. Do NOT pass when the URL is a placeholder (e.g., https://example.com/privacy or TODO).
- Skip (N/A) when: App is internal/development only with no published release and no user data collection.
- Detail on fail: "No privacy policy URL in app.json and no privacy policy link found in app UI"
- Cross-reference: For app store listing requirements related to the privacy policy, the App Store Policy Compliance audit covers mandatory metadata fields.
- Remediation: Add the privacy policy URL to app metadata (app.json) and link it from your app's UI:

  {
    "expo": {
      "privacy": "https://yourapp.com/privacy"
    }
  }

  And add a link in your Settings screen:

  import { Linking, Pressable, ScrollView, Text } from 'react-native'

  function SettingsScreen() {
    return (
      <ScrollView>
        {/* Other settings */}
        <Pressable onPress={() => Linking.openURL('https://yourapp.com/privacy')}>
          <Text>Privacy Policy</Text>
        </Pressable>
      </ScrollView>
    )
  }
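As an added example (not code from the original page or from the Expo project), the following Node.js script implements the pass/fail/skip criteria above as a static check over a parsed app.json object and the text of source files. The function names, the placeholder patterns beyond example.com and TODO, and the sample app.json and source snippets are assumptions constructed for this demonstration. A static check can only reject empty and placeholder values; confirming that a URL actually serves policy content rather than a 404 still needs a live request.

```javascript
// Added example: static implementation of the privacy-policy-linked check.
// Hypothetical helper names; `expo.privacy` is the app.json key this page uses.

// Values that can never count as a real policy URL. example.* is reserved
// for documentation (RFC 2606); TODO/TBD-style markers are placeholders.
// Everything beyond example.com and TODO is an assumption of this example.
const PLACEHOLDER_PATTERNS = [
  /^https?:\/\/(www\.)?example\.(com|org|net)(?=[\/?#]|$)/i,
  /^https?:\/\/(localhost|127\.0\.0\.1)(?=[:\/?#]|$)/i,
  /\b(TODO|TBD|FIXME|CHANGEME|placeholder)\b/i,
];

// A "real" URL here is an absolute http(s) URL that matches no placeholder
// pattern. Whether it resolves to policy content (not a 404) must be checked
// with a live request, which a static audit cannot do.
function isRealPolicyUrl(url) {
  if (typeof url !== 'string') return false;
  const value = url.trim();
  if (!/^https?:\/\/[^\s\/]+/i.test(value)) return false;
  return !PLACEHOLDER_PATTERNS.some((re) => re.test(value));
}

// Pull every quoted http(s) URL literal out of a source file and keep the
// ones that look like privacy policy links (the word "privacy" in the URL).
const URL_LITERAL_RE = /['"`](https?:\/\/[^'"`\s]+)['"`]/g;
const PRIVACY_URL_RE = /privacy/i;

function findInAppPrivacyLinks(sourceFiles) {
  const links = [];
  for (const [file, text] of Object.entries(sourceFiles)) {
    for (const match of text.matchAll(URL_LITERAL_RE)) {
      const url = match[1];
      if (PRIVACY_URL_RE.test(url)) links.push({ where: file, url });
    }
  }
  return links;
}

// Apply the pass/fail/skip rules. `appConfig` is the parsed app.json object,
// `sourceFiles` maps file path -> file contents, and `opts.internalOnly`
// marks an internal/development-only build with no user data collection.
function auditPrivacyPolicy(appConfig, sourceFiles, opts = {}) {
  if (opts.internalOnly) {
    return { status: 'skip', detail: 'Internal/development-only app, no published release and no user data collection', urls: [] };
  }
  const candidates = [];
  const metadataUrl = appConfig && appConfig.expo ? appConfig.expo.privacy : undefined;
  if (metadataUrl !== undefined) candidates.push({ where: 'app.json', url: String(metadataUrl) });
  candidates.push(...findInAppPrivacyLinks(sourceFiles || {}));

  const describe = (list) => list.map((c) => `${c.url} (${c.where})`).join(', ');
  const real = candidates.filter((c) => isRealPolicyUrl(c.url));
  if (real.length > 0) {
    return { status: 'pass', detail: `${real.length} privacy policy link(s) found: ${describe(real)}`, urls: real };
  }
  if (candidates.length > 0) {
    // Placeholder values are reported but never count toward a pass.
    return { status: 'fail', detail: `Only placeholder privacy policy URL(s) found: ${describe(candidates)}`, urls: candidates };
  }
  return { status: 'fail', detail: 'No privacy policy URL in app.json and no privacy policy link found in app UI', urls: [] };
}

// Constructed sample input: a placeholder in app.json, a real link in the UI.
const SAMPLE_APP_JSON = { expo: { name: 'Demo', privacy: 'https://example.com/privacy' } };
const SAMPLE_SOURCES = {
  'src/screens/Settings.tsx': [
    "<Pressable onPress={() => Linking.openURL('https://yourapp.com/privacy')}>",
    '  <Text>Privacy Policy</Text>',
    '</Pressable>',
  ].join('\n'),
  'src/screens/About.tsx': "const HELP_URL = 'https://yourapp.com/help';",
};

const REPORT = auditPrivacyPolicy(SAMPLE_APP_JSON, SAMPLE_SOURCES);
console.log(JSON.stringify(REPORT, null, 2));
```

With the constructed input the check passes on the strength of the in-app link alone, because the app.json value is an example.com placeholder and is excluded; swapping the Settings link for a TODO or an example.com URL turns the result into a fail with the placeholder values quoted in the detail, which is what the "Do NOT pass" rule above requires.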
External references
- gdpr · Art. 13 — Information to be provided where personal data are collected
- ccpa · §1798.100
- coppa · §312.4 — Notice to parents
- external · apple-app-store-privacy-policy — Apple App Store Review Guidelines: 5.1.1 Privacy policies
Taxons
History
- 2026-04-18·v1.0.0·Initial import from mobile-permissions-privacy·automated