GDPR Art. 13 requires that data subjects be informed of the categories of data collected and the purposes of processing at the time of collection — not buried in a long-form privacy policy users will never read. CCPA §1798.100 similarly requires 'notice at collection' that discloses data types before or at the point where data is collected. An app that collects location data and sends it to a backend without ever explaining this to the user in context — even if the privacy policy mentions it — fails the informed-at-collection requirement. Google Play Data Safety's prominence means that mismatches between declared data collection and actual SDK behavior are publicly visible to users before they install.
Medium because undisclosed data collection violates GDPR Art. 13 notice requirements and CCPA §1798.100 notice-at-collection, but the immediate data-breach risk is lower than cleartext storage or missing consent gating.
Add contextual in-app notices at each data collection point. The notice must name the data type and its purpose — generic 'we collect data to improve your experience' copy does not satisfy GDPR Art. 13.
// Before requesting location for a feature
function NearbyContentScreen() {
const [noticeShown, setNoticeShown] = useState(false)
useEffect(() => {
Alert.alert(
'Location Used Here',
'We use your location to show nearby listings. Your precise location is not stored — only a city-level radius is sent to our servers.',
[{ text: 'Got it', onPress: () => setNoticeShown(true) }]
)
}, [])
// render feature
}
For analytics, add a one-line in-app notice on the settings screen listing the data types collected (e.g., 'We collect screen views and tap events to improve navigation'). Update your privacy policy to list specific data types and retention periods, not just categories.
ID: mobile-permissions-privacy.data-handling.collection-disclosure
Severity: medium
What to look for: Enumerate all data collection points (analytics events, API calls that send user data, permission-gated features). For each, check whether the data type is disclosed in the privacy policy or in an in-app notice near the collection point.
Pass criteria: At least 100% of data collection types are disclosed either in the privacy policy or via in-app context at collection points (e.g., location permission rationale, analytics notice). Privacy policy clearly states what data is collected and the purposes.
Fail criteria: Any data collection type is undisclosed — privacy policy is vague or missing regarding specific data collected. OR app collects data with no disclosure to users.
Skip (N/A) when: App collects no user data (no analytics, no API calls sending user information, no permission-gated features).
Detail on fail: Specify what data lacks disclosure. Quote the collection code. Example: "App collects user location and sends it to backend but privacy policy does not mention location collection" or "Analytics tracking enabled with no notice to users"
Remediation: Clearly disclose data collection in your privacy policy and in-app UI:
// In-app disclosure example
function LocationFeature() {
const [showDisclosure, setShowDisclosure] = useState(true)
return (
<>
{showDisclosure && (
<Alert
title="Location Data"
message="We collect your location to show nearby content. This data is stored securely and never shared with third parties."
buttons={[
{ text: 'Got it', onPress: () => setShowDisclosure(false) }
]}
/>
)}
{/* Feature content */}
</>
)
}