To comply with privacy regulations, mobile developers must create privacy policies that accurately describe their apps' data practices. This requires a complete understanding of their apps' behaviors, including those of embedded third-party SDKs. Despite the complexity of this process, little is known about how privacy policies are created and validated. To investigate, we interviewed 20 developers from around the world about their processes and observed them using a large language model (LLM) to prepare privacy policies for their apps. We found that developers struggle to collect information about third-party SDKs, even when they use LLMs, and feel uncertain about the legal validity of LLM outputs. Many developers do not seek legal assistance and believe that, as long as app stores accept their privacy policies, they are protected. Our findings suggest that reliance on LLMs, combined with developers' desire to externalize validation, may result in increasingly unreliable privacy policies.
ACM CHI Conference on Human Factors in Computing Systems