I don't know exactly the legal details, but over the past several years "privacy policies" have evolved into some sort of "data use policies" (with no privacy to speak of) and the norm is to use terms on apps to basically give companies access to the most invasive and abusive stuff, and we don't see the legal system doing anything to stop this, as long as it isn't directly in medical or legal contexts…
Agreeing to surrender your privacy, even when through a clickwrap agreement that is subject to change without notice is very different from installing spyware on someone else’s phone.
