OAuth apps have their own rules for handling private data, which differ from the WMF privacy rules. Users should use such apps at their own risk, but to evaluate that risk they need some way to review the app's privacy policy and data retention rules.
We should add a new field (oarc_privacy_policy_url or similar) to the consumer table, ask the owner for a privacy policy URL when registering the app, and display that URL in the authorization form.
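
One way the registration check and the authorization-form link could be handled, since the URL is owner-supplied and shown inside a trusted consent dialog. This is an added example, not code from the OAuth extension; the function names, the https-only rule and the 255-character limit are assumptions.

```php
<?php
// Added example; function names, https-only rule and length limit are assumptions.

/** Validate an owner-supplied privacy policy URL; returns it, or null to reject. */
function validatePrivacyPolicyUrl( string $input, int $maxLen = 255 ): ?string {
	$url = trim( $input );
	if ( $url === '' || strlen( $url ) > $maxLen ) {
		return null;
	}
	// Reject whitespace and control characters anywhere in the value.
	if ( preg_match( '/[\x00-\x20\x7f]/', $url ) ) {
		return null;
	}
	$parts = parse_url( $url );
	if ( $parts === false || !isset( $parts['scheme'], $parts['host'] ) ) {
		return null;
	}
	// Scheme allowlist: javascript:, data: and similar never reach the form.
	if ( strtolower( $parts['scheme'] ) !== 'https' ) {
		return null;
	}
	// No userinfo: "https://wikimedia.org@app.example/" misstates the destination.
	if ( isset( $parts['user'] ) || isset( $parts['pass'] ) ) {
		return null;
	}
	return $url;
}

/** Build the HTML shown in the authorization form for a stored URL. */
function renderPrivacyPolicyLink( ?string $storedUrl ): string {
	// Re-validate on output in case the stored row predates the check.
	$url = $storedUrl === null ? null : validatePrivacyPolicyUrl( $storedUrl );
	if ( $url === null ) {
		return '<em>No privacy policy provided</em>';
	}
	$safe = htmlspecialchars( $url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
	// Use the URL itself as link text so the user sees the real destination.
	return '<a href="' . $safe . '" rel="noopener noreferrer nofollow">' . $safe . '</a>';
}

// Constructed sample inputs: only the first is accepted.
$samples = [ 'https://app.example/privacy?lang=en&v=2', 'javascript:alert(1)',
	'http://app.example/privacy', 'https://wikimedia.org@app.example/' ];
foreach ( $samples as $candidate ) {
	echo $candidate, ' => ', renderPrivacyPolicyLink( $candidate ), "\n";
}
```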