Last updated on 09 May 2022 by William Blesch (Legal and data protection research writer at TermsFeed)
In May of 2021, Google announced that it would require all apps listed in the Google Play Store to begin detailing how they would handle user data in a new "Data Safety Section." Google launched that safety section for developers in the Google Play Store on October 18, 2021.
The launch follows Google's promise made in May to improve transparency about how apps store user data on its platforms. App developers will have to detail their data use in a series of bullet points that users see when they click on an app to update or install it.
The general public won't see any of these app privacy briefings until February 2022. By launching the safety section for developers in October, Google believes it's giving app developers a head start on updating their apps with the necessary safety information.
In fact, Google sent out an email to all developers, which you can read below:
It reads:
Hello Google Play Developer,
Earlier this year, we announced new policy requirements for the upcoming Data safety section in Google Play. With this feature, you'll have a clear way to show your users how you keep their data safe and explain what data your app collects and why.
Your Data safety form is ready for you to fill out. Go to App Content in your Google Play Console to get started.
We want to make sure you have ample time and resources to get prepared:
- Visit the Help Center for more on providing app privacy and security details in Play Console, including data type lists.
- Review how your app collects, protects and shares data. See how example apps should fill out the form on our Play Academy course.
- Join a policy webinar and send us your questions in advance. You can register for Global, India, Japan, or Korea sessions.
- We'll also be presenting and answering questions at Android Developer Summit and Droidcon.
- Review the policy requirements on our Policy Center or watch July PolicyBytes.
Timeline
February: Users will start to see the Data safety sections in Play store.
- If your information is not approved, your section will say "No information available."
April: Deadline to have your privacy policy and Data Safety form approved.
- Without an approved section, your new app submission or app update may be rejected. There may also be additional enforcement actions in the future.
Thank you for continuing to partner with us to make Google Play a trustworthy platform for you and your users.
Google's plans for app privacy enhancements follow in Apple's footsteps, which released privacy labels in late 2020 for all products in its App Stores. These labels tell users what apps do to their data and are divided into three categories: data used for tracking, data linked to user identity, and data not related to user identity.
Apple requires Privacy Policies to be in place for all apps that are available on its store. These policies must disclose data collection, comply with the App Store Review Guidelines, and follow other legal requirements.
On the surface, Google and Apple's new data safety policies are somewhat alike. However, there are significant differences. For instance, Google isn't issuing set labels.
Instead, the tech giant is creating a "data safety summary" for developers to explain data and security practices. App developers will also be able to have their claims independently verified. This addresses the problem of false reporting, on which the Washington Post reported.
In that publication's analysis, more than a dozen apps on Apple's App Store were found to have labels that were either misleading or completely inaccurate.
With that said, Google is encouraging app developers to make the following disclosures:
To help developers take advantage of the window before Google's data safety section's official launch, the company has released a series of tools, including:
Our Privacy Policy Generator makes it easy to create a Privacy Policy for your business. Just follow these steps:
Enter the email address where you'd like the Privacy Policy delivered and click "Generate."
You'll be able to instantly access and download your new Privacy Policy.
As noted above, starting from October 18, 2021, developers can now submit information to the Google Play Console for review. Google encourages all who plan to have their apps on the Google Play Store to start sooner rather than later.
Although the data safety section will go live to the public in February 2022, Google has stated that it understands some app developers may need additional time to evaluate their apps and prepare disclosures.
However, all data safety sections must be approved by April 2022.
If developers submit the Data Safety Form and it is not approved before that date, their apps may be denied inclusion on the Play Store.
Google provided a mockup for what everyone can expect to see in app store listings starting in February, 2022.
If you're an app developer and want your app on the Google Play Store, you must complete the data safety form.
This includes apps that are on:
Even app developers who do not collect user data must complete this form. You can use your app's Privacy Policy and completed form to indicate that no user data has been shared or collected.
You will need to provide information disclosing how your app collects data, whether you share data, how you handle data in your possession, and more. You'll also need to commit to following Google's Families policy (if applicable) and announce whether your app has undergone an independent, third-party security review.
Let's look closer at each of these requirements.
According to Google, if your app transmits data from off a user's device, that's the definition of "collect."
If your app transmits data or behaves in the following ways, you must disclose it:
Data that isn't within the scope of collection can be seen in this screenshot from Google's Support pages as seen below.
When it comes to data sharing, Google distinguishes between "First Parties," which are typically the app developers and organizations that list apps on the Google Play Store, and "Third-Parties," which are any organizations that "aren't the First Party or its service providers."
Now, if your app collects data and then transmits it to a third party, you are sharing that data. In fact, any data transferred in the following ways is considered "sharing data," according to Google.
For example:
In the screenshot below, Google clarifies what types of sharing are exempt from the need for disclosure:
If you allow all users, regardless of region or device, to provide your app with data (in other words, you give them a way to opt-out of data collection), you can state that fact in the data safety form.
Additionally, this can apply to all data types you collect or only some. For instance, if you allow users to opt-out of certain kinds of data collection but not others, you'll need to specify each type and whether it is optional or required.
For instance, Google specifically states that "If your app's primary functionality requires the data type, you should declare that data as required."
Examples of optional data include:
Some app developers go above and beyond the call of duty. Google recognizes that fact and allows you to highlight your security and privacy practices in the data safety section.
For instance, you could emphasize that you encrypt all data in transit. End-to-end encryption is actually a selling point for some. If your app gives users a way to request data deletion, you could also highlight that fact.
If your app targets kids or you've chosen to opt into Google Play's "Designed for Families" program, then you have to follow the Families Policy requirements.
After ensuring that your app meets all Families Policy requirements, you have the option of displaying a badge in your data safety section, which states that you've "Committed to follow the Play Families Policy."
An independent security review of your app is optional right now, but it's clear that Google favors apps that obtain one.
After undergoing a third-party review, you can then declare in your app's Play Store listing that you've undergone a review for compliance with "an independent global security standard."
Remember that a review like this is optional and is not affiliated with Google in any way. Further, it's a security review that you'll have to pay for, and you'll be held responsible by Google for ensuring that all your declarations in this regard are truthful, complete, and accurate.
What kinds of data will developers need to disclose in the data safety form? Well, as mentioned previously, they'll have to be transparent about what data they collect, share, and more.
In fact, almost all of these data types fall under the same categories listed in major data and privacy protection laws, such as Europe's General Data Protection Regulation (GDPR) and California's Consumer Privacy Act (CCPA).
With that said, here are the categories and data types about which you need to be aware.
There are two data types under the location category. They are:
Many apps collect personal information, such as:
If your app collects data in this category, it must be disclosed.
If your app collects financial information in any of the categories below, you'll need to disclose it:
If your app collects the data within the following health categories, you need to disclose it:
If your app collects data from or on emails, SMS or MMS messages, or other in-app messages, you must disclose that fact.
If your app collects data from or on a user's photos or videos, you must disclose that fact.
If your app collects data from or the following types of audio files, you must disclose it:
If your app collects data from a user's calendar or contacts, you must disclose that fact. For example, you'll have to be transparent about any data collection on:
If your app collects data from a user's files or documents such as text or file names, you must disclose that fact.
You must disclose the collection of information about user behavior while using your app. For example, you'll need to report it if you collect data on:
If your app collects data on a user's browsing habits or websites visited, you need to disclose that fact.
If your app keeps records of things such as crash logs, diagnostics, or other app performance data, you need to disclose that fact.
If your app collects data on the type of user device on which it is installed or other identifiers, you need to report that fact. For example, you'll need to disclose it if your app collects data on:
Google requires app developers to be transparent about why they are collecting data. If you collect data for the following reasons, you must disclose that fact:
After you submit the Data Safety Form, Google will review the information provided in order to ensure that you've appropriately disclosed all necessary details. If Google finds no issues, then your Play Store application or update can continue through its normal process and you don't have to do anything extra.
You'll have until April 22, 2022 to publish app updates regardless of whether Google finds problems with your Data Safety Form. If Google finds issues, your app will most likely still be approved. However, you'll have to change the status of your Data Safety Form to "Draft" before publishing an update.
Google will ensure that you know the status of your Data Safety Form by sending you an email, an inbox message in the Play Console, and will show pertinent information on the Policy status page.
Following April 22, your Data Safety Form will need to be complete and accurate, disclosing all relevant data collection and sharing practices. This will include apps that don't collect user data.
In a move to address user privacy, Google has announced plans for app transparency. Google's actions follow Apple's footsteps, which released privacy labels in late 2020 for all products in its App Stores.
With the new Data Safety Section in place, users will better understand how an app handles their information before downloading it from the Play Store.
Although the general public will begin seeing Data Safety Forms on app listings within the Google Play Store in February 2022, developers have until April of the same year to finalize their forms.
The general timeline can be seen in this infographic seen on Google's Android developer's blog:
Developers will have to ensure that they disclose all relevant information required by Google and that all declarations are truthful, complete, and accurate. App developers must be transparent about what kind of data their app collects (e.g., personal information such as name and email address, contacts, location, financial information, and more):
Google's Data Safety Form is limited to apps that already exist on the Play Store or that you may submit to it. Third-party stores are not impacted.
Create Privacy Policy, Terms & Conditions and other legal agreements in a few minutes. Free to use, free to download.
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.
09 May 2022