Google Data Safety Form

In May of 2021, Google announced that it would require all apps listed in the Google Play Store to begin detailing how they would handle user data in a new "Data Safety Section." Google launched that safety section for developers in the Google Play Store on October 18, 2021.

The launch follows Google's promise made in May to improve transparency about how apps store user data on its platforms. App developers will have to detail their data use in a series of bullet points that users see when they click on an app to update or install it.

The general public won't see any of these app privacy briefings until February 2022. By launching the safety section for developers in October, Google believes it's giving app developers a head start on updating their apps with the necessary safety information.

In fact, Google sent out an email to all developers, which you can read below:

It reads:

Hello Google Play Developer,

Earlier this year, we announced new policy requirements for the upcoming Data safety section in Google Play. With this feature, you'll have a clear way to show your users how you keep their data safe and explain what data your app collects and why.

Your Data safety form is ready for you to fill out. Go to App Content in your Google Play Console to get started.

We want to make sure you have ample time and resources to get prepared:

• Visit the Help Center for more on providing app privacy and security details in Play Console, including data type lists.
• Review how your app collects, protects and shares data. See how example apps should fill out the form on our Play Academy course.
• Join a policy webinar and send us your questions in advance. You can register for Global, India, Japan, or Korea sessions.
• We'll also be presenting and answering questions at Android Developer Summit and Droidcon.
• Review the policy requirements on our Policy Center or watch July PolicyBytes.

Timeline

• February: Users will start to see the Data safety sections in Play store.

  • If your information is not approved, your section will say "No information available."

• April: Deadline to have your privacy policy and Data Safety form approved.

  • Without an approved section, your new app submission or app update may be rejected. There may also be additional enforcement actions in the future.

Thank you for continuing to partner with us to make Google Play a trustworthy platform for you and your users.

Google's plans for app privacy enhancements follow in Apple's footsteps, which released privacy labels in late 2020 for all products in its App Stores. These labels tell users what apps do to their data and are divided into three categories: data used for tracking, data linked to user identity, and data not related to user identity.

Apple requires Privacy Policies to be in place for all apps that are available on its store. These policies must disclose data collection, comply with the App Store Review Guidelines, and follow other legal requirements.

On the surface, Google and Apple's new data safety policies are somewhat alike. However, there are significant differences. For instance, Google isn't issuing set labels.

Instead, the tech giant is creating a "data safety summary" for developers to explain data and security practices. App developers will also be able to have their claims independently verified. This addresses the problem of false reporting, on which the Washington Post reported.

In that publication's analysis, more than a dozen apps on Apple's App Store were found to have labels that were either misleading or completely inaccurate.

With that said, Google is encouraging app developers to make the following disclosures:

• What kind of data their app collects (e.g., personal information such as name and email address, contacts, location, financial information, and more)
• Whether the data is required or optional to use the app
• Whether the data is encrypted during transit
• Whether the app was independently reviewed for conformance to a global security standard

To help developers take advantage of the window before Google's data safety section's official launch, the company has released a series of tools, including:

• A support webpage
• A guidance to help users identify these practices
• A Google Play Academy course to help developers complete the required data safety form

What Developers Can Expect

As noted above, starting from October 18, 2021, developers can now submit information to the Google Play Console for review. Google encourages all who plan to have their apps on the Google Play Store to start sooner rather than later.

Although the data safety section will go live to the public in February 2022, Google has stated that it understands some app developers may need additional time to evaluate their apps and prepare disclosures.

However, all data safety sections must be approved by April 2022.

If developers submit the Data Safety Form and it is not approved before that date, their apps may be denied inclusion on the Play Store.

Google provided a mockup for what everyone can expect to see in app store listings starting in February, 2022.

Who Needs to Complete the Data Safety Form in the Play Console?

If you're an app developer and want your app on the Google Play Store, you must complete the data safety form.

This includes apps that are on:

• Internal
• Closed
• Open, or
• Production tracks

Even app developers who do not collect user data must complete this form. You can use your app's Privacy Policy and completed form to indicate that no user data has been shared or collected.

Requirements for Completing the Data Safety Form

You will need to provide information disclosing how your app collects data, whether you share data, how you handle data in your possession, and more. You'll also need to commit to following Google's Families policy (if applicable) and announce whether your app has undergone an independent, third-party security review.

Let's look closer at each of these requirements.

Collection of Data

According to Google, if your app transmits data from off a user's device, that's the definition of "collect."

If your app transmits data or behaves in the following ways, you must disclose it:

• If user data is sent off the device by SDKs and/or libraries used by your app, regardless of whether it is transmitted to you directly or to a third-party server
• If your app controls the code or behavior delivered through a webview (an exception is a webview in which users navigate the open web)
• If your app transmits data off a user device and is processed ephemerally, it must be disclosed in your form response. However, if that data is stored in the memory alone, and is kept only as long as needed to process a specific request in real-time, and isn't used for anything else, then it doesn't have to be disclosed
• If your app pseudonymously collects data and it can reasonably be re-associated with a user, then you must disclose that fact

Data that isn't within the scope of collection can be seen in this screenshot from Google's Support pages as seen below.

Data Sharing

When it comes to data sharing, Google distinguishes between "First Parties," which are typically the app developers and organizations that list apps on the Google Play Store, and "Third-Parties," which are any organizations that "aren't the First Party or its service providers."

Now, if your app collects data and then transmits it to a third party, you are sharing that data. In fact, any data transferred in the following ways is considered "sharing data," according to Google.

For example:

• If your server takes data collected from your app and transfers it to a third-party server
• Even if all transfers take place on the user's device, it's still considered sharing data if your app transfers data to a third-party app, and you must disclose that fact in your data safety section
• If your app transfers data to a third party through a library or SDK included in your app
• If your app transfers data through a webview to a third party. However, as in collecting data, if users are navigating the open web from a webview, you don't need to disclose any data sharing that may occur

In the screenshot below, Google clarifies what types of sharing are exempt from the need for disclosure:

Handling Data

If you allow all users, regardless of region or device, to provide your app with data (in other words, you give them a way to opt-out of data collection), you can state that fact in the data safety form.

Additionally, this can apply to all data types you collect or only some. For instance, if you allow users to opt-out of certain kinds of data collection but not others, you'll need to specify each type and whether it is optional or required.

For instance, Google specifically states that "If your app's primary functionality requires the data type, you should declare that data as required."

Examples of optional data include:

Other Disclosures

Some app developers go above and beyond the call of duty. Google recognizes that fact and allows you to highlight your security and privacy practices in the data safety section.

For instance, you could emphasize that you encrypt all data in transit. End-to-end encryption is actually a selling point for some. If your app gives users a way to request data deletion, you could also highlight that fact.

Families Policy

If your app targets kids or you've chosen to opt into Google Play's "Designed for Families" program, then you have to follow the Families Policy requirements.

After ensuring that your app meets all Families Policy requirements, you have the option of displaying a badge in your data safety section, which states that you've "Committed to follow the Play Families Policy."

Independent Security Review

An independent security review of your app is optional right now, but it's clear that Google favors apps that obtain one.

After undergoing a third-party review, you can then declare in your app's Play Store listing that you've undergone a review for compliance with "an independent global security standard."

Remember that a review like this is optional and is not affiliated with Google in any way. Further, it's a security review that you'll have to pay for, and you'll be held responsible by Google for ensuring that all your declarations in this regard are truthful, complete, and accurate.

Data Types that Must be Disclosed in the Data Safety Form

What kinds of data will developers need to disclose in the data safety form? Well, as mentioned previously, they'll have to be transparent about what data they collect, share, and more.

In fact, almost all of these data types fall under the same categories listed in major data and privacy protection laws, such as Europe's General Data Protection Regulation (GDPR) and California's Consumer Privacy Act (CCPA).

With that said, here are the categories and data types about which you need to be aware.

Location

There are two data types under the location category. They are:

• Approximate location, and
• Precise location

Personal Information

Many apps collect personal information, such as:

• Name
• Email address
• Personal identifiers (account name, account ID, account number)
• Address (mailing address or home address)
• Phone number
• Race and ethnicity
• Sexual orientation
• Gender identity
• Political affiliation
• Religious affiliation
• Other personal information (date of birth, veteran status, disability status)

If your app collects data in this category, it must be disclosed.

Financial Information

If your app collects financial information in any of the categories below, you'll need to disclose it:

• Credit card number
• Debit card number
• Bank account number
• Purchase history
• Credit history
• Credit score
• Any other financial information

Health Information

If your app collects the data within the following health categories, you need to disclose it:

• Medical records or symptoms
• Data on exercise activity
• Other physical activity

Messages

If your app collects data from or on emails, SMS or MMS messages, or other in-app messages, you must disclose that fact.

Photos or Videos

If your app collects data from or on a user's photos or videos, you must disclose that fact.

Audio Files

If your app collects data from or the following types of audio files, you must disclose it:

• Voice recordings
• Sound recordings
• Music files
• Any other user-provided or user-created audio files

Calendar and Contacts

If your app collects data from a user's calendar or contacts, you must disclose that fact. For example, you'll have to be transparent about any data collection on:

• Calendar events
• Event notes
• Event attendees
• Contact names
• Message history
• Social graph information
• Call history

Files and Documents

If your app collects data from a user's files or documents such as text or file names, you must disclose that fact.

App Activity

You must disclose the collection of information about user behavior while using your app. For example, you'll need to report it if you collect data on:

• Page views
• Taps in-app
• In-app search history
• Installed apps
• Other user-generated content (e.g., bios or notes)
• Other user activities (e.g., gameplay or likes)

Web Browsing

If your app collects data on a user's browsing habits or websites visited, you need to disclose that fact.

App Information and Performance

If your app keeps records of things such as crash logs, diagnostics, or other app performance data, you need to disclose that fact.

Device and Other Identifiers

If your app collects data on the type of user device on which it is installed or other identifiers, you need to report that fact. For example, you'll need to disclose it if your app collects data on:

• IMEI numbers
• MAC addresses
• Widevine Device IDs
• Firebase installation ID
• Advertising identifiers

Data Purposes

Google requires app developers to be transparent about why they are collecting data. If you collect data for the following reasons, you must disclose that fact:

• App functionality
• Analytics
• Developer communications
• Advertising or marketing
• Fraud prevention, security, and compliance
• Personalization
• Account management

What Happens After You Submit the Data Safety Form?

After you submit the Data Safety Form, Google will review the information provided in order to ensure that you've appropriately disclosed all necessary details. If Google finds no issues, then your Play Store application or update can continue through its normal process and you don't have to do anything extra.

You'll have until April 22, 2022 to publish app updates regardless of whether Google finds problems with your Data Safety Form. If Google finds issues, your app will most likely still be approved. However, you'll have to change the status of your Data Safety Form to "Draft" before publishing an update.

Google will ensure that you know the status of your Data Safety Form by sending you an email, an inbox message in the Play Console, and will show pertinent information on the Policy status page.

Following April 22, your Data Safety Form will need to be complete and accurate, disclosing all relevant data collection and sharing practices. This will include apps that don't collect user data.

Summary

In a move to address user privacy, Google has announced plans for app transparency. Google's actions follow Apple's footsteps, which released privacy labels in late 2020 for all products in its App Stores.

With the new Data Safety Section in place, users will better understand how an app handles their information before downloading it from the Play Store.

Although the general public will begin seeing Data Safety Forms on app listings within the Google Play Store in February 2022, developers have until April of the same year to finalize their forms.

The general timeline can be seen in this infographic seen on Google's Android developer's blog:

Developers will have to ensure that they disclose all relevant information required by Google and that all declarations are truthful, complete, and accurate. App developers must be transparent about what kind of data their app collects (e.g., personal information such as name and email address, contacts, location, financial information, and more):

• Whether the data is required or optional to use the app
• Whether the data is encrypted during transit
• Whether the app was independently reviewed for conformance to a global security standard

Google's Data Safety Form is limited to apps that already exist on the Play Store or that you may submit to it. Third-party stores are not impacted.