Since May of 2021, Google requires all apps listed in the Google Play Store to detail how they handle user data in the "Data Safety Section." App developers will have to detail their data use in a series of bullet points that users see when they click on an app to update or install it.
This article will look at Google's requirements, who they apply to, what types of data must be disclosed, and how to fill in Google's Data Safety Form.
- 1. Who Needs to Complete the Data Safety Form in the Play Console?
- 2. Requirements for Completing the Data Safety Form
- 2.1. Collection of Data
- 2.2. Data Sharing
- 2.3. Handling Data
- 2.4. Other Disclosures
- 2.5. Families Policy
- 2.6. Independent Security Review
- 2.7. Data Types that Must be Disclosed in the Data Safety Form
- 2.7.1. Location
- 2.7.2. Personal Information
- 2.7.3. Financial Information
- 2.7.4. Health Information
- 2.7.5. Messages
- 2.7.6. Photos or Videos
- 2.7.7. Audio Files
- 2.7.8. Calendar and Contacts
- 2.7.9. Files and Documents
- 2.7.10. App Activity
- 2.7.11. Web Browsing
- 2.7.12. App Information and Performance
- 2.7.13. Device and Other Identifiers
- 2.7.14. Data Purposes
- 3. How to Fill In the Google Data Safety Form For Your App
- 4. What Happens After You Submit the Data Safety Form?
- 5. Summary
Who Needs to Complete the Data Safety Form in the Play Console?
If you're an app developer and want your app on the Google Play Store, you must complete the data safety form.
This includes apps that are on:
- Open, or
- Production tracks
After completing the Data Safety Form, your app will have a summary of your data safety policies and procedures. Here's an example:
So how do you get from an empty Data Safety Form to a completed one? Let's look at the requirements and the steps to comply.
Requirements for Completing the Data Safety Form
You will need to provide information disclosing how your app collects data, whether you share data, how you handle data in your possession, and more. You'll also need to commit to following Google's Families policy (if applicable) and announce whether your app has undergone an independent, third-party security review.
The Data Safety Form is accessed from within your Google Play Console, from the App content menu option:
Let's look closer at each of the requirements set out by Google.
Note: Full instructions for completing the form are located at the end of the article.
Collection of Data
According to Google, your app "collects" data whenever it transmits that data off a user's device.
If your app transmits data or behaves in the following ways, you must disclose it:
- If user data is sent off the device by SDKs and/or libraries used by your app, regardless of whether it is transmitted to you directly or to a third-party server
- If your app controls the code or behavior delivered through a webview (an exception is a webview in which users navigate the open web)
- If your app transmits data off a user's device and that data is processed ephemerally, it must be disclosed in your form response. However, if that data is stored in memory alone, is kept only as long as needed to process a specific request in real time, and isn't used for anything else, then it doesn't have to be disclosed
- If your app pseudonymously collects data and it can reasonably be re-associated with a user, then you must disclose that fact
Data that isn't within the scope of collection can be seen in this screenshot from Google's Support pages.
Data Sharing
When it comes to data sharing, Google distinguishes between "First Parties," which are typically the app developers and organizations that list apps on the Google Play Store, and "Third Parties," which are any organizations that "aren't the First Party or its service providers."
Now, if your app collects data and then transmits it to a third party, you are sharing that data. In fact, any data transferred in the following ways is considered "sharing data," according to Google.
- If your server takes data collected from your app and transfers it to a third-party server
- Even if all transfers take place on the user's device, it's still considered sharing data if your app transfers data to a third-party app, and you must disclose that fact in your data safety section
- If your app transfers data to a third party through a library or SDK included in your app
- If your app transfers data through a webview to a third party. However, as in collecting data, if users are navigating the open web from a webview, you don't need to disclose any data sharing that may occur
In the screenshot below, Google clarifies what types of sharing are exempt from the need for disclosure:
Handling Data
If you allow all users, regardless of region or device, to choose whether to provide your app with data (in other words, you give them a way to opt out of data collection), you can state that fact in the data safety form.
Additionally, this can apply to all data types you collect or only some. For instance, if you allow users to opt out of certain kinds of data collection but not others, you'll need to specify each type and whether it is optional or required.
For instance, Google specifically states that "If your app's primary functionality requires the data type, you should declare that data as required."
Examples of optional data include:
Other Disclosures
Some app developers go above and beyond the call of duty. Google recognizes that fact and allows you to highlight your security and privacy practices in the data safety section.
For instance, you could emphasize that you encrypt all data in transit. End-to-end encryption is actually a selling point for some. If your app gives users a way to request data deletion, you could also highlight that fact.
Families Policy
If your app targets kids or you've chosen to opt into Google Play's "Designed for Families" program, then you have to follow the Families Policy requirements.
After ensuring that your app meets all Families Policy requirements, you have the option of displaying a badge in your data safety section, which states that you've "Committed to follow the Play Families Policy."
Independent Security Review
An independent security review of your app is optional right now, but it's clear that Google favors apps that obtain one.
After undergoing a third-party review, you can then declare in your app's Play Store listing that you've undergone a review for compliance with "an independent global security standard."
Remember that a review like this is optional and is not affiliated with Google in any way. Further, it's a security review that you'll have to pay for, and you'll be held responsible by Google for ensuring that all your declarations in this regard are truthful, complete, and accurate.
Data Types that Must be Disclosed in the Data Safety Form
App developers will have to disclose what data they collect, use or share such as location data, personal information, financial information, health information, messages, photos, videos, audio files, calendar events, contacts, files, documents, app activity and more.
Almost all of these data types fall under the same categories listed in major data and privacy protection laws, such as Europe's General Data Protection Regulation (GDPR) and California's Consumer Privacy Act (CCPA/CPRA).
With that said, here are the categories and data types about which you need to be aware.
Location
There are two data types under the location category. They are:
- Approximate location, and
- Precise location
Personal Information
Many apps collect personal information, such as:
- Email address
- Personal identifiers (account name, account ID, account number)
- Address (mailing address or home address)
- Phone number
- Race and ethnicity
- Sexual orientation
- Gender identity
- Political affiliation
- Religious affiliation
- Other personal information (date of birth, veteran status, disability status)
If your app collects data in this category, it must be disclosed.
Financial Information
If your app collects financial information in any of the categories below, you'll need to disclose it:
- Credit card number
- Debit card number
- Bank account number
- Purchase history
- Credit history
- Credit score
- Any other financial information
Health Information
If your app collects data within the following health categories, you need to disclose it:
- Medical records or symptoms
- Data on exercise activity
- Other physical activity
Messages
If your app collects data from or on emails, SMS or MMS messages, or other in-app messages, you must disclose that fact.
Photos or Videos
If your app collects data from or on a user's photos or videos, you must disclose that fact.
Audio Files
If your app collects data from or on the following types of audio files, you must disclose it:
- Voice recordings
- Sound recordings
- Music files
- Any other user-provided or user-created audio files
Calendar and Contacts
If your app collects data from a user's calendar or contacts, you must disclose that fact. For example, you'll have to be transparent about any data collection on:
- Calendar events
- Event notes
- Event attendees
- Contact names
- Message history
- Social graph information
- Call history
Files and Documents
If your app collects data from a user's files or documents such as text or file names, you must disclose that fact.
App Activity
You must disclose the collection of information about user behavior while using your app. For example, you'll need to report it if you collect data on:
- Page views
- Taps in-app
- In-app search history
- Installed apps
- Other user-generated content (e.g., bios or notes)
- Other user activities (e.g., gameplay or likes)
Web Browsing
If your app collects data on a user's browsing habits or websites visited, you need to disclose that fact.
App Information and Performance
If your app keeps records of things such as crash logs, diagnostics, or other app performance data, you need to disclose that fact.
Device and Other Identifiers
If your app collects data on the type of user device on which it is installed or other identifiers, you need to report that fact. For example, you'll need to disclose it if your app collects data on:
- IMEI numbers
- MAC addresses
- Widevine Device IDs
- Firebase installation ID
- Advertising identifiers
Data Purposes
Google requires app developers to be transparent about why they are collecting data. If you collect data for the following reasons, you must disclose that fact:
- App functionality
- Developer communications
- Advertising or marketing
- Fraud prevention, security, and compliance
- Account management
How to Fill In the Google Data Safety Form For Your App
Before you complete the Data Safety form, make sure that you:
- Have completed the App content > Ads form
- Have completed the App content > App access form
- Have completed the App content > Targeted audience form
Here are the full instructions:
Log in to your Google Play Console account.
In the left menu, click on All apps and then choose the app you wish to work with:
In the left menu, scroll to the Policy section and click on App content:
Follow the "To do" list under the App content section to make sure your app complies with Google policies.
Go back to the App content section and click on the Start button under the Ads section:
Answer if your app displays ads or not. Click on the Save button to continue:
Go back to the App content section and click on the Start button under the App access section:
Answer whether all of your app's functionality is available to users or is restricted in some way. Click Save to continue:
Go back to the App content section and click on the Start button under the Targeted audience and content section:
Select the targeted age groups of your app and click on Next to continue:
At the Store presence step, click on Next to continue:
Click on the Save button to continue. You can review your answers under the Summary step.
Now it's time to fill in the Data safety form.
Go back to the App content section, scroll to the Data Safety section and click on the Start button:
When the Data Safety page opens, click Next at the bottom of the page to start the form:
Start answering the questions based on your app and business model.
For example, under the Data collection and security section, answer the question with Yes or No. Click the Next button at the bottom of the page to continue:
Under the Data types section, answer the question about the data that is collected or shared with third parties by your app. When done, click Next at the bottom of the page:
Under the Data usage and handling section, answer the question about how data is used and handled. When done, click Next at the bottom of the page:
You're almost done. Preview the answers and click on the Submit button:
What Happens After You Submit the Data Safety Form?
After you submit the Data Safety Form, Google will review the information provided in order to ensure that you've appropriately disclosed all necessary details. If Google finds no issues, then your Play Store application or update can continue through its normal process and you don't have to do anything extra.
Your Data Safety Form will need to be complete and accurate, disclosing all relevant data collection and sharing practices. This will include apps that don't collect user data.
Summary
Google's Data Safety requirement helps users better understand how an app handles their information before downloading it from the Play Store.
Developers will have to ensure that they disclose all relevant information required by Google and that all declarations are truthful, complete, and accurate. App developers must be transparent about what kind of data their app collects (e.g., personal information such as name and email address, contacts, location, financial information, and more), as well as:
- Whether the data is required or optional to use the app
- Whether the data is encrypted during transit
- Whether the app was independently reviewed for conformance to a global security standard