Last updated on 28 September 2022 by William Blesch (Legal and data protection research writer at TermsFeed)
Since May of 2021, Google has required all apps listed in the Google Play Store to detail how they handle user data in the "Data Safety Section." App developers will have to detail their data use in a series of bullet points that users see when they click on an app to update or install it.
This article will look at Google's requirements, who they apply to, what types of data must be disclosed, and how to fill in Google's Data Safety Form.
If you're an app developer and want your app on the Google Play Store, you must complete the data safety form.
This includes apps that are on:
You will need to provide information disclosing how your app collects data, whether you share data, how you handle data in your possession, and more. You'll also need to commit to following Google's Families policy (if applicable) and announce whether your app has undergone an independent, third-party security review.
Let's look closer at each of these requirements.
According to Google, if your app transmits data off a user's device, that's the definition of "collect."
If your app transmits data or behaves in the following ways, you must disclose it:
Data that isn't within the scope of collection is shown in this screenshot from Google's Support pages:
When it comes to data sharing, Google distinguishes between "First Parties," which are typically the app developers and organizations that list apps on the Google Play Store, and "Third-Parties," which are any organizations that "aren't the First Party or its service providers."
Now, if your app collects data and then transmits it to a third party, you are sharing that data. In fact, any data transferred in the following ways is considered "sharing data," according to Google.
In the screenshot below, Google clarifies what types of sharing are exempt from the need for disclosure:
If you allow all users, regardless of region or device, to choose whether to provide your app with data (in other words, you give them a way to opt out of data collection), you can state that fact in the data safety form.
Additionally, this can apply to all data types you collect or only some. For instance, if you allow users to opt out of certain kinds of data collection but not others, you'll need to specify each type and whether it is optional or required.
Google specifically states that "If your app's primary functionality requires the data type, you should declare that data as required."
Examples of optional data include:
Some app developers go above and beyond the call of duty. Google recognizes that fact and allows you to highlight your security and privacy practices in the data safety section.
For instance, you could emphasize that you encrypt all data in transit. End-to-end encryption is actually a selling point for some. If your app gives users a way to request data deletion, you could also highlight that fact.
If your app targets kids or you've chosen to opt into Google Play's "Designed for Families" program, then you have to follow the Families Policy requirements.
After ensuring that your app meets all Families Policy requirements, you have the option of displaying a badge in your data safety section, which states that you've "Committed to follow the Play Families Policy."
An independent security review of your app is optional right now, but it's clear that Google favors apps that obtain one.
After undergoing a third-party review, you can then declare in your app's Play Store listing that you've undergone a review for compliance with "an independent global security standard."
Remember that a review like this is optional and is not affiliated with Google in any way. Further, it's a security review that you'll have to pay for, and you'll be held responsible by Google for ensuring that all your declarations in this regard are truthful, complete, and accurate.
App developers will have to disclose what data they collect, use or share such as location data, personal information, financial information, health information, messages, photos, videos, audio files, calendar events, contacts, files, documents, app activity and more.
Almost all of these data types fall under the same categories listed in major data and privacy protection laws, such as Europe's General Data Protection Regulation (GDPR) and California's Consumer Privacy Act (CCPA).
With that said, here are the categories and data types about which you need to be aware.
There are two data types under the location category. They are:
Many apps collect personal information, such as:
If your app collects data in this category, it must be disclosed.
If your app collects financial information in any of the categories below, you'll need to disclose it:
If your app collects the data within the following health categories, you need to disclose it:
If your app collects data from or on emails, SMS or MMS messages, or other in-app messages, you must disclose that fact.
If your app collects data from or on a user's photos or videos, you must disclose that fact.
If your app collects data from or on the following types of audio files, you must disclose it:
If your app collects data from a user's calendar or contacts, you must disclose that fact. For example, you'll have to be transparent about any data collection on:
If your app collects data from a user's files or documents such as text or file names, you must disclose that fact.
You must disclose the collection of information about user behavior while using your app. For example, you'll need to report it if you collect data on:
If your app collects data on a user's browsing habits or websites visited, you need to disclose that fact.
If your app keeps records of things such as crash logs, diagnostics, or other app performance data, you need to disclose that fact.
If your app collects data on the type of user device on which it is installed or other identifiers, you need to report that fact. For example, you'll need to disclose it if your app collects data on:
Google requires app developers to be transparent about why they are collecting data. If you collect data for the following reasons, you must disclose that fact:
Before you complete the Data Safety form, make sure that you:
Here are the full instructions:
Follow the "To do" list under the App content section to make sure your app complies with Google policies.
Now it's time to fill in the Data safety form.
Go back to the App content section, scroll to the Data Safety section and click on the Start button:
Start answering the questions based on your app and business model.
For example, under the Data collection and security section, answer the question with Yes or No. Click the Next button at the bottom of the page to continue:
After you submit the Data Safety Form, Google will review the information provided in order to ensure that you've appropriately disclosed all necessary details. If Google finds no issues, then your Play Store application or update can continue through its normal process and you don't have to do anything extra.
Your Data Safety Form will need to be complete and accurate, disclosing all relevant data collection and sharing practices. This will include apps that don't collect user data.
Google's Data Safety requirement helps users better understand how an app handles their information before downloading it from the Play Store.
Developers will have to ensure that they disclose all relevant information required by Google and that all declarations are truthful, complete, and accurate. App developers must be transparent about what kind of data their app collects (e.g., personal information such as name and email address, contacts, location, financial information, and more):
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.