On May 6th, 2021, Google announced that beginning in the second quarter of 2022, mobile app developers who submit new apps and updates to existing apps to the Google Play store must disclose information regarding how their apps collect, use, and share private user information.
Let's take a deeper look at what Google's requirements are and how to satisfy them.
- 1. What is Google Requiring?
- 2. Google's Previous Mobile Privacy Requirements
- 3. Privacy Policies Required by Laws
- 3.1. The California Online Privacy Protection Act
- 3.2. The Australian Privacy Act of 1988
- 3.3. GDPR
- 4. Google's Privacy Requirements for Mobile Apps
- 4.1. Requirements for Prominent and In-App Disclosures
- 5. Your App's Request for Consent
- 6. Requirements for Specific Activities
- 7. Summary
What is Google Requiring?
Google requires that app developers disclose whether the app:
- Follows Google's Families policy
- Allows users to choose not to share specific data
- Requires specific data for the app to function
- Has its "safety section" independently verified by a third party
- Allows users to have their data deleted upon request
Further, app developers must disclose how data will be used (e.g., for personalization or functionality) and the types of data they collect, such as:
- Contacts on your phone
- Contact information
- Audio files
- Storage files
Those who do not adhere to Google's policies will have the chance to correct the issues. However, if developers remain non-compliant, they could have their apps removed from Google Play entirely.
Google appears to be following in Apple's footsteps as the latter enacted a similar policy on December 8th, 2020. Apple's version also requires app developers to post detailed information about their app's data gathering and privacy practices, which Apple refers to as "privacy nutrition labels."
Google's Previous Mobile Privacy Requirements
Back in 2018, Google declared that it would enact strict policies regarding privacy disclosure for mobile app owners. Its policies took effect on January 30th, 2018. Just four months later, the European Union's General Data Protection Regulation (GDPR), which also has data privacy rules for mobile app owners, took effect.
Google's demands on developers are mainly due to the tech giant recognizing growing privacy trends in legislation worldwide and then making a concerted effort to get ahead of the curve. For example, in addition to the GDPR, multiple international laws regarding data security and privacy now require Privacy Policies. These documents must be included any time private, personal information is collected and used by apps or websites.
Below are just a few laws that Google likely had in mind when it began putting together its requirements for privacy disclosure.
Privacy Policies Required by Laws
A few examples of personal information are:
- First and last names
- Email addresses
- Phone numbers
- Financial information (credit card numbers, bank account numbers, etc.)
- Social Security Numbers
- Billing and shipping addresses
The California Online Privacy Protection Act
The Australian Privacy Act of 1988
There is a set of Privacy Principles listed in the Australian Privacy Act of 1988 which app developers must adhere to if they collect private user information from people in Australia.
The first principle in Schedule 1 - Australian Privacy Principles demands that companies "manage personal information in an open and transparent way."
Google's Privacy Requirements for Mobile Apps
You should ensure you're doing the following if your app handles personal information:
- Secure all user data by transmitting it using current cryptography methods (e.g., HTTPS)
Requirements for Prominent and In-App Disclosures
If your app collects and transmits sensitive or personal data, you must prominently state that fact and then acquire explicit user consent before any data collection or transmission occurs.
Disclosures in your app must:
- List the types of information collected
- Describe how you will use the information
- List the types of third parties with whom you share that information
- Be kept separate from other disclosures that are unrelated to the collection of personal or sensitive information
Your App's Request for Consent
When obtaining explicit consent to collect and use personal information, you must ensure that the consent dialog is presented to the user in a straightforward and easy-to-understand format.
You must acquire user consent through an affirmative user action such as:
- Tapping to accept
- Ticking a check-box
Further, you must not:
- Consider navigation away from disclosure as an indication of consent (e.g., if a user presses the home button and leaves without actively giving consent, you can't just assume the user has given consent)
- Begin collection of personal information before obtaining affirmative consent
- Use expiring or auto-dismissing messages
Requirements for Specific Activities
For example, the Rumble Camera app requests the following permissions:
- Precise Geolocation
- WiFi Connection
- Other (receive data from the internet, control flashlight, full network access, prevent the device from sleeping, run at startup, control vibration, view network connections)
Obviously, apps that ask for permission to use a phone's camera and microphone can potentially turn on either without the consent of the phone's owner. They can also potentially record and send data back to the developer.
Your app must never publicly disclose any sensitive or personal user data related to the following:
- Government identification numbers
- Payment activities
- Other financial information
Additionally, if your mobile app can access a user's nonpublic phone book and contact list, you must ensure that this information is never disclosed or published by your app.
Google announced in May 2021 that all mobile app developers must now make their privacy disclosures and Privacy Policies public within Google Play's "safety" section, which began in the second quarter of 2022.
To be compliant with Google's requirements, Android app developers will need to place the following information in their Privacy Policies or disclosure statements:
- Whether the app follows Google's Families policy
- Whether the app allows users to choose not to share specific data
- Whether the app requires particular data to function
- Whether users can request data deletion if they uninstall the app
- Whether the app uses data encryption or any other security features
- What type of personal data the app collects or shares
- What types of third parties the app shares data with
- Whether the app has its "safety section" independently verified by a third party
In light of the above, recommended best practices for Android developers include reviewing your current Privacy Policies and disclosures. If these are missing any of the requirements outlined above, be sure to fix those issues.