Last updated on 09 May 2022 by William Blesch (Legal and data protection research writer at TermsFeed)
On May 6th, 2021, Google announced that beginning in the second quarter of 2022, mobile app developers who submit new apps and updates to existing apps to the Google Play store must disclose information regarding how their apps collect, use, and share private user information.
They must also disclose their security practices and how they plan to protect personal information. Finally, app developers must also provide a Privacy Policy with their apps. Google will place all of this information within a new "safety" section on Google Play.
Let's take a deeper look at what the requirements are and how to satisfy them.
Specifics that will soon be required by Google in an app developer's disclosures are things such as whether the app:
Further, app developers must disclose how data will be used (e.g., for personalization or functionality) and the types of data they collect, such as:
Google plans to provide further guidance for app developers throughout the summer of 2021. Those who do not adhere to Google's new policies will have the chance to correct the issues. However, if developers remain non-compliant, they could have their apps removed from Google Play entirely.
Google appears to be following in Apple's footsteps as the latter enacted a similar policy on December 8th, 2020. Apple's version also requires app developers to post detailed information about their app's data gathering and privacy practices, which Apple refers to as "privacy nutrition labels."
If you're an app developer, you probably have a Privacy Policy for your app already.
Back in 2018, Google declared that it would enact strict policies regarding privacy disclosure for mobile app owners. Its policies took effect on January 30th, 2018. Just four months later, the European Union's General Data Protection Regulation (GDPR), which has its own data privacy rules for mobile app owners, also took effect.
Google's demands on developers are mainly due to the tech giant recognizing growing privacy trends in legislation worldwide and then making a concerted effort to get ahead of the curve. For example, in addition to the GDPR, multiple international laws regarding data security and privacy now require Privacy Policies. These documents must be included any time private, personal information is collected and used by apps or websites.
Below are just a few laws that Google likely had in mind when it began putting together its requirements for privacy disclosure.
Many Android apps collect private information from their users. Personal information is any data that the developer (or third parties) could potentially use to identify an individual. Because of this reality, lawmakers worldwide have enacted regulations demanding that developers post a Privacy Policy that details the kinds of personal information they collect and use.
A few examples of personal information are:
There are 13 Privacy Principles listed in the Australian Privacy Act of 1988, which app developers must adhere to if they collect private user information.
The first principle in Schedule 1 - Australian Privacy Principles demands that companies "manage personal information in an open and transparent way."
Today, this has been interpreted to mean that companies collecting personal information must have an easily accessed, up-to-date Privacy Policy.
In the United States of America, California's Online Privacy Protection Act (CalOPPA) demands that mobile apps and websites that collect personal information within the borders of California must have a Privacy Policy. That document must lay out in detail the types of data collected, why it is collected, and how the data is used.
Additionally, you must place the Privacy Policy in a conspicuous location. For example, the Brave Private Browser places its Privacy Policy right on its app's main listing in the "additional information" section in Google's Play Store:
Similar in nature to Australia's law, which was enacted the same year, the United Kingdom's Data Protection Act of 2018 has six principles governing data privacy that call for businesses to collect data fairly and transparently. Specifically, the collection and use of data must be "specified, explicit and legitimate."
Again, this has been interpreted to mean that companies collecting personal information must have an easily accessed, up-to-date Privacy Policy.
Before the newly enhanced privacy disclosure requirements, Google required all Android apps to have a Privacy Policy if they collect and use private information. That Privacy Policy had to be placed within the app itself and also within the Play Developer Console.
The app's Privacy Policy is required to specifically disclose how your app collects, uses, and shares user data, including the types of parties with whom it's shared.
In addition to needing a Privacy Policy if an app collects personal information as mentioned above, a Privacy Policy is also necessary if the app makes sensitive data requests like trying to access a phone's microphone or camera. Again, the Privacy Policy must be placed within the app and also in the app's store listing.
For example, the Rumble Camera app requests the following permissions:
Obviously, apps that ask for permission to use a phone's camera and microphone can potentially turn on either without the consent of the phone's owner. They can also potentially record and send data back to the developer.
Because of these abilities, these apps are asking for high-risk, sensitive permissions. Therefore, it is the developer's responsibility to state clearly and prominently which permissions their apps request as well as provide a full Privacy Policy.
With data and privacy laws becoming stricter than ever, it's recommended that developers include a Privacy Policy with their apps, along with statements regarding the permissions their apps request, even when the app doesn't collect personal information at all.
As 2022 gets closer, you should ensure you're doing the following if your app handles personal or sensitive user information:
Remember that your Privacy Policy must disclose entirely how your app collects, uses, shares, and secures data. Further, you must disclose the types of third parties with whom you share data, if any.
If your app collects and transmits sensitive or personal data, you must prominently state that fact and then acquire explicit user consent before any data collection or transmission occurs.
As previously mentioned, your Privacy Policy must be included within your app and not just on Google Play. Further, you cannot hide in-app disclosures within the app's menu or settings. Instead, they must be displayed as part of the regular usage of the app.
Disclosures in your app must:
When obtaining explicit consent to collect and use personal information, you must ensure that the consent dialog is presented to the user in a straightforward and easy-to-understand format.
You must acquire user consent through an affirmative user action such as:
Further, you must not:
Your app must never publicly disclose any sensitive or personal user data related to the following:
Additionally, if your mobile app can access a user's nonpublic phone book and contact list, you must ensure that this information is never disclosed or published by your app.
There's a strong likelihood that you'll need to update your in-app disclosures and your Privacy Policy both within the app and in Google's app store to ensure you are compliant with Google's newly enhanced privacy disclosure requirements.
Google announced in May 2021 that all mobile app developers must make all of their privacy disclosures, as well as their Privacy Policies, public within Google Play's "safety" section starting in the second quarter of 2022.
Google appears to be following quickly on the heels of Apple's determination that iOS app developers must publish privacy "nutrition labels."
To be compliant with Google's new requirements, Android app developers will need to place the following information in their Privacy Policies or disclosure statements:
So far, app developers do not have access to the new "safety" section on Google Play. However, Google plans to make the new area available to developers starting in the fourth quarter of 2021. On the other hand, users won't be able to access the area until the beginning of 2022.
Privacy experts believe that Google's announcement regarding their plans for enhanced privacy disclosure requirements together with Apple's recent statements signal a shift in policy by Big Tech companies. Essentially, the executives of these companies are beginning to see trends in public attitudes and international legislation, and are moving to ensure their companies are compliant early in the process.
By doing so, they can elevate their company's image and reputation in the collective consciousness of the world's consumers, who are ever more conscious of protecting their privacy and personal information.
In light of the above, recommended best practices for Android developers include reviewing your current Privacy Policies and disclosures. If these are missing any of the requirements outlined above, be sure to fix those issues.
Additionally, don't rely on Google's requirements alone when checking to see whether you're compliant or not. You could be compliant with Google, but not with the law. At the end of the day, your app's Privacy Policy must be governed by applicable legislation and regulations.
Finally, be aware that the FTC and other regulators see Privacy Policies as contractually binding. Therefore, you should make sure your "i's" are dotted, your "t's" are crossed, and all information included in your app's disclosures and Privacy Policies is up to date and accurate.