Last updated on 01 July 2022 by William Blesch (Legal and data protection research writer at TermsFeed)
On May 6th, 2021, Google announced that beginning in the second quarter of 2022, mobile app developers who submit new apps and updates to existing apps to the Google Play store must disclose information regarding how their apps collect, use, and share private user information.
Let's take a deeper look at what the requirements are and how to satisfy them.
Specifics that will soon be required by Google in an app developer's disclosures are things such as whether the app:
Further, app developers must disclose how data will be used (e.g., for personalization or functionality) and the types of data they collect, such as:
Google plans to provide further guidance for app developers throughout the summer of 2021. Those who do not adhere to Google's new policies will have the chance to correct the issues. However, if developers remain non-compliant, they could have their apps removed from Google Play entirely.
Google appears to be following in Apple's footsteps as the latter enacted a similar policy on December 8th, 2020. Apple's version also requires app developers to post detailed information about their app's data gathering and privacy practices, which Apple refers to as "privacy nutrition labels."
Back in 2018, Google declared that it would enact strict policies regarding privacy disclosure for mobile app owners. Its policies took effect on January 30th, 2018. Just four months later, the European Union's General Data Protection Regulation (GDPR), which also has data privacy rules for mobile app owners, also took effect.
Google's demands on developers are mainly due to the tech giant recognizing growing privacy trends in legislation worldwide and then making a concerted effort to get ahead of the curve. For example, in addition to the GDPR, multiple international laws regarding data security and privacy now require Privacy Policies. These documents must be included any time private, personal information is collected and used by apps or websites.
Below are just a few laws that Google likely had in mind when it began putting together its requirements for privacy disclosure.
A few examples of personal information are:
There are 13 Privacy Principles listed in the Australian Privacy Act of 1988, which app developers must adhere to if they collect private user information.
The first principle in Schedule 1 - Australian Privacy Principles demands that companies "manage personal information in an open and transparent way."
Similar in nature to Australia's law, which was enacted the same year, the United Kingdom's Data Protection Act of 2018 has six principles governing data privacy that call for businesses to collect data fairly and transparently. Specifically, the collection and use of data must be "specified, explicit and legitimate."
For example, the Rumble Camera app requests the following permissions:
Obviously, apps that ask for permission to use a phone's camera and microphone can potentially turn on either without the consent of the phone's owner. They can also potentially record and send data back to the developer.
As 2022 gets closer, you should ensure you're doing the following if your app handles personal or sensitive user information:
If your app collects and transmits sensitive or personal data, you must prominently state that fact and then acquire explicit user consent before any data collection or transmission occurs.
Disclosures in your app must:
When obtaining explicit consent to collect and use personal information, you must ensure that the consent dialog is presented to the user in a straightforward and easy-to-understand format.
You must acquire user consent through an affirmative user action such as:
Further, you must not:
Your app must never publicly disclose any sensitive or personal user data related to the following:
Additionally, if your mobile app can access a user's nonpublic phone book and contact list, you must ensure that this information is never disclosed or published by your app.
Google announced in May 2021 that all mobile app developers must now make all privacy disclosures public as well as their Privacy Policies within Google Play's "safety" section starting in the second quarter of 2022.
Google appears to be following quickly on the heels of Apple's determination that app developers for the iOS must publish privacy "nutrition labels."
To be compliant with Google's new requirements, Android app developers will need to place the following information in their Privacy Policies or disclosure statements:
So far, app developers do not have access to the new "safety" section on Google Play. However, Google plans to make the new area available to developers starting in the fourth quarter of 2021. On the other hand, users won't be able to access the area until the beginning of 2022.
Privacy experts believe that Google's announcement regarding their plans for enhanced privacy disclosure requirements together with Apple's recent statements signal a shift in policy by Big Tech companies. Essentially, the executives of these companies are beginning to see trends in public attitudes and international legislation, and are moving to ensure their companies are compliant early in the process.
By doing so, they can elevate their company's image and reputation in the collective consciousness of the world's consumers, who are ever more conscious of protecting their privacy and personal information.
In light of the above, recommended best practices for Android developers include reviewing your current Privacy Policies and disclosures. If these are missing any of the requirements outlined above, be sure to fix those issues.
Finally, be aware that the FTC and other regulators see Privacy Policies as contractually binding. Therefore, you should make sure your "i's" are dotted, your "t's" are crossed, and all information included in your app's disclosures and Privacy Policies is up to date and accurate.
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.
01 July 2022