Google's Enhanced Privacy Disclosure Requirements

On May 6th, 2021, Google announced that beginning in the second quarter of 2022, mobile app developers who submit new apps and updates to existing apps to the Google Play store must disclose information regarding how their apps collect, use, and share private user information.

They must also disclose their security practices and how they plan to protect personal information. Finally, app developers must also provide a Privacy Policy with their apps. Google will place all of this information within a new "safety" section on Google Play.

Let's take a deeper look at what Google's requirements are and how to satisfy them.

What is Google Requiring?

Google requires that app developer's disclose whether the app:

• Follows Google's Families policy
• Allows users to choose not to share specific data
• Requires specific data for the app to function
• Has its "safety section" independently verified by a third party
• Allows users to have their data deleted upon request

Further, app developers must disclose how data will be used (e.g., for personalization or functionality) and the types of data they collect, such as:

• Geolocation
• Contacts on your phone
• Contact information
• Photos
• Videos
• Audio files
• Storage files

Those who do not adhere to Google's policies will have the chance to correct the issues. However, if developers remain non-compliant, they could have their apps removed from Google Play entirely.

Google appears to be following in Apple's footsteps as the latter enacted a similar policy on December 8th, 2020. Apple's version also requires app developers to post detailed information about their app's data gathering and privacy practices, which Apple refers to as "privacy nutrition labels."

Google's Previous Mobile Privacy Requirements

If you're an app developer, you probably have a Privacy Policy for your app already.

Back in 2018, Google declared that it would enact strict policies regarding privacy disclosure for mobile app owners. Its policies took effect on January 30th, 2018. Just four months later, the European Union's General Data Protection Regulation (GDPR), which also has data privacy rules for mobile app owners, also took effect.

Google's demands on developers are mainly due to the tech giant recognizing growing privacy trends in legislation worldwide and then making a concerted effort to get ahead of the curve. For example, in addition to the GDPR, multiple international laws regarding data security and privacy now require Privacy Policies. These documents must be included any time private, personal information is collected and used by apps or websites.

Below are just a few laws that Google likely had in mind when it began putting together its requirements for privacy disclosure.

Privacy Policies Required by Laws

Many Android apps collect personal information from their users. Personal information is any data that the developer (or third parties) could potentially use to identify an individual. Because of this reality, lawmakers worldwide have enacted regulations demanding that developers post a Privacy Policy that details the kinds of personal information they collect and use.

A few examples of personal information are:

• First and last names
• Email addresses
• Phone numbers
• Financial information (credit card numbers, bank account numbers, etc.)
• Social Security Numbers
• Birthdates
• Billing and shipping addresses

The California Online Privacy Protection Act

In the United States of America, California's Online Privacy Protection Act (CalOPPA) is one of many California laws that demands that mobile apps and websites that collect personal information within the borders of California must have a Privacy Policy. That document must lay out in detail the types of data collected, why it is collected, and how the data is used.

Additionally, you must place the Privacy Policy in a conspicuous location, such as in a Settings or some sort of in-app menu, as seen here:

The Australian Privacy Act of 1988

There is a set of Privacy Principles listed in the Australian Privacy Act of 1988 which app developers must adhere to if they collect private user information from people in Australia.

The first principle in Schedule 1 - Australian Privacy Principles demands that companies "manage personal information in an open and transparent way."

Today, this has been interpreted to mean that companies collecting personal information must have an easily accessed, up-to-date Privacy Policy.

Here's an example of a Privacy Policy that's easy to access from within an app:

GDPR

The GDPR is the most strict privacy law on the books. It has a number of stipulations for how personal information can be collected and processed. Users are given a lot of rights under the GDPR, and having a Privacy Policy displayed publicly is key to GDPR compliance.

Here's another example of how to display a Privacy Policy within your mobile app for general legal compliance:

Google's Privacy Requirements for Mobile Apps

You should ensure you're doing the following if your app handles personal information:

• Include a Privacy Policy within your app
• Include a Privacy Policy in the designated Play Console field
• Secure all user data by transmitting it using current cryptography methods (e.g., HTTPS)

Remember that your Privacy Policy must disclose entirely how your app collects, uses, shares, and secures data. Further, you must disclose the types of third parties with whom you share data, if any.

Requirements for Prominent and In-App Disclosures

If your app collects and transmits sensitive or personal data, you must prominently state that fact and then acquire explicit user consent before any data collection or transmission occurs.

Disclosures in your app must:

• List the types of information collected
• Describe how you will use the information
• List the types of third parties with whom you share that information
• Not be placed solely in the Privacy Policy or Terms of Service
• Be kept separate from other disclosures that are unrelated to the collection of personal or sensitive information

Here are some examples of what this can look like:

As previously mentioned, your Privacy Policy must be included within your app and not just on Google Play. Further, you cannot hide in-app disclosures within the app's menu or settings. Instead, they must be displayed as part of the regular usage of the app

Your App's Request for Consent

When obtaining explicit consent to collect and use personal information, you must ensure that the consent dialog is presented to the user in a straightforward and easy-to-understand format.

You must acquire user consent through an affirmative user action such as:

• Tapping to accept
• Ticking a check-box

Here's an example. Note that the Privacy Policy link is close to where consent is requested:

Here's another example, with a button used to obtain consent:

Further, you must not:

• Consider navigation away from disclosure as an indication of consent (e.g., if a user presses the home button and leaves without actively giving consent, you can't just assume the user has given consent)
• Begin collection of personal information before obtaining affirmative consent
• Use expiring or auto-dismissing messages

Requirements for Specific Activities

A Privacy Policy is necessary if an app makes sensitive data requests like trying to access a phone's microphone or camera. The Privacy Policy must be placed within the app and also in the app's store listing.

For example, the Rumble Camera app requests the following permissions:

• Precise Geolocation
• Microphone
• Camera
• Photos/Media/Files
• Storage
• WiFi Connection
• Other (receive data from the internet, control flashlight, full network access, prevent the device from sleeping, run at startup, control vibration, view network connections)

Obviously, apps that ask for permission to use a phone's camera and microphone can potentially turn on either without the consent of the phone's owner. They can also potentially record and send data back to the developer.

Because of these abilities, these apps are asking for high-risk, sensitive permissions. Therefore, it is the developer's responsibility to state clearly and prominently which permissions their apps request as well as provide a full Privacy Policy.

With data and privacy laws becoming more strict than ever, it's recommended that developers include a Privacy Policy with their apps along with statements regarding the permissions their apps make even when the app doesn't collect personal information at all.

Your app must never publicly disclose any sensitive or personal user data related to the following:

• Government identification numbers
• Payment activities
• Other financial information

Additionally, if your mobile app can access a user's nonpublic phone book and contact list, you must ensure that this information is never disclosed or published by your app.

Summary

Google announced in May 2021 that all mobile app developers must now make all privacy disclosures public as well as their Privacy Policies within Google Play's "safety" section that began in the second quarter of 2022.

You may need to update your in-app disclosures and your Privacy Policy both within the app and in Google's app store to ensure you are compliant with Google's privacy disclosure requirements.

To be compliant with Google's requirements, Android app developers will need to place the following information in their Privacy Policies or disclosure statements:

• Whether the app follows Google's Families policy
• Whether the app allows users to choose not to share specific data
• Whether the app requires particular data to function
• Whether users can request data deletion if they uninstall the app
• Whether the app uses data encryption or any other security features
• What type of personal data the app collects or shares
• What types of third parties the app shares data with
• Whether the app has its "safety section" independently verified by a third party

In light of the above, recommended best practices for Android developers include reviewing your current Privacy Policies and disclosures. If these are missing any of the requirements outlined above, be sure to fix those issues.

Additionally, don't rely on Google's requirements alone when checking to see whether you're compliant or not. You could be compliant with Google, but not with the law. At the end of the day, your app's Privacy Policy must be governed by applicable legislation and regulations.