Google's Enhanced Privacy Disclosure Requirements


On May 6th, 2021, Google announced that beginning in the second quarter of 2022, mobile app developers who submit new apps and updates to existing apps to the Google Play store must disclose information regarding how their apps collect, use, and share private user information.

They must also disclose their security practices and how they plan to protect personal information. Finally, app developers must also provide a Privacy Policy with their apps. Google will place all of this information within a new "safety" section on Google Play.

Let's take a deeper look at what the requirements are and how to satisfy them.

Specifics that will soon be required by Google in an app developer's disclosures are things such as whether the app:

  • Follows Google's Families policy
  • Allows users to choose not to share specific data
  • Requires specific data for the app to function
  • Has its "safety section" independently verified by a third party
  • Allows users to have their data deleted upon request

Further, app developers must disclose how data will be used (e.g., for personalization or functionality) and the types of data they collect, such as:

  • Geolocation
  • Contacts on your phone
  • Contact information
  • Photos
  • Videos
  • Audio files; and
  • Storage files

Google plans to provide further guidance for app developers throughout the summer of 2021. Those who do not adhere to Google's new policies will have the chance to correct the issues. However, if developers remain non-compliant, they could have their apps removed from Google Play entirely.

Google appears to be following in Apple's footsteps as the latter enacted a similar policy on December 8th, 2020. Apple's version also requires app developers to post detailed information about their app's data gathering and privacy practices, which Apple refers to as "privacy nutrition labels."

Google's Previous Mobile Privacy Requirements


If you're an app developer, you probably have a Privacy Policy for your app already.

Back in 2018, Google declared that it would enact strict policies regarding privacy disclosure for mobile app owners. Its policies took effect on January 30th, 2018. Just four months later, the European Union's General Data Protection Regulation (GDPR), which also has data privacy rules for mobile app owners, took effect.

Google's demands on developers are mainly due to the tech giant recognizing growing privacy trends in legislation worldwide and then making a concerted effort to get ahead of the curve. For example, in addition to the GDPR, multiple international laws regarding data security and privacy now require Privacy Policies. These documents must be included any time private, personal information is collected and used by apps or websites.

Below are just a few laws that Google likely had in mind when it began putting together its requirements for privacy disclosure.

Privacy Policies Required by Laws


Many Android apps collect private information from their users. Personal information is any data that the developer (or third parties) could potentially use to identify an individual. Because of this reality, lawmakers worldwide have enacted regulations demanding that developers post a Privacy Policy that details the kinds of personal information they collect and use.

Our Privacy Policy Generator makes it easy to create a Privacy Policy for your mobile app. Just follow these steps:

  1. Click on the "Privacy Policy Generator" button.
  2. At Step 1, select the App option and click "Next step".
  3. Answer the questions about your mobile app and click "Next step" when finished.
  4. Answer the questions about your business practices and click "Next step" when finished.
  5. Enter your email address where you'd like your policy sent, select translation versions and click "Generate."

    You'll be able to instantly access and download your new Privacy Policy.

A few examples of personal information are:

  • First and last names
  • Email addresses
  • Phone numbers
  • Financial information (credit card numbers, bank account numbers, etc.)
  • Social Security Numbers
  • Birthdates
  • Billing and shipping addresses

The Australian Privacy Act of 1988

There are 13 Privacy Principles listed in the Australian Privacy Act of 1988, which app developers must adhere to if they collect private user information.

The first principle in Schedule 1 - Australian Privacy Principles demands that companies "manage personal information in an open and transparent way."

Today, this has been interpreted to mean that companies collecting personal information must have an easily accessed, up-to-date Privacy Policy.

The California Online Privacy Protection Act

In the United States of America, California's Online Privacy Protection Act (CalOPPA) demands that mobile apps and websites that collect personal information within the borders of California must have a Privacy Policy. That document must lay out in detail the types of data collected, why it is collected, and how the data is used.

Additionally, you must place the Privacy Policy in a conspicuous location. For example, the Brave Private Browser places its Privacy Policy right on its app's main listing in the "additional information" section in Google's Play Store:

Brave Browser Google Play Store listing with Privacy Policy highlighted

The UK's Data Protection Act of 2018

Similar in nature to Australia's law, which was enacted the same year, the United Kingdom's Data Protection Act of 2018 has six principles governing data privacy that call for businesses to collect data fairly and transparently. Specifically, the collection and use of data must be "specified, explicit and legitimate."

Again, this has been interpreted to mean that companies collecting personal information must have an easily accessed, up-to-date Privacy Policy.

Google Play's Requirements


Before the newly enhanced privacy disclosure requirements, Google required all Android apps to have a Privacy Policy if they collect and use private information. That Privacy Policy had to be placed within the app itself and also within the Play Developer Console.

The app's Privacy Policy is required to specifically disclose how your app collects, uses, and shares user data, including the types of parties with whom it's shared.

Sensitive Permissions that Need a Privacy Policy

In addition to needing a Privacy Policy if an app collects personal information as mentioned above, a Privacy Policy is also necessary if the app makes sensitive data requests like trying to access a phone's microphone or camera. Again, the Privacy Policy must be placed within the app and also in the app's store listing.

For example, the Rumble Camera app requests the following permissions:

  • Precise Geolocation
  • Microphone
  • Camera
  • Photos/Media/Files
  • Storage
  • WiFi Connection
  • Other (receive data from the internet, control flashlight, full network access, prevent the device from sleeping, run at startup, control vibration, view network connections)

Rumble Camera mobile app Permissions screen

Obviously, apps that ask for permission to use a phone's camera and microphone can potentially turn on either without the consent of the phone's owner. They can also potentially record and send data back to the developer.

Because of these abilities, these apps are asking for high-risk, sensitive permissions. Therefore, it is the developer's responsibility to state clearly and prominently which permissions their apps request as well as provide a full Privacy Policy.

With data and privacy laws becoming stricter than ever, it's recommended that developers include a Privacy Policy with their apps, along with statements regarding the permissions their apps request, even when the app doesn't collect personal information at all.

Google's New Privacy Requirements for Mobile Apps


As 2022 gets closer, you should ensure you're doing the following if your app handles personal or sensitive user information:

  • Include a Privacy Policy within your app
  • Include a Privacy Policy in the designated Play Console field
  • Secure all user data by transmitting it using current cryptography methods (e.g., HTTPS)

Remember that your Privacy Policy must disclose entirely how your app collects, uses, shares, and secures data. Further, you must disclose the types of third parties with whom you share data, if any.

Requirements for Prominent and In-App Disclosures


If your app collects and transmits sensitive or personal data, you must prominently state that fact and then acquire explicit user consent before any data collection or transmission occurs.

As previously mentioned, your Privacy Policy must be included within your app and not just on Google Play. Further, you cannot hide in-app disclosures within the app's menu or settings. Instead, they must be displayed as part of the regular usage of the app.

Disclosures in your app must:

  • List the types of information collected
  • Describe how you will use the information
  • List the types of third parties with whom you share that information
  • Not be placed solely in the Privacy Policy or Terms of Service
  • Be kept separate from other disclosures that are unrelated to the collection of personal or sensitive information

Your App's Request for Consent

When obtaining explicit consent to collect and use personal information, you must ensure that the consent dialog is presented to the user in a straightforward and easy-to-understand format.

You must acquire user consent through an affirmative user action such as:

  • Tapping to accept
  • Ticking a check-box, or
  • Giving a verbal command

Further, you must not:

  • Consider navigation away from disclosure as an indication of consent (e.g., if a user presses the home button and leaves without actively giving consent, you can't just assume the user has given consent)
  • Begin collection of personal information before obtaining affirmative consent
  • Use expiring or auto-dismissing messages

Requirements for Specific Activities


Your app must never publicly disclose any sensitive or personal user data related to the following:

  • Government identification numbers
  • Payment activities
  • Other financial information

Additionally, if your mobile app can access a user's nonpublic phone book and contact list, you must ensure that this information is never disclosed or published by your app.

Updating Your Disclosures and Privacy Notice


There's a strong likelihood that you'll need to update your in-app disclosures and your Privacy Policy both within the app and in Google's app store to ensure you are compliant with Google's newly enhanced privacy disclosure requirements.

Summary

Google announced in May 2021 that all mobile app developers must now make all privacy disclosures public as well as their Privacy Policies within Google Play's "safety" section starting in the second quarter of 2022.

Google appears to be following quickly on the heels of Apple's determination that app developers for iOS must publish privacy "nutrition labels."

To be compliant with Google's new requirements, Android app developers will need to place the following information in their Privacy Policies or disclosure statements:

  • Whether the app follows Google's Families policy
  • Whether the app allows users to choose not to share specific data
  • Whether the app requires particular data to function
  • Whether users can request data deletion if they uninstall the app
  • Whether the app uses data encryption or any other security features
  • What type of personal data the app collects or shares
  • What types of third parties the app shares data with
  • Whether the app has its "safety section" independently verified by a third party

So far, app developers do not have access to the new "safety" section on Google Play. However, Google plans to make the new area available to developers starting in the fourth quarter of 2021. On the other hand, users won't be able to access the area until the beginning of 2022.

Privacy experts believe that Google's announcement regarding their plans for enhanced privacy disclosure requirements together with Apple's recent statements signal a shift in policy by Big Tech companies. Essentially, the executives of these companies are beginning to see trends in public attitudes and international legislation, and are moving to ensure their companies are compliant early in the process.

By doing so, they can elevate their company's image and reputation in the collective consciousness of the world's consumers, who are ever more conscious of protecting their privacy and personal information.

In light of the above, recommended best practices for Android developers include reviewing your current Privacy Policies and disclosures. If these are missing any of the requirements outlined above, be sure to fix those issues.

Additionally, don't rely on Google's requirements alone when checking to see whether you're compliant or not. You could be compliant with Google, but not with the law. At the end of the day, your app's Privacy Policy must be governed by applicable legislation and regulations.

Finally, be aware that the FTC and other regulators see Privacy Policies as contractually binding. Therefore, you should make sure your "i's" are dotted, your "t's" are crossed, and all information included in your app's disclosures and Privacy Policies is up to date and accurate.

William B.


Legal writer.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.