Google's Mobile Unwanted Software (MUwS) Requirements and Your Privacy Practices

Google's Mobile Unwanted Software (MUwS) is a mobile software category that Google flags as potentially harmful due to its suspicious behavior.

To combat this threat, Google has released a set of requirements that developers must adhere to when building and submitting apps on the Google Play Store.

In doing so, developers can help protect users from malicious apps, as well as promote a safe, secure, and privacy-conscious ecosystem on Google.

In this article, we'll examine what Google's MUwS policy entails, its developer guidelines for protecting the user experience, the associated privacy implications, and practical insights to help your mobile app comply accordingly.

What is Google's Mobile Unwanted Software (MUwS)?

Google's Mobile Unwanted Software (MUwS) refers to any mobile application or executable file on Google's ecosystem that displays certain deceptive or questionable behavior.

According to Google, MUwS displays at least one of the following characteristics:

MUwS can essentially disrupt users' computing experiences, harm their devices, or violate their privacy. For example, a software that changes users' default browser settings to ones they don't want will fall under Google's MUwS.

While MUwS isn't necessarily classified as malware (i.e., software designed specifically to harm users or devices), it sometimes exhibits similar behavior or produces similar consequences.

In Google's own words, MUwS are apps that "aren't strictly malware, but are harmful to the software ecosystem."

To protect the user experience, Google actively monitors its software ecosystem for apps that exhibit MUwS characteristics and takes appropriate action against them.

Categories of Google's Mobile Unwanted Software (MUwS)

Like with malware, developers may sometimes be unaware that their apps exhibit Google's MUwS qualities.

For this reason, Google classifies MUwS into several distinct categories to help developers identify potential problem areas within their apps and make adjustments where necessary.

Briefly, Google's MUwS categories are as follows:

• Data collection and restricted permissions abuse

  A mobile app that collects, uses, or discloses users' personal or sensitive information (e.g., names, phone numbers, email addresses, financial details, etc.) without adequate notice or approval.

• Social engineering

  A mobile app that impersonates another app in order to trick users into performing actions they intended for the original trusted app.

• Disruptive ads

  A mobile app that displays ads to users in unexpected ways, including interrupting device functions or displaying outside the app's environment without appropriate consent.

• Unauthorized Use or Imitation of System Functionality

  A mobile app or ad that imitates or disrupts system functionality (e.g., via notifications or alerts) for non-essential app features.

• Ad fraud

  A mobile app that engages in a form of invalid traffic by fabricating ad interactions to trick an ad network into believing traffic is from genuine user interest.

To help put things in context, Google provides several examples of common violations, as shown below:

Now that we understand Google's MUwS and its various categories, let's examine the associated privacy implications for your mobile app.

Privacy Implications of Google's Mobile Unwanted Software (MUwS)

In the context of data privacy, MUwS is known for collecting at least one of the following information without adequate notice or user consent:

• Phone numbers
• Email addresses
• Location data
• Information about installed apps
• Information about third-party accounts

Under privacy laws such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA/CPRA), these data types are considered personal information and protected by layers of stringent requirements.

In fact, one of the primary reasons Google established MUwS guidelines for developers in its ecosystem is to ensure compliance with data protection laws and modern privacy standards.

In other words, violating Google's MUwS guidelines will not only provoke corrective action from Google but may also place your mobile app in the crosshairs of international privacy laws.

Google's MUwS guidelines cover a wide range of issues, including data privacy, security, and user experience, which we'll discuss next.

General Requirements of Google's Mobile Unwanted Software (MUwS)

Google's MUwS guidelines build upon its Unwanted Software Policy and Software Principles to extend its applicability to the mobile experience.

In its Unwanted Software Policy, Google outlines several principles developers must observe to protect the user experience. Briefly, they include the following:

• Transparent installation and upfront disclosure: Your software's installation process should be easy to understand, straightforward, and reflect clear choices made by the user. You must also inform users of the software's specific functions.
• Simple removal: You should make it easy for users to disable or uninstall your software from their devices.
• Clear behavior: After installation, your software should perform as expected and deliver on its promises to users.
• Snooping: If your software collects or handles users' personal information, it must do so transparently after providing adequate notice and obtaining consent.
• Keeping good company: If your software is bundled with any third-party software, you must ensure that the third-party software complies with the guidelines above.

Building on these principles, Google's MUwS policy provides the following additional requirements for mobile software developers in its ecosystem:

• Transparent behavior and clear disclosures: Your mobile app should be easy to navigate, behave as expected, and explain key details about the data it collects. You can provide this information within your Privacy Policy (More on this later in the article)
• Protect user data: Your mobile app must be transparent about how it handles users' personal and sensitive information, implement all necessary data security measures, and satisfy the requirements set out in Google's User Data Policy.
• Do not harm the mobile experience: Your mobile app should prioritize a seamless user experience, reflect users' preferences, and meet up with its advertised standards.

Now that we've seen Google's MUwS general requirements, let's go over the privacy requirements and examine practical steps you can take to ensure compliance.

Google's MUwS Privacy Requirements and Practical Steps for Compliance

When it comes to data privacy, your mobile app must observe certain best practices to ensure compliance with Google's MUwS policy and meet the standards of international data protection laws.

Below, we outline key steps to help you comply accordingly.

Obtain user consent when needed

Consent is one of the most important requirements for adhering to Google's MUwS guidelines. After all, apps that don't request user consent before collecting personal information will be categorized as MUwS in Google's ecosystem.

In terms of practicalities, Google offers the following guidelines in its Google Play User Data Policy:

Essentially, before collecting, using, or sharing personal information, your app must obtain explicit user consent through affirmative action (i.e., asking users to check an empty "I Agree" checkbox or click a conspicuous "I Agree" button).

Keep in mind that your consent request must be simple and informed.

For example, here's how Yelp obtains simple, explicit, and informed consent through empty checkboxes on its sign-up form:

Notably, Google considers instances where an app may not need user consent if it can rely on another lawful basis (e.g., legitimate interest under the GDPR).

In such cases, app developers must comply with all relevant legal requirements stipulated under applicable laws and provide adequate disclosures to users.

That being said, obtaining consent remains the safest and simplest way to avoid violating Google's requirements and those of applicable privacy laws.

Protect Users' Personal Information

Google requires developers to implement appropriate data security measures in order to protect users' information from unauthorized access, loss, or breaches.

Google specifically requires developers to handle users' data securely, send data using modern cryptography (e.g., HTTPS), and limit data transfers to only what is necessary for your mobile app's functionality.

Implement Privacy-by-Design Principles

Privacy by Design is a framework that emphasizes the importance of building privacy protections into apps from the beginning of the development process.

While Google doesn't specifically mention adopting this framework, it's a standard best practice and even mandatory under some privacy laws like the GDPR.

By observing the principles of Privacy By Design, you can ensure that your mobile app is built with privacy at its core and that users' personal information is protected by default.

Now, let's go over how to draft your mobile app's most important legal document: a Privacy Policy.

How to Write a Google-compliant Privacy Policy for Your Mobile App

Maintaining a publicly accessible Privacy Policy is one of Google's core requirements for developers in its ecosystem. Moreover, having a Privacy Policy is mandatory under many privacy laws and a best practice in general.

According to Google, your Privacy Policy must provide comprehensive information about your data collection, usage, and sharing practices. Even if your app doesn't collect any personal or sensitive information, you must provide a Privacy Policy regardless.

Importantly, you must provide conspicuous links to your Privacy Policy in two key locations:

• The designated field within the Google Play Console
• Within your mobile app itself (typically in the legal, menu, or settings interface)

Here's how Google explains all these in its Google Play User Data Policy:

It's also important to note that you must observe Google's requirements in addition to the other obligations imposed by privacy laws in your jurisdiction.

Here's how Google explains this in its Developer Policy Center:

If, for instance, your app falls under the GDPR's scope, you'll need to address GDPR-specific disclosures within your Privacy Policy in addition to Google's required disclosures.

Fortunately, Google's requirements are pretty standard and revolve around maintaining transparency with users regarding their information.

Without further ado, let's briefly examine some key clauses you should address in your Privacy Policy.

What type of personal information you collect, and how you use the information

Your Privacy Policy should inform users what personal or sensitive information you collect about them through your mobile app.

You then need to clearly outline your purpose(s) for collecting that information, whether it be for improving the user experience, providing targeted ads, personalizing content, etc.

It's important to be completely transparent and as detailed as possible here.

For example, here's how Uber provides an overview of the type of information it collects from users:

Further into the notice, Uber goes into comprehensive detail about the type of information it collects. Note that this is just an excerpt:

And here's how Walmart addresses how it uses personal information:

Who you share personal information with

If you share personal information with third parties, your Privacy Policy must clearly mention this and state who you share that information with.

For mobile app owners, this typically includes business partners, reputable marketing or advertising firms, payment gateways, other Google services, etc.

In its Privacy Notice, Amazon states that it will only share personal information with third parties whose privacy standards are at least as protective as its own:

How you protect users' personal information

Your Privacy Policy must explain the security measures you have in place to prevent unauthorized access, loss, or theft of users' personal information. This typically entails using encryption, firewalls, two-factor authentication, and other effective security measures.

It's not required that you go into detail about the specific safeguards you use, but you should, at the very least, mention that you do take the necessary precautions and have adequate systems in place.

Here's how PayPal concisely explains its data security practices:

User rights

In today's privacy landscape, users typically have several rights over their personal information, depending on applicable privacy laws.

A few common ones include:

• The right to access their information
• The right to correct inaccuracies in their information
• The right to opt out of certain data processing activities
• The right to request deletion of their information

Your Privacy Policy must address users' rights and explain what steps users can take to exercise them like IBM does here:

Changes to your Privacy Policy

Finally, you must inform users of any changes made to your Privacy Policy, making sure to include the date when it was last updated like Medium does here:

Once drafted, you should place your Privacy Policy in other prominent areas of your app, such as the account registration page or near a contact form.

Summary

Google's Mobile Unwanted Software (MUwS) is a software category that exhibits deceptive or unexpected behavior and negatively affects users' experiences. Naturally, Google works to protect its users from this type of software.

To help developers identify areas of deficiency in their apps, Google breaks down MUwS into several distinct categories.

One significant category that raises privacy concerns is "data collection and restricted permissions abuse." It basically entails collecting, using, or sharing personal information without adequate notice or user consent.

To guard against this threat to user privacy, Google imposes several privacy obligations on developers. This includes:

• Obtaining clear, unambiguous, and explicit consent before collecting or using personal information
• Protecting users' personal information by employing adequate data security measures
• Providing a comprehensive Privacy Policy that explains what type of data your app collects, how you use it, and with whom you share it
• Including prominent links to your Privacy Policy in the Google Play Store listing and within the app itself
• Observing all other relevant data privacy obligations as required by applicable privacy laws