Legal and Data Privacy Writer at TermsFeed.
Widener University School of Law graduate, Managing Legal Editor at TermsFeed.
Google's Mobile Unwanted Software (MUwS) is a mobile software category that Google flags as potentially harmful due to its suspicious behavior.
To combat this threat, Google has released a set of requirements that developers must adhere to when building and submitting apps on the Google Play Store.
In doing so, developers can help protect users from malicious apps, as well as promote a safe, secure, and privacy-conscious ecosystem on Google.
In this article, we'll examine what Google's MUwS policy entails, its developer guidelines for protecting the user experience, the associated privacy implications, and practical insights to help your mobile app comply accordingly.
What is Google's Mobile Unwanted Software (MUwS)?
Google's Mobile Unwanted Software (MUwS) refers to any mobile application or executable file on Google's ecosystem that displays certain deceptive or questionable behavior.
According to Google, MUwS displays at least one of the following characteristics:
MUwS can essentially disrupt users' computing experiences, harm their devices, or violate their privacy. For example, software that changes users' default browser settings to ones they don't want will fall under Google's MUwS.
While MUwS isn't necessarily classified as malware (i.e., software designed specifically to harm users or devices), it sometimes exhibits similar behavior or produces similar consequences.
In Google's own words, MUwS are apps that "aren't strictly malware, but are harmful to the software ecosystem."
To protect the user experience, Google actively monitors its software ecosystem for apps that exhibit MUwS characteristics and takes appropriate action against them.
Categories of Google's Mobile Unwanted Software (MUwS)
As with malware, developers may sometimes be unaware that their apps exhibit Google's MUwS qualities.
For this reason, Google classifies MUwS into several distinct categories to help developers identify potential problem areas within their apps and make adjustments where necessary.
Briefly, Google's MUwS categories are as follows:
Data collection and restricted permissions abuse
A mobile app that collects, uses, or discloses users' personal or sensitive information (e.g., names, phone numbers, email addresses, financial details, etc.) without adequate notice or approval.
A mobile app that impersonates another app in order to trick users into performing actions they intended for the original trusted app.
A mobile app that displays ads to users in unexpected ways, including interrupting device functions or displaying outside the app's environment without appropriate consent.
Unauthorized Use or Imitation of System Functionality
A mobile app or ad that imitates or disrupts system functionality (e.g., via notifications or alerts) for non-essential app features.
A mobile app that engages in a form of invalid traffic by fabricating ad interactions to trick an ad network into believing traffic is from genuine user interest.
To help put things in context, Google provides several examples of common violations, as shown below:
Now that we understand Google's MUwS and its various categories, let's examine the associated privacy implications for your mobile app.
Privacy Implications of Google's Mobile Unwanted Software (MUwS)
In the context of data privacy, MUwS is known for collecting at least one of the following types of information without adequate notice or user consent:
- Phone numbers
- Email addresses
- Location data
- Information about installed apps
- Information about third-party accounts
Under privacy laws such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA/CPRA), these data types are considered personal information and protected by layers of stringent requirements.
In fact, one of the primary reasons Google established MUwS guidelines for developers in its ecosystem is to ensure compliance with data protection laws and modern privacy standards.
In other words, violating Google's MUwS guidelines will not only provoke corrective action from Google but may also place your mobile app in the crosshairs of international privacy laws.
Google's MUwS guidelines cover a wide range of issues, including data privacy, security, and user experience, which we'll discuss next.
General Requirements of Google's Mobile Unwanted Software (MUwS)
In its Unwanted Software Policy, Google outlines several principles developers must observe to protect the user experience. Briefly, they include the following:
- Transparent installation and upfront disclosure: Your software's installation process should be easy to understand, straightforward, and reflect clear choices made by the user. You must also inform users of the software's specific functions.
- Simple removal: You should make it easy for users to disable or uninstall your software from their devices.
- Clear behavior: After installation, your software should perform as expected and deliver on its promises to users.
- Snooping: If your software collects or handles users' personal information, it must do so transparently after providing adequate notice and obtaining consent.
- Keeping good company: If your software is bundled with any third-party software, you must ensure that the third-party software complies with the guidelines above.
Building on these principles, Google's MUwS policy provides the following additional requirements for mobile software developers in its ecosystem:
- Protect user data: Your mobile app must be transparent about how it handles users' personal and sensitive information, implement all necessary data security measures, and satisfy the requirements set out in Google's User Data Policy.
- Do not harm the mobile experience: Your mobile app should prioritize a seamless user experience, reflect users' preferences, and meet its advertised standards.
Now that we've seen Google's MUwS general requirements, let's go over the privacy requirements and examine practical steps you can take to ensure compliance.
Google's MUwS Privacy Requirements and Practical Steps for Compliance
When it comes to data privacy, your mobile app must observe certain best practices to ensure compliance with Google's MUwS policy and meet the standards of international data protection laws.
Below, we outline key steps to help you comply accordingly.
Obtain user consent when needed
Consent is one of the most important requirements for adhering to Google's MUwS guidelines. After all, apps that don't request user consent before collecting personal information will be categorized as MUwS in Google's ecosystem.
In terms of practicalities, Google offers the following guidelines in its Google Play User Data Policy:
Essentially, before collecting, using, or sharing personal information, your app must obtain explicit user consent through affirmative action (i.e., asking users to check an empty "I Agree" checkbox or click a conspicuous "I Agree" button).
Keep in mind that your consent request must be simple and informed.
For example, here's how Yelp obtains simple, explicit, and informed consent through empty checkboxes on its sign-up form:
Notably, Google acknowledges instances where an app may not need user consent because it can rely on another lawful basis (e.g., legitimate interest under the GDPR).
In such cases, app developers must comply with all relevant legal requirements stipulated under applicable laws and provide adequate disclosures to users.
That being said, obtaining consent remains the safest and simplest way to avoid violating Google's requirements and those of applicable privacy laws.
Protect Users' Personal Information
Google requires developers to implement appropriate data security measures in order to protect users' information from unauthorized access, loss, or breaches.
Google specifically requires developers to handle users' data securely, send data using modern cryptography (e.g., HTTPS), and limit data transfers to only what is necessary for your mobile app's functionality.
Implement Privacy-by-Design Principles
Privacy by Design is a framework that emphasizes the importance of building privacy protections into apps from the beginning of the development process.
While Google doesn't specifically mention adopting this framework, it's a standard best practice and even mandatory under some privacy laws like the GDPR.
By observing the principles of Privacy by Design, you can ensure that your mobile app is built with privacy at its core and that users' personal information is protected by default.
- The designated field within the Google Play Console
- Within your mobile app itself (typically in the legal, menu, or settings interface)
Here's how Google explains all these in its Google Play User Data Policy:
It's also important to note that you must observe Google's requirements in addition to the other obligations imposed by privacy laws in your jurisdiction.
Here's how Google explains this in its Developer Policy Center:
Fortunately, Google's requirements are pretty standard and revolve around maintaining transparency with users regarding their information.
What type of personal information you collect, and how you use the information
You then need to clearly outline your purpose(s) for collecting that information, whether it be for improving the user experience, providing targeted ads, personalizing content, etc.
It's important to be completely transparent and as detailed as possible here.
For example, here's how Uber provides an overview of the type of information it collects from users:
Further into the notice, Uber goes into comprehensive detail about the type of information it collects. Note that this is just an excerpt:
And here's how Walmart addresses how it uses personal information:
Who you share personal information with
For mobile app owners, this typically includes business partners, reputable marketing or advertising firms, payment gateways, other Google services, etc.
In its Privacy Notice, Amazon states that it will only share personal information with third parties whose privacy standards are at least as protective as its own:
How you protect users' personal information
It's not required that you go into detail about the specific safeguards you use, but you should, at the very least, mention that you do take the necessary precautions and have adequate systems in place.
Here's how PayPal concisely explains its data security practices:
In today's privacy landscape, users typically have several rights over their personal information, depending on applicable privacy laws.
A few common ones include:
- The right to access their information
- The right to correct inaccuracies in their information
- The right to opt out of certain data processing activities
- The right to request deletion of their information
Google's Mobile Unwanted Software (MUwS) is a software category that exhibits deceptive or unexpected behavior and negatively affects users' experiences. Naturally, Google works to protect its users from this type of software.
To help developers identify areas of deficiency in their apps, Google breaks down MUwS into several distinct categories.
One significant category that raises privacy concerns is "data collection and restricted permissions abuse." It basically entails collecting, using, or sharing personal information without adequate notice or user consent.
To guard against this threat to user privacy, Google imposes several privacy obligations on developers. These include:
- Obtaining clear, unambiguous, and explicit consent before collecting or using personal information
- Protecting users' personal information by employing adequate data security measures
- Observing all other relevant data privacy obligations as required by applicable privacy laws