Google's Prominent Disclosure Requirement became effective as of March 15, 2017. If you do not comply with this requirement, Google may remove your app from the Google Play store.
The Prominent Disclosure Requirement requires that users be informed of any data collected by your app that is not essential to the basic functions of your app. You must also give users the opportunity to refuse that collection.
Here's what you need to know about the Prominent Disclosure Requirement and how to comply with it.
The Prominent Disclosure Requirement is located in the Google Play Policy Center under Personal and Sensitive Information. It applies to any app that collects and transmits sensitive user data for tracking or research purposes rather than app functions.
If your app does this, you're required to have an in-app disclosure that meets the following requirements:
Additionally, the disclosure must:
Google offers two examples of common violations of this requirement.
You'll need two main elements to comply with this policy: an in-app disclosure and affirmative consent.
As soon as a user chooses to install your app, Google Play presents the user with a list of data that the app needs access to. This lets users know that data is being collected.
Snapchat requests a large amount of personal data from users in order to function. When users download this app from Google Play, they are presented with the list of data the app will access.
Apps that request less data can still use this list approach.
Once inside the app, there may be additional permission dialogues. An Android app called Power Clean addresses virus infections and removes excess data so devices become more efficient.
Disclosure of its data requirements starts at installation--just like the apps listed above:
As the app is used, it may request additional permissions. For example, Power Clean notifies users that cleaning up excess notifications requires access to personal data.
If a user refuses during this dialogue but attempts the function again at a later time, the app presents a more detailed notice. Behind the pop-up is a promise not to misuse personal data:
There are other examples where data collection is less obvious. Pollfish does not produce a specific app, but it compiles surveys that may be presented through third-party apps. These surveys may offer rewards to users who wish to share their opinions.
In this blog example, Pollfish shows how it complies with the Prominent Disclosure requirement. It places the disclosure right within the third-party app so users can see it before they agree to take the survey.
The disclosure is difficult to read but it states as follows:
"By accepting to take this survey a specific set of user's device data, including information about the apps the user has installed, is automatically sent to Pollfish servers and associated with answers to the questionnaires, in order for Pollfish to discern whether the user is eligible for a survey and improve targeting of future surveys."
Pollfish makes it clear that users have two options: They can take the survey after reading the prominent disclosure, or click "No Thanks" and avoid data collection.
Always obtain affirmative consent. Passive acceptance through merely using an app will not work with these requirements. A user has to read the notice and actively click "Accept" or "OK."
Once again, this begins at installation with Google Play's standard dialog. Notice the big green "Accept" button when installing Bumble, a dating app.
Looking at the dialogue boxes from Power Clean, you'll notice the same approach. Rather than "Accept," the user clicks "OK," which is informal but still indicates affirmative consent.
The takeaway here is that you should give users the active option to consent to or decline your data collection.
When you request permission to collect data, provide two separate buttons, one to accept and one to decline. This makes it clear whether a user accepts the risks of your data collection.
When the policy regarding prominent disclosure was first implemented, Google sent out emails to developers whose apps likely violated the policy.
Now, Google will most likely just pull your app until you fix the violations.
Sometimes fixing a violation will involve adding code so the correct disclosures alert users.
Most times, it is a matter of adding text at the beginning, such as with Pollfish. If you receive a notice, it will indicate where you violated the policy so you can fix the errors.
If you're in violation of Google's Prominent Disclosure requirement, take the following steps:
Stay informed when Google Play sends you policy updates so you can remain on its platform.
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.
18 January 2021