At Step 1, select the Website option or App option or both.
Answer some questions about your website or app.
Answer some questions about your business.
Here's a screenshot of the rejection message:
- The developer's name and contact information
- The types of personal and sensitive user data your app collects, uses, or shares
- Third parties you share personal or sensitive user data with
- How you keep personal and sensitive user data safe
- How long you keep personal data
- How users can request to delete their personal data
- Limiting the data you collect
- Keeping data secure
- Explaining permissions
- Maintaining and getting consent to in-app disclosures
- Keeping the Data Safety section of your app listing up-to-date
- Explaining how users can delete their data
- Explaining how long you retain data
- Displaying your contact information
- Explains consumers' privacy rights
- Outlines how they use consumers' data
- Gives consumers a way to make requests or opt-out of the use of their personal information
Let's take a look at a couple of privacy laws that may apply to you if you collect or use personal data from consumers in the European Union (EU) or California.
The General Data Protection Regulation (GDPR) is the EU's primary privacy legislation. It requires organizations that provide goods or services to EU residents, or that process (use) personal data belonging to them, to:
- Only process personal data necessary for their functions
- Give EU consumers a way to exercise their privacy rights
- Explains consumers' rights under the law
- Gives consumers a way to opt-out of the sale or sharing of their personal information
- Describes the types of personal information their organization collects and uses
Section 1798.100 of the CCPA explains that businesses must inform consumers of the following before collecting their personal data:
- What kinds of information they are collecting and why
- Whether the information they are collecting includes sensitive personal information (a special category of protected personal information)
- How long they plan to keep the personal information
Explain App Permissions Through Data Safety Form
TikTok's Data Safety page contains a menu of the types of data it collects, including approximate location, personal information, financial information, in-app messages, and photos and videos:
You should use your app description to explain the permissions that your app uses, especially if you use any sensitive permissions like READ_EXTERNAL_STORAGE (a permission used to access storage outside of your app). You should explain why your app requires those permissions.
Dropbox explains its permissions and includes instructions for how users can disable permissions in their device settings and a Learn More link as part of its Google Play Store app description:
Maintain and Get Consent to In-App Disclosures When Necessary
If you collect or use personal or sensitive personal data for purposes that a user wouldn't reasonably expect, you will need to maintain in-app disclosures explaining why you are collecting or using the data.
Google Play's User Data Policy provides a sample format that developers can use to create a compliant disclosure:
You must obtain consent to your in-app disclosures. Users must give active consent (such as by tapping an "I Agree" button or checkbox, or clicking a button affirming a consent statement):
If a user navigates away from the consent box, that does not count as granting consent. You must get consent from users before accessing their personal data.
Limit the Data You Collect, Use and Share
You must limit the access, collection, use, or sharing of personal or sensitive user data to that which is necessary for the purposes you disclose to users. That means that you need to determine what kinds of data your apps are collecting, storing, and transmitting to your servers, and how it is being used.
Google Play defines personal and sensitive user data as information that can be used to identify an individual, including financial, health, and authentication information; text-message and phone-call-related data; and data from users' microphones and cameras.
Google Play's User Data Policy informs developers that they must clearly explain how they handle users' personal data and limit the use of data to "policy compliant purposes:"
If you use personal or sensitive user data for advertising purposes, then you must also comply with Google Play's Ad Policy.
Google Play's Ads Policy requires app developers to include information about the collection or use of permission-based device location data for advertising purposes in their Privacy Policies. Developers may not request location data permissions solely for advertising purposes:
Let users know what types of information you collect in a way that's easy to understand. Use lists and short sentences to keep things clear, as seen here:
Always disclose if you share any types of data with third parties. You can name them specifically, but most businesses will use categories of third parties, such as "hosting services" and "service providers." Disclose what types of information will be shared and what it will be used for, such as "data analysis" and "email delivery":
Keep Collected Data Secure
You will also need to make sure you keep the data you collect safe by:
- Using modern cryptography (secure digital communications practice) to transmit user data
- Using runtime permissions requests (permissions that help prevent apps from accessing private information without a user's consent) whenever they are available
- Not selling users' personal and sensitive data
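The consent rules above (active consent only, navigating away does not count, no data access before consent) and the runtime-permission point in this list can be enforced in code rather than left to a policy document. The following Android Activity is an added example written for this article; it is not code from the article, from Google, or from any app the article mentions. The class name ConsentGate, the preference names PREFS_NAME and KEY_CONSENT, and the receipt-scanning disclosure text are all constructed for illustration.

```kotlin
// Added example: gate a camera feature behind (1) an in-app disclosure that
// requires an explicit tap on "I Agree" and (2) a runtime permission request
// that is only made after that consent has been recorded.
// ConsentGate, PREFS_NAME, KEY_CONSENT and the disclosure text are assumptions.
import android.Manifest
import android.content.Context
import android.content.pm.PackageManager
import android.os.Bundle
import androidx.activity.result.contract.ActivityResultContracts
import androidx.appcompat.app.AlertDialog
import androidx.appcompat.app.AppCompatActivity
import androidx.core.content.ContextCompat

class ConsentGate : AppCompatActivity() {

    private val prefs by lazy { getSharedPreferences(PREFS_NAME, Context.MODE_PRIVATE) }

    // Runtime permission launcher. It is never launched before consent is stored,
    // so the system permission prompt cannot be mistaken for the disclosure itself.
    private val requestCamera = registerForActivityResult(
        ActivityResultContracts.RequestPermission()
    ) { granted ->
        if (granted) startCameraFeature() else showCameraUnavailable()
    }

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        if (hasConsent()) proceed() else showDisclosure()
    }

    // Consent is only true if the user previously tapped "I Agree".
    private fun hasConsent(): Boolean = prefs.getBoolean(KEY_CONSENT, false)

    private fun showDisclosure() {
        AlertDialog.Builder(this)
            .setTitle("How we use your camera")
            // Constructed disclosure text: what is collected, why, and for how long.
            .setMessage(
                "This app photographs receipts to read expense totals. Photos are " +
                "uploaded to our servers for processing and deleted within 30 days."
            )
            // Back button and tapping outside do not dismiss the dialog, so
            // "navigating away" can never be recorded as consent.
            .setCancelable(false)
            .setPositiveButton("I Agree") { _, _ ->
                prefs.edit().putBoolean(KEY_CONSENT, true).apply()
                proceed()
            }
            // Declining leaves consent unrecorded; the feature stays unavailable.
            .setNegativeButton("Not now") { _, _ -> finish() }
            .show()
    }

    // Reached only with consent recorded; now ask the OS for the permission.
    private fun proceed() {
        val state = ContextCompat.checkSelfPermission(this, Manifest.permission.CAMERA)
        if (state == PackageManager.PERMISSION_GRANTED) {
            startCameraFeature()
        } else {
            requestCamera.launch(Manifest.permission.CAMERA)
        }
    }

    private fun startCameraFeature() {
        // Feature code lives here; it is unreachable without consent and permission.
    }

    private fun showCameraUnavailable() {
        // Degrade gracefully: the rest of the app keeps working without the camera.
    }

    companion object {
        private const val PREFS_NAME = "privacy_consent"
        private const val KEY_CONSENT = "in_app_disclosure_accepted"
    }
}
```

Two design choices carry the policy: `setCancelable(false)` means the only ways out of the disclosure are the two buttons, so there is no path where a dismissed dialog is later read as agreement, and the permission launcher is only invoked from `proceed()`, which is only reachable after `KEY_CONSENT` is true. If the disclosure text changes materially, bump the preference key (or store a version alongside it) so that users are shown the new disclosure rather than silently inheriting the old consent.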
Explain How Users Can Delete Their Data
If your app allows users to create an account, then you must also establish a way for users to request that their account be deleted. You should make the deletion request process accessible from both the app and from a web resource (such as a website or email address).
Let users know that they have the right to have their data deleted, and instruct them on how to go about exercising this right.
Here's an example of such a clause:
Explain How Long You Retain Data
Display Your Contact Information
Add a contact clause like this to share your name and contact information:
You can download these instructions as a PDF file.
Log in to your Google Play Console.
In the left menu, click on All apps and then choose the app you wish to work with:
Click on the app you wish to work with:
In order to fix the Google Play Store rejection message, you will need to follow these steps:
- Know what data you are collecting and limit your use of data to only that which is strictly necessary for the purposes disclosed to your users.
- Explain the permissions your app uses.
- Maintain prominent disclosures as needed and get consent to disclosures before collecting or using personal data.
- Keep your Data Safety Section up to date.
- Explain how users can delete their personal data.
- A list of the data you collect and use, including personally identifiable information
- Why you are collecting and using consumers' data
- A list of any third parties you share personal and sensitive user data with
- How users can request to have their data deleted, if applicable
- The permissions your app uses
- Your data retention policy
- How you keep users' personal data safe
- Your contact information