In this article, you'll learn:
- How privacy law applies to your Android app
- How to create an Android app that complies with Google's terms and the law
- How to comply with Google's "prominent disclosure" requirements
Google's Transparency Requirements
It includes a clause about user data stating that developers must handle user data transparently, disclosing important details about how the data is collected and used:
And here's part of Google's Developer Distribution Agreement. You agree to these terms when you publish your app on the Google Play Store:
Personal and Sensitive Information
Here's how Google defines "personal and sensitive information" in its Developer Policy Center. If you collect personal and sensitive information, you need to comply with Google's transparency requirements.
- Any other login information
- Financial and payment information
- Authentication information
- Phonebook, contacts, SMS, and call-related data
- Microphone and camera data
- Sensitive device or usage data
- Any personal information (or "personally identifiable information")
The last point is important. "Personal information" is a very broad term. Privacy laws differ in how they define "personal information." Depending on where your users live, you'll have different standards to meet.
And while we're on the subject of privacy law, Google can impose some harsh penalties on those whose apps fail to comply with the law.
Here's a section of the Developer Distribution Agreement describing Google's "Legal Takedown" process:
If Google determines that your app has broken the law, or even if someone alleges it, Google can:
- Remove your app from the Google Play Store
- Force you to refund any customer that purchased your app in the past year (or longer)
As well as complying with Google's terms, you must obey the law. Below, we're going to look at which privacy laws might apply to you.
United States Privacy Law
If your app is accessible in the United States, you'll need to obey California's strict privacy laws. These privacy laws protect all California residents, so they apply to any app accessible in the US (unless you can find some way to block 40 million Californians).
The broadest Californian privacy law, which applies to all commercial app developers, is the California Online Privacy Protection Act (CalOPPA). Under CalOPPA, the following types of information are personal information:
- First and last name
- Address, including a street name and the name of a city or town
- Email address
- Phone number
- Social security number
- Other identifying contact details
- Cookies or any other user data an app collects (if you store it alongside one of the other types of information above)
Many larger businesses also have to comply with the California Consumer Privacy Act (CCPA). If you qualify as a business under the CCPA, you'll need to think much more broadly about whether your app collects personal information.
The CCPA defines personal information as:
"information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."
This includes all the types of information above, plus many more examples, including:
- Cookies (regardless of whether you store them alongside people's names or contact details)
- ID numbers such as the Android ID
- IP address
- Phone number
- Location data
- Data about a person's sex, race, nationality, etc.
All sorts of apps use these types of data, including all apps that use personalized advertising.
European Union Privacy Law
If your app is accessible in the European Union (including the UK), you'll need to obey the EU General Data Protection Regulation (GDPR). The GDPR has a broad definition of personal information, just like the CCPA.
The GDPR applies to anyone offering goods or services in the EU or engaging in the "profiling" of people in the EU.
Profiling means building up a profile of a person's preferences or character by observing their behaviors and choices. If your app uses Google Ads, you're engaged in profiling.
Google offers developers a choice between two types of ads:
- Personalized ads which track users' behavior and build up a profile of their preferences over time.
- Non-personalized ads which don't store any information about users' preferences but do measure engagement with ads.
Other Privacy Laws
Most countries have a generally-applicable privacy law, including:
- What personal information your app collects
- How your app uses personal information
- Google's requirements
- Legal requirements
A good starting point is to consider the following questions:
- What personal information does your app collect? Consider all the types of "personal and sensitive information" we covered above
- Why do you need this personal information?
- How do you use this information?
- Who, if anyone, do you share the information with?
To put this in context, let's look at some examples from the Privacy Policies of popular Android apps.
This gives a human touch to what can otherwise be a very dry legal document.
When you're disclosing what type of information your app collects, you should also explain why you collect it. Here's an example from Uber:
Uber says a lot in these two sentences. The Uber app collects device location data, in order to:
- Help drivers find Uber users
- Improve Uber's pickup, navigation, and customer support services
And here's how delivery app Just Eat explains how it shares the information it collects:
Note that you don't necessarily need to provide the name of every company you share personal information with. You can just explain what types of companies you share personal information with.
Here are some examples of how popular apps make their Privacy Policies GDPR compliant.
Here's some of what Uber says about its lawful bases for processing personal information:
- There is an unresolved issue with the user's account
- There is a legal obligation to retain the information
- They need the information in connection with fraud prevention or security
And here's how WhatsApp tells EU users how they can exercise their rights under the GDPR:
- In the Google Play Store with your app listing
- Within your app's menus
- During account setup and login screens
- When taking payments
- Whenever you collect personal information
Google Play Store
Device Access Request
When an app requests access to a user's device storage or device functions, it will usually end up collecting personal information from the device.
When your user signs into their account on a device, their personal information is transmitted from your servers to that device. This is why it's important to provide privacy information when a user signs into their account.
Point of Sale
Do I Have to Comply With Google's Prominent Disclosure Rules?
This means creating a pop-up message within your app to:
- Inform your users about the information you're collecting
- Ask for their consent to collect the information
You must provide a prominent disclosure where:
- You collect personal or sensitive information, and
- Your users might not expect you to collect this data
Google provides some examples of how developers may violate the prominent disclosure requirement:
To put this in context, here's a hypothetical example:
A camera app is likely to require access to the user's camera, so you may not need a prominent disclosure for this.
The camera app might also allow users to share photos with their contacts. Users might not expect a camera app to access their contacts list. Therefore, a prominent disclosure might be required.
Google has two sets of rules about the prominent disclosure requirement:
- Rules about how you provide information to your users
- Rules about how you ask for consent
The disclosure must provide the following information:
- Description of the data collected
- Explanation of how the data will be used
Here's an example from BBC iPlayer:
BBC iPlayer makes the disclosure in the correct way. The disclosure is:
- Within the app itself
- Part of the normal usage of the app
- Not included with any other disclosures
The disclosure also provides the required information, i.e.:
- What information the app is collecting
- How BBC iPlayer will use the data
Google requires that in-app disclosures include a request for consent that is presented in a clear, unambiguous way and that requires an affirmative user action in order to give consent.
An affirmative user action could include ticking a checkbox or tapping to accept. Navigating away from the disclosure is not considered consent.
Personal or sensitive data cannot be collected prior to consent being correctly obtained.
Here's an example from Malwarebytes:
This appears to comply with Google's rules around obtaining consent via a prominent disclosure:
- It presents a clear and unambiguous request
- It requires affirmative action (tapping a button)
- It doesn't auto-expire
- The app does not begin collecting the information until the user has consented
- Navigating away from the disclosure doesn't result in consent
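The following is an added example of how the consent checklist above translates into Android code; it is not taken from the article or from any of the apps named in it. It assumes a classic Activity, a contacts-based photo-sharing feature like the hypothetical camera app above, and placeholder disclosure text you would replace with your own; the runtime READ_CONTACTS permission request is assumed to happen separately, after consent.

```kotlin
// Added example, not from the article: a consent gate that implements Google's
// prominent-disclosure pattern before an unexpected data collection (reading contacts).
// Assumes: a classic Activity; placeholder strings; permission request handled elsewhere.
import android.app.Activity
import android.app.AlertDialog
import android.content.Context

private const val PREFS = "privacy_consent"                      // assumed preference file name
private const val KEY_CONTACTS_CONSENT = "contacts_consent_granted"

/** True only if the user previously tapped "Agree". The default is no consent. */
fun hasContactsConsent(context: Context): Boolean =
    context.getSharedPreferences(PREFS, Context.MODE_PRIVATE)
        .getBoolean(KEY_CONTACTS_CONSENT, false)

private fun saveContactsConsent(context: Context, granted: Boolean) {
    context.getSharedPreferences(PREFS, Context.MODE_PRIVATE)
        .edit().putBoolean(KEY_CONTACTS_CONSENT, granted).apply()
}

/**
 * Shows the disclosure in its own dialog, not bundled with other notices, and runs
 * [onConsented] (the code that actually reads contacts) only after an affirmative tap.
 * Back button and touches outside the dialog are disabled, so navigating away can
 * never be mistaken for consent; the dialog also has no timeout.
 */
fun requireContactsConsent(activity: Activity, onConsented: () -> Unit) {
    if (hasContactsConsent(activity)) {
        onConsented()
        return
    }
    AlertDialog.Builder(activity)
        .setTitle("Sharing photos with contacts")
        // The two items Google requires: what is collected, and how it will be used.
        .setMessage(
            "To let you share photos, this app reads the names and phone numbers in " +
            "your contacts list. They are used only to build the share list on this " +
            "device and are not uploaded or shared with other companies."
        )
        .setCancelable(false)                        // dismissal is not consent
        .setPositiveButton("Agree") { _, _ ->        // clear, affirmative action
            saveContactsConsent(activity, true)
            onConsented()                            // collection starts only here
        }
        .setNegativeButton("No thanks") { _, _ ->
            saveContactsConsent(activity, false)     // feature stays unavailable
        }
        .show()
}
```

Call `requireContactsConsent(this) { shareWithContacts() }` from the share action rather than at app launch, so the disclosure appears as part of normal usage of the feature it concerns.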
- What personal information your app collects
- Why you need this personal information
- How you use this personal information
- Who, if anyone, you share the personal information with
Remember, there are additional requirements if:
- Your app has users in the EU
- Your app collects personal information in ways your users might not expect