Google's Enhanced Privacy Disclosure Requirements

by Jennifer L. Legal writer.
Beginning in mid-2022, Android developers must add a privacy disclosure to any apps they list in the Google Play Web Store. The disclosure must set out what type of data the app collects from users, how the app processes this data, and whether anyone can verify the developer's privacy claims.

The idea behind the change is to give Android users more control over what happens to their personal information, and to help them decide which apps to share their data with.

Since it's a fairly big change, Google has already released some guidance to help developers understand the new rules, although there's no obligation to comply until around the second quarter of 2022. To help you get a head start on your preparations, though, here's a breakdown of what's new.


Google's New Privacy Disclosure Requirements

Next year, Google will introduce a new "safety section" for Android mobile apps listed in the Web Store. In this section, developers must summarize:

  • What data an app collects
  • Why you collect the data
  • Whether you share data with third parties
  • What processes you use to keep personal data safe
  • Whether the app complies with Google's Families Policy
  • What choices users have regarding the sharing of their data
  • Who can verify the declarations you make in the disclosure

As the developer, you'll be responsible for completing this section and ensuring the information provided is accurate. If you don't make accurate statements in your disclosure, Google may force you to take the app down or change your privacy disclosure.

As they're not live yet, it's not entirely clear what the disclosures will look like. However, the disclosure may look similar, at least in design, to the "Privacy practices" section for apps listed on the Chrome Web Store.

Here's an example from Grammarly for Chrome so you have an idea what we mean. Users can click on the drop-down menus to learn more about your data usage policies, including what data you collect, how you determine someone's location, and who you share the data with:

Grammarly for Chrome - Chrome Web Store listing: Privacy Practices tab

So, privacy disclosures are essentially a summary where you set out, at a glance, the key clauses from your more detailed Privacy Policy to give users some helpful context.

Who Must Comply With the Privacy Changes

You must comply if you're a developer hosting an Android app on the Google Play Web Store. Even if you're not collecting any personal data from your users, you should state this clearly so people know this before they download or engage with your app in any way.

The good news is that if you're already hosting your app on another platform such as the Chrome Web Store, you'll already have the basic information you need to generate a privacy disclosure for the Google Play Store.

Privacy Disclosure v. Privacy Policy

To be clear, a privacy disclosure is not the same as a Privacy Policy.

  • Disclosure: A summary of your key privacy practices, created using Google's own online template which will go live later in 2021 or early 2022. It should be succinct and easy for the average person to read before they use your app.
  • Policy: A document setting out, in more detail, how you process personal data provided by users upon downloading or using your app. If you collect personal data, i.e., any data which may be used to identify a certain person, you must have a Privacy Policy.

In other words, you'll need both a disclosure and a Privacy Policy to comply with Google's new requirements.

How to Comply With the New Privacy Requirements

Now we've established what the new requirements involve and why Google made the changes, let's break down the steps you'll probably need to follow to comply.

Explain What Data You Collect

First, tell users if your app collects personal data. Personal data means anything you could use to identify one particular person, so it includes obvious markers like names but also less obvious markers such as IP addresses.

In your privacy disclosure, be as specific as possible about what type of personal data you collect. Use broad language such as "for example" so that you're not limited to the items you list and similar identifiers are covered too.

Grammarly for Chrome, for example, collects data like names and email addresses:

Grammarly for Chrome - Chrome Web Store listing: Privacy Practices tab - Personally Identifiable Information section

You can always lift this information from your Privacy Policy. Just make sure it's accurate before you do so.

Tell Users if the App Complies With Google's Families Policy

The Families Policy is all about keeping kids safe online. The goal is to ensure that minors don't download apps with mature or unsuitable content. So, it's likely the new privacy disclosure will ask you questions to confirm things like:

  • If your app targets children under 13
  • Whether you collect personal data belonging to children
  • What measures you have in place to protect this data, given its sensitive nature

Also, if you don't want children under 13 to download or use your app, confirm in this section that your app is not aimed at minors. If you're concerned that your marketing might attract a younger audience, consider making some adjustments to the colors and adverts you use before going live.

You might find it helpful to get some legal advice before drafting this section if you're unsure how to comply with the Families Policy.

Confirm How You Use Personal Data

Be clear about what you do with the personal or sensitive data you collect. Examples of ways you might use data include:

  • Processing payments
  • Communicating with users
  • Sharing data with third parties
  • Tailoring marketing so it's relevant to each person

While you can set out the reasons in more detail in your Privacy Policy, it's crucial you highlight how you're using personal data in the disclosure. This way, users can quickly decide if they're happy sharing the data with you.

Tell Users if You Share Their Data

If you share the data with anyone else, you must declare this in your disclosure. For example, you might share data with:

  • Third party payment processors
  • Marketing companies
  • Business partners

You may also need to declare specifically why you share data with these third parties.

Inform Users About Their Privacy Rights

Every user has certain rights regarding who can have their data and what they can use it for. Most likely, you'll need to specify the difference between:

  • Essential data: Information you must collect in order for the app to work properly, and
  • Non-essential data: Information you don't need but you want permission to collect for marketing purposes

Be clear about the differences so people know what data they can decide not to share with you.

And finally, make sure people know if they can ask you to erase their data if they decide to delete your app. If for any reason this isn't possible, set out the reasons why in your Privacy Policy.

Set Out Your Security Practices

When you collect personal data from individuals, you need safeguards in place to protect it. Otherwise, you leave potentially highly sensitive data vulnerable to cyberattacks and data breaches. So, to comply with Google's new requirements, you'll need to specify if you have sufficient security in place such as data encryption or multi-factor authentication.

If you don't have cybersecurity measures yet, now's the time to devise a security strategy and decide how you plan on protecting the data you collect. That way, when it's time to draft your privacy disclosure, you will already know what you're going to include.

Explain How You Verified Your Disclosure

As of yet, there's not much guidance around what the verification process involves. However, it'll probably involve confirmation from an independent third party that your disclosure is accurate. You may need to provide contact details so users can reach this third party.

If you can't verify your statements, in the interests of transparency, you will probably need to say this in your disclosure. Users can then decide if they're happy to place their trust in you or if they want to wait until you're verified.

We expect Google to provide more information regarding this particular verification process within the coming months.

Draft a Privacy Policy

Remember, you still need a Privacy Policy if you host Android mobile apps on the Google Play Store.

Need a Privacy Policy? Our Privacy Policy Generator will help you create a custom policy that you can use on your website and mobile app. Just follow these few easy steps:

  1. Click on "Start creating your Privacy Policy" on our website.
  2. Select the platforms where your Privacy Policy will be used and go to the next step.

    PrivacyPolicies.com: Privacy Policy Generator - Select platforms - Step 1

  3. Add information about your business: your website and/or app.

    PrivacyPolicies.com: Privacy Policy Generator - Add your business info - Step 2

  4. Select the country:

    PrivacyPolicies.com: Privacy Policy Generator - Add your business info - Step 2

  5. Answer the questions from our wizard relating to what type of information you collect from your users.

    PrivacyPolicies.com: Privacy Policy Generator - Answer questions from our wizard - Step 3

  6. Enter your email address where you'd like your Privacy Policy sent and click "Generate".

    PrivacyPolicies.com: Privacy Policy Generator - Enter your email address - Step 4

And you're done! Now you can copy or link to your hosted Privacy Policy.

You should link to the Policy within the "Developer" bar of the "Additional Information" section underneath your app. Here's an example of where you can find the Privacy Policy for a Game of Thrones app in the Google Play Store:

Game of Thrones Google Play Store listing: Additional Information section with Privacy Policy link highlighted

While the exact requirements vary depending on which jurisdiction you're in, every Privacy Policy needs, at minimum, clauses explaining:

  • If you collect personal data
  • Why you need the data and how it's used
  • Whether you use third party tracking technology, such as cookies or web beacons
  • What rights people have regarding the processing of their personal information
  • How users can opt-out of marketing communications and other analytics or data gathering processes
  • Where people can contact you to either exercise their rights or find out more
  • How you'll communicate any changes in your Privacy Policy to users

Your Privacy Policy is an opportunity to provide more detail on your privacy disclosure. Use clear, user-friendly language and break your clauses into short paragraphs to improve readability.

If you're unsure what to include in your Privacy Policy, check out our Privacy Policy Template article for more specific guidance on creating the perfect Privacy Policy.

Display Your Privacy Details in the Safety Section

Luckily, it's easy to know where to display your new disclosure, since you fill out the form and Google automatically places the information in the right section.

It's not clear where the safety section will appear yet, but Google will provide more details on this in the coming months. What's fairly likely, though, is that if you don't complete the disclosure once the feature goes live, users will be able to see that it's missing, which could affect whether they download your app or use its features.

Failure to Comply With Google's Requirements

If you don't publish a privacy disclosure to comply with Google's new rules, then you're violating the Developer Distribution Agreement you agreed to before using the platform.

Under this Agreement, Google can remove your app from the Store or stop users from downloading it. This is all set out in Section 8.3 of the Distribution Agreement:

Google Play Developer Distribution Agreement: Section 8.3 - Remove violating apps section

As per Section 10, Google can also stop you from using the platform entirely:

Google Play Developer Distribution Agreement: Section 10.3 - Terminate agreement section

If Google deletes your account, they won't accept any new apps from you:

Google Play Console Help: Account, Registration and Payment Issues - Terminated Account section

In other words, it's crucial you comply with the new rules because otherwise you risk losing access to the Google Play Store. Remember, you have until mid-2022 to prepare your disclosure though, so if you're unsure how to write it or you need more help with compliance, it's worth getting some legal advice.

Conclusion

If you have an Android app in the Google Play Store, then you will need a privacy disclosure. You must fill in the form when Google rolls it out for completion so the data can go in Google Play's new "safety section."

The enhanced requirements are similar to the "nutrition labels" introduced by Apple earlier in 2021, and the whole idea is to ensure users know what's happening to their data when they use your app.

To comply with the new rules for Android mobile apps in Google Play, your disclosure must explain:

  • If you collect personal data
  • How you collect this information
  • What happens to the information, e.g., who you share it with
  • Whether you collect sensitive personal information
  • How users can exercise their privacy rights
  • How you can verify the contents of your disclosure

If you don't post this disclosure within the safety section of Google Play by mid-2022, your app could be removed from the Google Store. And if you make false claims, Google may ask you to change your disclosure or, again, Google could remove your app from use.

Finally, to comply with Google's Terms of Service for developers, always make sure you display a Privacy Policy somewhere noticeable within your app.

Last updated on 28 June 2021
