Google's Enhanced Privacy Disclosure Requirements
Beginning in mid-2022, Android developers must add a privacy disclosure to any apps they list in the Google Play Web Store. The disclosure must set out what type of data the app collects from users, how the app processes this data, and whether anyone can verify the developer's privacy claims.
The idea behind the change is to give Android users more control over what happens to their personal information, and to help them decide which apps to share their data with.
Since it's a fairly big change, Google has already released some guidance to help developers understand the new rules, although there's no obligation to comply until around the second quarter of 2022. To help you get a head start on your preparations, though, here's a breakdown of what's new.
- 1. Google's New Privacy Disclosure Requirements
- 2. Who Must Comply With the Privacy Changes
- 3. How to Comply With the New Privacy Requirements
- 3.1. Explain What Data You Collect
- 3.2. Tell Users if the App Complies With Google's Families Policy
- 3.3. Confirm How You Use Personal Data
- 3.4. Tell Users if You Share Their Data
- 3.5. Inform Users About Their Privacy Rights
- 3.6. Set Out Your Security Practices
- 3.7. Explain How You Verified Your Disclosure
- 3.9. Display Your Privacy Details in the Safety Section
- 4. Failure to Comply With Google's Requirements
- 5. Conclusion
Google's New Privacy Disclosure Requirements
Next year, Google will introduce a new "safety section" for Android mobile apps listed in the Web Store. In this section, developers must summarize:
- What data an app collects
- Why you collect the data
- Whether you share data with third parties
- What processes you use to keep personal data safe
- Whether the app complies with Google's Families Policy
- What choices users have regarding the sharing of their data
- Who can verify the declarations you make in the disclosure
As the developer, you'll be responsible for completing this section and ensuring the information provided is accurate. If you don't make accurate statements in your disclosure, Google may force you to take the app down or change your privacy disclosure.
As they're not live yet, it's not entirely clear what the disclosures will look like. However, the disclosure may look similar, at least in design, to the "Privacy practices" section for apps listed on the Chrome Web Store.
Here's an example from Grammarly for Chrome so you have an idea what we mean. Users can click on the drop-down menus to learn more about your data usage policies, including what data you collect, how you determine someone's location, and who you share the data with:
Who Must Comply With the Privacy Changes
You must comply if you're a developer hosting an Android app on the Google Play Web Store. Even if you're not collecting any personal data from your users, you should state this clearly so people know this before they download or engage with your app in any way.
The good news is that if you're already hosting your app on another platform such as the Chrome Web Store, you'll already have the basic information you need to generate a privacy disclosure for the Google Play Store.
- Disclosure: A summary of your key privacy practices, created using Google's own online template which will go live later in 2021 or early 2022. It should be succinct and easy for the average person to read before they use your app.
How to Comply With the New Privacy Requirements
Now we've established what the new requirements involve and why Google made the changes, let's break down the steps you'll probably need to follow to comply.
Explain What Data You Collect
First, tell users if your app collects personal data. Personal data means anything you could use to identify one particular person, so it includes obvious markers like names but also less obvious markers such as IP addresses.
In your privacy disclosure, be as specific as possible about what type of personal data you collect. Use broad language such as "for example" so that you're not limited to the items you list and your disclosure also covers similar identifiers.
Grammarly for Chrome, for example, collects data like names and email addresses:
Tell Users if the App Complies With Google's Families Policy
The Families Policy is all about keeping kids safe online. The goal is to ensure that minors don't download apps with mature or unsuitable content. So, it's likely the new privacy disclosure will ask you questions to confirm things like:
- If your app targets children under 13
- Whether you collect personal data belonging to children
- What measures you have in place to protect this data, given its sensitive nature
Also, if you don't want children under 13 to download or use your app, confirm in this section that your app is not aimed at minors. If you're concerned that your marketing might attract a younger audience, consider making some adjustments to the colors and adverts you use before going live.
You might find it helpful to get some legal advice before drafting this section if you're unsure how to comply with the Families Policy.
Confirm How You Use Personal Data
Be clear about what you do with the personal or sensitive data you collect. Examples of ways you might use data include:
- Processing payments
- Communicating with users
- Sharing data with third parties
- Tailoring marketing so it's relevant to each person
Tell Users if You Share Their Data
If you share the data with anyone else, you must declare this in your disclosure. For example, you might share data with:
- Third party payment processors
- Marketing companies
- Business partners
You may also need to declare specifically why you share data with these third parties.
Inform Users About Their Privacy Rights
Every user has certain rights regarding who can have their data and what they can use it for. Most likely, you'll need to specify the difference between:
- Essential data: Information you must collect in order for the app to work properly, and
- Non-essential data: Information you don't need but you want permission to collect for marketing purposes
Be clear about the differences so people know what data they can decide not to share with you.
Set Out Your Security Practices
When you collect personal data from individuals, you need safeguards in place to protect it. Otherwise, you leave potentially highly sensitive data vulnerable to cyberattacks and data breaches. So, to comply with Google's new requirements, you'll need to specify if you have sufficient security in place such as data encryption or multi-factor authentication.
If you don't have cybersecurity measures yet, now's the time to devise a security strategy and decide how you plan on protecting the data you collect. That way, when it's time to draft your privacy disclosure, you will already know what you're going to include.
Explain How You Verified Your Disclosure
As of yet, there's not much guidance around what the verification process involves. However, it'll probably involve confirmation from an independent third party that your disclosure is accurate. You may need to provide contact details so users can reach this third party.
If you can't verify your statements, in the interests of transparency, you will probably need to say this in your disclosure. Users can then decide if they're happy to place their trust in you or if they want to wait until you're verified.
We expect Google to provide more information regarding this particular verification process within the coming months.
- Add information about your business: your website and/or app.
- Select the country:
- Answer the questions from our wizard relating to what type of information you collect from your users.
- If you collect personal data
- Why you need the data and how it's used
- Whether you use third party tracking technology, such as cookies or web beacons
- What rights people have regarding the processing of their personal information
- How users can opt-out of marketing communications and other analytics or data gathering processes
- Where people can contact you to either exercise their rights or find out more
Display Your Privacy Details in the Safety Section
Luckily, it's easy to know where to display your new disclosure, since you fill out the form and Google automatically places the information in the right section.
It's not clear where the safety section will appear yet, but Google will provide more details on this in the coming months. What's fairly likely, though, is that if you don't complete the disclosure once the feature goes live, users will be able to see that it's missing, which could affect whether they download your app or use its features.
Failure to Comply With Google's Requirements
If you don't publish a privacy disclosure to comply with Google's new rules, then you're violating the Developer Distribution Agreement you agreed to before using the platform.
Under this Agreement, Google can remove your app from the Store or stop users from downloading it. This is all set out in Section 8.3 of the Distribution Agreement:
As per Section 10, Google can also stop you from using the platform entirely:
If Google deletes your account, they won't accept any new apps from you:
In other words, it's crucial you comply with the new rules because otherwise you risk losing access to the Google Play Store. Remember, you have until mid-2022 to prepare your disclosure though, so if you're unsure how to write it or you need more help with compliance, it's worth getting some legal advice.
Conclusion
If you have an Android app in the Google Play Store, then you will need a privacy disclosure. You must fill in the form when Google rolls it out for completion so the data can go in Google Play's new "safety section."
The enhanced requirements are similar to the "nutrition labels" introduced by Apple earlier in 2021, and the whole idea is to ensure users know what's happening to their data when they use your app.
To comply with the new rules for Android mobile apps in Google Play, your disclosure must explain:
- If you collect personal data
- How you collect this information
- What happens to the information e.g., who do you share it with
- Whether you collect sensitive personal information
- How users can exercise their privacy rights
- How you can verify the contents of your disclosure
If you don't post this disclosure within the safety section of Google Play by mid-2022, your app could be removed from the Google Store. And if you make false claims, Google may ask you to change your disclosure or, again, Google could remove your app from use.