A Privacy Policy to Satisfy Google's Unwanted Software Policy

by Elizabeth C. Legal writer.
A Privacy Policy to Satisfy Google's Unwanted Software Policy

Developing software can be hard work. There are so many aspects to take into consideration, from creation and market research to specific platforms and target audiences. Things can definitely begin to feel overwhelming.

Things got a bit trickier with Google's implementation of the Unwanted Software Policy.

There have been a few incidences that have encouraged this move on Google's behalf, such as malware sneaking past security defenses and infecting apps and even hidden trackers. A particularly alarming statistic published by Yale Privacy Lab found that "Over 75% of Android apps tested contain trackers that are unknown to their users."

If you're a developer, Google's new policy will affect you regarding requirements around your Privacy Policy.


What is Google's Unwanted Software Policy?

This policy has been designed as an offshoot of Google Safe Browsing, and aims to deter malware and other unwanted or harmful behavior that may occur when users are browsing the web.

Malware is something that every developer should be wary of. Even if your app is created with the best intentions in mind, malware can still inadvertently affect it. Malware is considered to be an application that is designed to install harmful software, like a virus, on a user's device, with the purpose of exploiting their privacy and security.

Google Help: Malware and unwanted software definitions section

There are several different sections and requirements to the Unwanted Software Policy. Let's break each one down to what it says and requires.

Transparent Installation and Upfront Disclosure

This section relates to the software installation itself. The description of your app in the Play Store should be straightforward and easy to understand. This ensures users know exactly what they can expect if/when they download your program.

You should showcase your app as something that can provide value, but you should also be clear on that value. Essentially, you need to detail what your app will do, and this detail needs to be verifiable.

This means your app should have a "valid and verified code signature" that has been "issued by a code-signing authority". This is a great way to verify your identity as the developer and the integrity of your program's code. It's an effective way of establishing trust with your users right from the get-go, which is what every developer should aim for.

Simple Removal

Your software shouldn't be hard to remove from any device. The steps to remove it should be simple to follow, and shouldn't try to deter the user from removal.

Here is an example of behavior that may be deemed as an attempt to deter simple removal:

Excerpt of Simple Removal clause of Google Unwanted Software Policy

After removal, all traces of the software should be gone from the device, and it shouldn't make any configuration changes once removed.

Further, you should also ensure users can deactivate or delete their account easily, and provide clear instructions on how they can do that.

Clear Behavior

This section relates to the behavior of your software. Essentially, it should do exactly what's been described, and nothing further. After installation, it shouldn't access or change any device settings unless explicit permission has been given.

The software also shouldn't spam the user or inject advertising pop-ups on the device. Also, users must be notified about any changes that are made through software updates, and be given the opportunity to make any necessary approvals or permission changes.

Some behavior that the Unwanted Software Policy frowns upon is:

Excerpt of Clear Behavior clause of Google Unwanted Software Policy

Snooping

Snooping involves collecting personal information from users without disclosing that collection and allowing users to approve or deny it.

If your app does need to collect personal information, you need to explain why, in easy-to-understand language. And if you need to collect sensitive information like banking or payment details, you must have proper encryption in place.

Keeping Good Company

The Unwanted Software Policy also considers "keeping good company" to be a crucial aspect. So, even if you're positive your software and related apps are following the policy, if you're associated with software and/or developers that aren't complying, you could be in trouble as well.

This is a key reason why the Unwanted Software Policy is so essential. It aims to hold all software accountable for their own individual behaviors, and is one of the most effective ways to create a safer online environment.

If your app or software is considered unwanted or potentially deceptive, warnings will be issues and it'll be up to you to make changes.

Other Rules and Regulations

On top of the requirements from Google, you're also responsible for ensuring your Privacy Policy adheres to the regulations created by various government bodies, such as the California Online Privacy Protection Act (CalOPPA) and the EU's General Data Protection Regulation (GDPR).

CalOPPA and the GDPR affect app software developers due to the strict requirements regarding what to include in Privacy Policies.

Luckily, both regulations are relatively simple to follow.

For CalOPPA, your Privacy Policy must:

  • Show the most current date your policy is effective from
  • Be conspicuously posted on both your app and any related websites
  • Inform users of the personal information you will be collecting from them, as well as how and why you collect it
  • Let users know if this information will be shared with any third-party apps, and the purpose behind this sharing
  • Enable users to review, change or delete the personal information you've collected from them
  • Tell users how you plan on letting them know about any changes to your Privacy Policy
  • Detail how you respond to Do Not Track signals (the signal that users can set if they choose not to have their web/app activity tracked)

And for the GDPR, your Privacy Policy needs to include the same aspects for CalOPPA, but additionally:

  • The security measures you have in place to protect user data from being breached
  • If you use cookies, and why
  • How users can control their data they share
  • The lawful basis behind your processing of personal data
  • Identify the Data Control and Data Protection Officers (which will likely just be yourself, as the business owner), and how users can contact these Officers
  • Inform users of the eight particular rights they have under the GDPR (which are the rights to be informed, to have access, to rectify incomplete/incorrect data, to erase data, to restrict processing, to retain or reuse data, to object to the use of their data, and the right to protection against automated data processing.)

How to Comply with the Unwanted Software Policy

How to Comply with the Unwanted Software Policy

The Unwanted Software Policy differs from Google Play's Developer Distribution Agreement by narrowing down the app behavior it allows, and that which it will not.

As a developer, you should be aware that Google has several Software Principles that it adheres to in order to provide a safe online environment.

These principles include things like:

  • Upfront disclosure which informs users of the app's specific functions
  • Simple installation and removal, making it easy and obvious to users how they can both install and delete the app from their device
  • Clear, transparent behavior that means the app does what it says it will, and nothing more
  • Full knowledge around the collection of user data, with an adequate Privacy Policy found both on the app itself and in the Google app store

Enforcement of this new policy came into effect on January 30, 2018. After this, warnings began to be handed out to app developers, and continue to occur even today.

The policy also started displaying warning notifications on both apps and their related websites, informing users that the app doesn't request consent where necessary, and doesn't include a Privacy Policy.

This warning system, while great for online users looking to protect their information, can create significant effects for app developers, particularly resulting in lower levels of traffic and downloads.

You might be wondering how this relates to your Privacy Policy. Well, these warnings will be triggered if you don't include certain things within your policy, while also providing users with a clear opportunity to either consent or deny data collection.

To avoid this impacting you, here's what you need to know.

Google has a very clear description of what they do and don't tolerate in their app software, so for full disclosure check out their policy on Privacy, Security and Deception.

This policy covers everything from the user data you'll be downloading, to the permissions required on user devices that will allow your app to work smoothly, as well as what constitutes malicious or deceptive behavior.

It gives a concise description of how you should be transparent about how you are handling user data:

Google Play Privacy Security and Deception Policy: User Data clause

It also includes basic guidelines to follow and notes that you cannot violate the Unwanted Software Policy:

Google Play Privacy Security and Deception Policy: Guidelines clause

There are requirements for what and how you disclose certain aspects of data collection and use that your users may not expect. These requirements include in-app disclosures that request user consent:

Google Play Privacy Security and Deception Policy: Prominent Disclosure Requirement clause

Google offers some examples of violations that occur frequently to help you stay on the right path to compliance:

Google Play Privacy Security and Deception Policy: Examples of common violations section

There are also further parameters around apps that need to access sensitive data, such as banking or e-commerce apps, which you can view in the table below. These requirements range from never publicly disclosing certain types of information, to posting a Privacy Policy that explains aspects of your data collection and sharing:

Google Play Privacy Security and Deception Policy: Excerpt of Activity and Requirement chart

There are a few simple steps you can take to make sure you become compliant and - more importantly - remain compliant. These steps are:

  • Reviewing the Unwanted Software Policy to check if you're violating any rules (even accidentally)
  • Creating a Privacy Policy that covers all the necessary aspects of user safety
  • Asking for explicit consent when collecting certain types of user data
  • Frequently monitoring your software through the Security Issues report for any issues that may have come up, such as malware or deceptive behavior

It's important to review this report often. Failure to do so means you won't be able to fix the issues, and Google may then deem your software as 'unwanted.'

What to Include in Your Privacy Policy

What to Include in Your Privacy Policy

Under the new guidelines, your app's Privacy Policy will now need to be included within the app, and it will need to:

  • Describe the purpose of the app and all its functions in a "clear and unambiguous way"
  • Be easily accessible for users across all devices
  • Describe the information that is being collected, and detail the purpose behind this collection
  • Be separate from your company's Terms of Service

If your app has been classed as unwanted software and you've received warnings to fix it, you can do so within 60 days of receiving the warning. You can also appeal the decision through Google's app verification feature.

PrivacyPolicies.com: Privacy Policy Generator - How to Create your Privacy Policy

Need a Privacy Policy? Our Privacy Policy Generator will help you create a custom policy that you can use on your website and mobile app. Just follow these few easy steps:

  1. Click on "Start creating your Privacy Policy."
  2. Select the platform/s where your Privacy Policy will be used.

  3. PrivacyPolicies.com: Privacy Policy Generator - Create your Privacy Policy - Step 1

  4. Answer the questions related to your entity type and location.
  5. PrivacyPolicies.com: Privacy Policy Generator - Answer questions - Step 2

  6. Answer the questions relating to what type of information you collect from your users.
  7. PrivacyPolicies.com: Privacy Policy Generator - Answer questions about type of information you collect - Step 3

  8. Select all the ways you wish to allow your users to contact you with questions regarding your Privacy Policy.
  9. PrivacyPolicies.com: Privacy Policy Generator - Select ways you wish to allow your users to contact you - Step 4

  10. Select what kind of Privacy Policy you want to create.
  11. PrivacyPolicies.com: Privacy Policy Generator - What kind of Privacy Policy you want - Step 5

  12. Enter your email address where you'd like your Privacy Policy sent and click Create Privacy Policy.
  13. PrivacyPolicies.com: Privacy Policy Generator - Enter your email address - Step 6

  14. Now you can copy or link to your hosted Privacy Policy.
  15. PrivacyPolicies.com: Privacy Policy Generator - Copy or link to your hosted Privacy Policy - Step 7

Here are some examples of popular apps and how they've implemented these requirements.

In its Privacy Policy, LogMeIn describes the mobile analytics software it uses by disclosing what information the software collects and for what purposes. This is a great example of transparency around snooping behavior, by detailing the user activities the software records.

LogMeIn Privacy Policy: Mobile Analytics clause excerpt

Google's Privacy Policy has a great example of disclosing how users can remove and delete specific Google products or their entire account. This helps make removal simple.

Google Privacy Policy: Export and delete your data clause

Adobe describes what types of information it collects through the website, app and desktop app. This helps with the "clear behavior" requirement.

Adobe Privacy Policy: Information collected through Adobe apps and websites clause

One more important thing to remember is to include a link to your Privacy Policy on your app's page within the Google Play Store. This allows potential users to read it before downloading.

Here is an example of Netflix's inclusion of its Privacy Policy link in its Play Store listing.

Netflix Google Play store listing with Privacy Policy and Permissions highlighted

Including Permissions details is another way to be transparent and have clear behavior. Users can see what they'll need to give the app access to when they download the app. In Netflix's case, it's quite a lengthy list of permissions, including phone, media, storage, microphone, identity, contacts and much more:

Screenshot of Netflix Google Play Store listing Permissions details

To comply with Google's Unwanted Software Policy:

  • Have a Privacy Policy available within your app and wherever users can download your app
  • Make your Privacy Policy informative and transparent
  • Allow users to easily remove or uninstall your app
  • Don't team up with distributors or apps that don't follow security protocols
Last updated on 18 February 2020
Article categories
Elizabeth C.

Legal writer.