Google's rules for the Google Play Android app store are changing in 2022. Developers will need to add extra information about how they collect, store and process users' data.
Let's take a look at what Google will soon start requiring and what you'll need to do to satisfy the requirements.
What Google Already Requires
While the new rules will cover specific points, Google already requires you to follow broad privacy principles when handling user data. These include the following:
- You must "protect the privacy and legal rights of users."
- You must "provide legally adequate privacy notice and protection" to users who provide personal information.
- You may only use personal data "for the limited purposes for which the user has given you permission to do so."
- You may only store information "securely and only for as long as it is needed."
Here's how Google explains what it means by sensitive data:
Google says the policy you link to must cover what data you collect, use or share, including details of who you share it with. It must also comply with any relevant data privacy laws.
Important legal agreement links should always be displayed to users before they download your app so they can make sure they are OK with your practices and terms.
What New Information Will Google Require
Google is changing its policy to require additional information about data use. This will cover not only what data developers collect and use, but also some technical and practical detail about how it works and affects the customer's use of the app.
Developers will have to give details of the types of data they collect. This will most likely involve a tickbox or "Yes/No" answers for a series of predefined categories. Google says possible categories include:
- Approximate/precise location
- Audio files
- Personal information such as name or email address
- Photos and videos
- Storage files (non-media)
Developers will have to give details of the different ways in which they use personal data. This is again likely to involve a checklist of yes/no responses. Google hasn't given as many suggestions of what categories the list will cover, mentioning only "app functionality" and "personalization."
Google will also ask developers a series of questions, known as a safety section, about whether they use specific practices to improve app safety for users. "Safety" in this context refers to the security and privacy of data rather than any physical risks to the user or their device.
Following these practices won't be a requirement when you list an app in Google Play. Instead, the idea is that potential users know whether the app follows the practices, helping them make an informed decision on whether to install and use it.
The questions will include the following:
- Does the app use security measures such as encryption? Google hasn't said if this will refer to a specific type or level of encryption.
- Does the app follow Google's Families Policy? This applies if the app is targeted at children, or in cases where the developers don't know if the user is an adult, for example through an age check. The Families Policy brings extra requirements such as making sure both content and ads are appropriate for children and complying with applicable privacy laws.
- Will the app still function if users choose not to provide the requested information?
- If a user decides to uninstall the app, is there a feature in the app to request the developer delete their data?
- Has an independent third party verified the responses to these safety section questions?
Here's how Google demonstrates when to follow its Families Policy:
How the Changes Will Work
Developers can add the new required information to their app details in the Google Play console, whether creating a new app or updating details for an existing app.
Initially, the fields for the new information will be optional to complete. They will be mandatory from a deadline at some point in 2022, as we detail below.
Google's updated policies will explicitly require that any information developers provide to meet the new requirements is true and accurate. If Google discovers (or is told about) any inaccuracy, it will require the developer to correct it.
If developers fail to provide or correct data, the app becomes subject to "policy enforcement," which could include being removed from the Play Store.
Preparing for Google's Required Changes
Here's what will happen, and when:
- Google plans to release the full details of the changes in the third quarter of 2021
- Developers can start adding the extra information from the fourth quarter of 2021
- The information (when provided) will start appearing in Google Play store listings from the first quarter of 2022
- All new apps will have to include the extra information from a yet-to-be-announced deadline in the second quarter of 2022
All existing apps will have to include the extra information on a similar timescale. The most likely implementation is that existing apps must add the extra information before the first update they issue after the update. Google hasn't yet confirmed what will happen with apps that are no longer updated.
While it won't be mandatory to provide Google with the newly required information until 2022, it's well worth checking now that you have all the answers.
Several privacy laws that may already apply to your app require you to provide specific details to customers or offer them privacy choices. Key examples include:
- The General Data Protection Regulation (GDPR) applies if your app is available in a European Union country, if your business has a presence in the EU, or if you process data from the app in the EU. It says you must tell customers what data you collect, why you use it, and whether you share it. It also says you must have a legal basis to process personal data, most commonly that you can show the user has actively consented to the processing.
- The Children's Online Privacy Protection Act (COPPA) applies if your app is targeted at US children aged under 13 or you know such children are using it. If so, you must get the permission of a parent or guardian to collect personal data about the child. You must verify the parent or guardian's identity.
- Your business's name and contact details
- Contact details for your Data Protection Officer (or similar position)
- What personal data you collect from customers (broken down by logical categories)
- How and why you use personal data
- If relevant, what legal basis you rely on to make processing lawful
- What happens if somebody doesn't provide personal data
- Whether you sell or share personal data and, if so, who with
- Whether you use personal data for automated decision making
- How you secure the personal data you store
- How long you keep data
- How people can find out what data you hold about them
- Whether and how they can ask you to delete or correct this data or to provide a copy in portable format
Let's recap what you need to know about Google's changes to app privacy:
- Google already has rules to say app developers using the Play Store must limit their use of personal data and inform users about their privacy practices.
- Starting in 2022, the rules will change to require more specific information. This includes:
  - Details of whether you collect data in certain categories
  - Details of different ways you use data
  - A series of yes/no questions about how you protect data and user privacy rights
- You can start providing the information through the Google Play console from the fourth quarter of 2021. The deadline for all new and updated apps to provide the information will be some time in the second quarter of 2022.
- Several laws that could affect app developers already require similar information. These include the GDPR, COPPA and CalOPPA.