Google's rules for the Google Play Android app store changed in 2022. Developers now need to add extra information about how they collect, store and process users' data.
Let's take a look at what Google requires and what you'll need to do to satisfy the requirements.
What Google Already Required
Google already required you to follow broad privacy principles when handling user data. These include the following:
- You must "protect the privacy and legal rights of users."
- You must "provide legally adequate privacy notice and protection" to users who provide personal information.
- You may only use personal data "for the limited purposes for which the user has given you permission to do so."
- You may only store information "securely and only for as long as it is needed."
Here's how Google explains what it means by sensitive data:
Google says the policy you link to must cover what data you collect, use or share, including details of who you share it with. It must also comply with any relevant data privacy laws.
Links to important legal agreements should always be displayed to users before they download your app so they can make sure they are OK with your practices and terms.
What New Information Does Google Require
Google changed its policy to require additional information about data use. This will cover not only what data developers collect and use, but also some technical and practical detail about how it works and affects the customer's use of the app.
Developers have to give details of the types of data they collect. This involves a tickbox or "Yes/No" answers for a series of predefined categories. Google says possible categories include:
- Approximate/precise location
- Audio files
- Personal information such as name or email address
- Photos and videos
- Storage files (non-media)
Developers have to give details of the different ways in which they use personal data. This involves a checklist of yes/no responses. Google hasn't given as many suggestions of what categories the list will cover, mentioning only "app functionality" and "personalization."
Google asks developers a series of questions, known as a safety section, about whether they use specific practices to improve app safety for users. "Safety" in this context refers to the security and privacy of data rather than any physical risks to the user or their device.
Following these practices won't be a requirement when you list an app in Google Play. Instead, the idea is that potential users know whether the app follows the practices, helping them make an informed decision on whether to install and use it.
The questions include the following:
- Does the app use security measures such as encryption? Google hasn't said if this will refer to a specific type or level of encryption.
- Does the app follow Google's Families Policy? This applies if the app is targeted at children, or in cases where the developers don't know if the user is an adult, for example through an age check. The Families Policy brings extra requirements such as making sure both content and ads are appropriate for children and complying with applicable privacy laws.
- Will the app still function if users choose not to provide the requested information?
- If a user decides to uninstall the app, is there a feature in the app to request the developer delete their data?
- Has an independent third party verified the responses to these safety section questions?
Here's how Google demonstrates when to follow its Families policy:
How the Changes Work
Developers can add the required information to their app details in the Google Play console, whether creating a new app or updating details for an existing app.
Initially, the fields for the new information will be optional to complete.
Google's updated policies explicitly require that any information developers provide to meet the requirements is true and accurate. If Google discovers (or is told about) any inaccuracy, it will require the developer to correct it.
If developers fail to provide or correct data, the app becomes subject to "policy enforcement," which could include being removed from the Play Store.
- Your business's name and contact details
- Contact details for your Data Protection Officer (or similar position)
- What personal data you collect from customers (broken down by logical categories)
- How and why you use personal data
- If relevant, what legal basis you rely on to make processing lawful
- What happens if somebody doesn't provide personal data
- Whether you sell or share personal data and, if so, who with
- Whether you use personal data for automated decision making
- How you secure the personal data you store
- How long you keep data
- How people can find out what data you hold about them
- Whether and how they can ask you to delete or correct this data or to provide a copy in portable format
Let's recap what you need to know about Google's changes to app privacy:
- Google already has rules to say app developers using the Play Store must limit their use of personal data and inform users about their privacy practices.
- Starting in 2022, the rules require more specific information. This includes:
  - Details of whether you collect data in certain categories
  - Details of different ways you use data
  - A series of yes/no questions about how you protect data and user privacy rights