Google's Enhanced Privacy Disclosure Requirements

Google's rules for the Google Play Android app store are changing in 2022. Developers will need to add extra information about how they collect, store and process users' data.

While the full details of what's required aren't yet available, there's enough information to begin preparing for the change. It also serves as a good opportunity to review your Privacy Policy.

Let's take a look at what Google will soon start requiring and what you'll need to do to satisfy the requirements.


What Google Already Requires

While the new rules will cover specific points, Google already requires you to follow broad privacy principles when handling user data. These include the following:

  • You must "protect the privacy and legal rights of users."
  • You must "provide legally adequate privacy notice and protection" to users who provide personal information.
  • You may only use personal data "for the limited purposes for which the user has given you permission to do so."
  • You may only store information "securely and only for as long as it is needed."

You also have the option to add a URL linking to a Privacy Policy, usually on your own website. If you handle any data that Google defines as sensitive, or your app is aimed at children, you must include this link.

Our Free Privacy Policy Generator helps you create a custom Privacy Policy for your website and mobile app. Just follow these few simple steps and your Privacy Policy will be ready to display in minutes.

  1. Click on the "Free Privacy Policy Generator" button, located at the top of the website.
  2. Select where your Privacy Policy will be used.
  3. Answer a few questions about your business.
  4. Enter the country and click on the "Next Step" button.
  5. Continue building your Privacy Policy by answering the questions from our wizard.
  6. Almost done. Now enter the email address where you'd like your new Privacy Policy sent and click on the "Generate" button.

That's it. Now you can copy and paste your Privacy Policy code into your website, or link to your hosted Privacy Policy.

Here's how Google explains what it means by sensitive data:

Google Play Console Help Policy Center: Personal and Sensitive Information section excerpt

Google says the policy you link to must cover what data you collect, use or share, including details of who you share it with. It must also comply with any relevant data privacy laws.

Disney goes a step beyond this requirement by including links not just to its Privacy Policy but also specific information for California residents where privacy laws vary:

Google Play Console Disneyland app listing with Privacy Policy link highlighted

Important legal agreement links should always be displayed to users before they download your app so they can make sure they are ok with your practices and terms.

What New Information Will Google Require

Google is changing its policy to require additional information about data use. This will not only cover what data developers collect and use, but some technical and practical detail about how it works and affects the customer's use of the app.

Data Details

Developers will have to give details of the types of data they collect. This will most likely involve a tickbox or "Yes/No" answers for a series of predefined categories. Google says possible categories include:

  • Approximate/precise location
  • Audio files
  • Contacts
  • Personal information such as name or email address
  • Photos and videos
  • Storage files (non-media)

Data Use

Developers will have to give details of the different ways in which they use personal data. This is again likely to involve a checklist of yes/no responses. Google hasn't given as many suggestions of what categories the list will cover, mentioning only "app functionality" and "personalization."

Safety Section

Google will also ask developers a series of questions, known as a safety section, about whether they use specific practices to improve app safety for users. "Safety" in this context refers to the security and privacy of data rather than any physical risks to the user or their device.

Following these practices won't be a requirement when you list an app in Google Play. Instead the idea is that potential users know whether the app follows the practices, helping them make an informed decision on whether to install and use it.

The questions will include the following:

  • Does the app use security measures such as encryption? Google hasn't said if this will refer to a specific type or level of encryption.
  • Does the app follow Google's Families Policy? This applies if the app is targeted at children, or in cases where the developers don't know if the user is an adult, for example through an age check. The Families Policy brings extra requirements such as making sure both content and ads are appropriate for children and complying with applicable privacy laws.
  • Will the app still function if users choose not to provide the requested information?
  • If a user decides to uninstall the app, is there a feature in the app to request the developer delete their data?
  • Has an independent third party verified the responses to these safety section questions?

Here's how Google demonstrates when to follow its Families policy:

Google Play Developers: Creating Apps and Games for Children and Families - App Classification and Families Policy image for Target Audience

How the Changes Will Work

Developers can add the new required information to their app details in the Google Play console, whether creating a new app or updating details for an existing app.
Initially, the fields for the new information will be optional to complete. They will be mandatory from a deadline at some point in 2022, as we detail below.

The new requirements won't affect the existing requirement or option to link to a Privacy Policy, even if that policy repeats any of the information you submit through the Google Play console.

Accuracy Requirement

Google's updated policies will explicitly require that any information developers provide to meet the new requirements is true and accurate. If Google discovers (or is told about) any inaccuracy, it will require the developer to correct it.

If developers fail to provide or correct data, the app becomes subject to "policy enforcement," which could include being removed from the Play Store.

Preparing for Google's Required Changes

Here's what will happen, and when:

  • Google plans to release the full details of the changes in the third quarter of 2021
  • Developers can start adding the extra information from the fourth quarter of 2021
  • The information (when provided) will start appearing in Google Play store listings from the first quarter of 2022
  • All new apps will have to include the extra information from a yet-to-be-announced deadline in the second quarter of 2022

All existing apps will have to include the extra information on a similar timescale. The most likely implementation is that existing apps must add the extra information before the first app update they issue after the policy change. Google hasn't yet confirmed what will happen with apps that are no longer updated.

While it won't be mandatory to provide Google with the newly required information until 2022, it's well worth checking now that you have all the answers.

Several privacy laws that may already apply to your app require you to provide specific details to customers or offer them privacy choices. Key examples include:

  • The General Data Protection Regulation (GDPR) applies if your app is available in a European Union country, if your business has a presence in the EU, or if you process data from the app in the EU. It says you must tell customers what data you collect, why you use it, and whether you share it. It also says you must have a legal basis to process personal data, most commonly that you can show the user has actively consented to the processing.
  • The Children's Online Privacy Protection Act (COPPA) applies if your app is targeted at US children aged under 13 or you know such children are using it. If so, you must get the permission of a parent or guardian to collect personal data about the child. You must verify the parent or guardian's identity.
  • The California Online Privacy Protection Act (CalOPPA) applies if your app gathers or uses data about people in California. It specifically requires that you publish a Privacy Policy that covers what types of data you collect, who you share it with, how people can access and correct their personal data, and how you will let them know about any changes to your Privacy Policy.

Make Sure You Have a Privacy Policy

Writing and publishing a Privacy Policy will not only make it easier to comply with new privacy laws (or existing laws which you become subject to as your business grows or changes) but will save time when Google's new Play Store rules take effect in 2022.

Exactly what you need in your Privacy Policy will vary depending on which laws affect you. That said, including all of the following information in your Privacy Policy will help keep customers informed and confident, while making sure you are on top of your data privacy management:

  • Your business's name and contact details
  • Contact details for your Data Protection Officer (or similar position)
  • What personal data you collect from customers (broken down by logical categories)
  • How and why you use personal data
  • If relevant, what legal basis you rely on to make processing lawful
  • What happens if somebody doesn't provide personal data
  • Whether you sell or share personal data and, if so, who with
  • Whether you use personal data for automated decision making
  • How you secure the personal data you store
  • How long you keep data
  • How people can find out what data you hold about them
  • Whether and how they can ask you to delete or correct this data or to provide a copy in portable format

Summary

Let's recap what you need to know about Google's changes to app privacy:

  • Google already has rules to say app developers using the Play Store must limit their use of personal data and inform users about their privacy practices.
  • Starting in 2022, the rules will change to require more specific information. This includes:

    • Details of whether you collect data in certain categories
    • Details of different ways you use data
    • A series of yes/no questions about how you protect data and user privacy rights
  • You can start providing the information through the Google Play console from the fourth quarter of 2021. The deadline for all new and updated apps to provide the information will be some time in the second quarter of 2022.
  • Several laws that could affect app developers already require similar information. These include the GDPR, COPPA and CalOPPA.
  • Google already requires some app listings to include a link to a Privacy Policy.
  • Publishing or reviewing your Privacy Policy now will make it easier to comply with laws and Google's policies as and when they affect you.