Google's Enhanced Privacy Disclosure Requirements

Written by John Lister (FreePrivacyPolicy Legal writer) and last updated on 20 October 2022.

Google's Enhanced Privacy Disclosure Requirements

Google's rules for the Google Play Android app store changed in 2022. Developers now need to add extra information about how they collect, store and process users' data.

Let's take a look at what Google requires and what you'll need to do to satisfy the requirements.

Our Free Privacy Policy Generator helps you create a custom Privacy Policy for your website and mobile app. Just follow these few simple steps and your Privacy Policy will be ready to display in minutes.

  1. Click on the "Free Privacy Policy Generator" button, located at the top of the website.
  2. Select where your Privacy Policy will be used:

    3. FreePrivacyPolicy: Privacy Policy Generator - Select platforms where your Privacy Policy will be used - Step 1

  3. Answer a few questions about your business:

    4. FreePrivacyPolicy: Privacy Policy Generator - Answer a few questions about your business - Step 2

  4. Enter the country and click on the "Next Step" button:

    5. FreePrivacyPolicy: Privacy Policy Generator - Enter the country - Step 2

  5. Continue with building your Privacy Policy while answering on questions from our wizard:

    6. FreePrivacyPolicy: Privacy Policy Generator - Answer on questions from our wizard - Step 3

  6. Almost done. Now enter your email address where you'd like your new Privacy Policy sent and click on the "Generate" button and you're done.

    FreePrivacyPolicy: Privacy Policy Generator - Enter your email address - Step 4

    That's it. Now you can copy and paste your Privacy Policy code into your website, or link to your hosted Privacy Policy.



What Google Already Required

Google already required you to follow broad privacy principles when handling user data. These include the following:

  • You must "protect the privacy and legal rights of users."
  • You must "provide legally adequate privacy notice and protection" to users who provide personal information.
  • You may only use personal data "for the limited purposes for which the user has given you permission to do so."
  • You may only store information "securely and only for as long as it is needed."

You also have the option to add a URL linking to a Privacy Policy, usually on your own website. If you handle any data that Google defines as sensitive, or your app is aimed at children, you must include this link.

Here's how Google explains what it means by sensitive data:

Google Play Console Help Policy Center: Personal and Sensitive Information section excerpt

Google says the policy you link to must cover what data you collect, use or share, including details of who you share it with. It must also comply with any relevant data privacy laws.

Disney goes a step beyond this requirement by including links not just to its Privacy Policy but also specific information for California residents where privacy laws vary:

Google Play Console Disneyland app listing with Privacy Policy link highlighted

Important legal agreement links should always be displayed to users before they download your app so they can make sure they are ok with your practices and terms.

What New Information Does Google Require

Google changed its policy to require additional information about data use. This will not only cover what data developers collect and use, but some technical and practical detail about how it works and affects the customer's use of the app.

Data Details

Developers have to give details of the types of data they collect. This involves a tickbox or "Yes/No" answers for a series of predefined categories. Google says possible categories include:

  • Approximate/precise location
  • Audio files
  • Contacts
  • Personal information such as name or email address
  • Photos and videos
  • Storage files (non-media)

Data Use

Developers have to give details of the different ways in which they use personal data. This involves a checklist of yes/no responses. Google hasn't given as many suggestions of what categories the list will cover, mentioning only "app functionality" and "personalization."

Safety Section

Google asks developers a series of questions, known as a safety section, about whether they use specific practices to improve app safety for users. "Safety" in this context refers to the security and privacy of data rather than any physical risks to the user or their device.

Following these practices won't be a requirement when you list an app in Google Play. Instead the idea is that potential users know whether the app follows the practices, helping them make an informed decision on whether to install and use it.

The questions include the following:

  • Does the app use security measures such as encryption? Google hasn't said if this will refer to a specific type or level of encryption.
  • Does the app follow Google's Families Policy? This applies if the app is targeted at children, or in cases where the developers don't know if the user is an adult, for example through an age check. The Families Policy brings extra requirements such as making sure both content and ads are appropriate for children and complying with applicable privacy laws.
  • Will the app still function if users choose not to provide the requested information?
  • If a user decides to uninstall the app, is there a feature in the app to request the developer delete their data?
  • Has an independent third-party verified the responses to these safety section questions?

Here's how Google demonstrates when to follow its Families policy:

Google Play Developers: Creating Apps and Games for Children and Families - App Classification and Families Policy image for Target Audience

How the Changes Work

Developers can add the required information to their app details in the Google Play console, whether creating a new app or updating details for an existing app.
Initially, the fields for the new information will be optional to complete.

Accuracy Requirement

Google's updated policies explicitly require that any information developers provide to meet the requirements is true and accurate. If Google discovers (or is told about) any inaccuracy, it will require the developer to correct it.

If developers fail to provide or correct data, the app becomes subject to "policy enforcement," which could include being removed from the Play Store.

Make Sure You Have a Privacy Policy

Make Sure You Have a Privacy Policy

Writing and publishing a Privacy Policy will not only make it easier to comply with new privacy laws (or existing laws which you become subject to as your business grows or changes) but also with Google's Play Store rules.

Exactly what you need in your Privacy Policy will vary depending on which laws affect you. That said, including all of the following information in your Privacy Policy will help keep customers informed and confident, while making sure you are on top of your data privacy management:

  • Your business's name and contact details
  • Contact details for your Data Protection Officer (or similar position)
  • What personal data you collect from customers (broken down by logical categories)
  • How and why you use personal data
  • If relevant, what legal basis you rely on to make processing lawful
  • What happens if somebody doesn't provide personal data
  • Whether you sell or share personal data and, if so, who with
  • Whether you use personal data for automated decision making
  • How you secure the personal data you store
  • How long you keep data
  • How people can find out what data you hold about them
  • Whether and how they can ask you to delete or correct this data or to provide a copy in portable format

Summary

Let's recap what you need to know about Google's changes to app privacy:

  • Google already has rules to say app developers using the Play Store must limit their use of personal data and inform users about their privacy practices.

  • Starting in 2022, the rules require more specific information. This includes:

    • Details of whether you collect data in certain categories
    • Details of different ways you use data
    • A series of yes/no questions about how you protect data and user privacy rights
  • Publishing or reviewing your Privacy Policy now will make it easier to comply with laws and Google's policies as and when they affect you.

About this article

Last updated

This article was last updated on 20 October 2022.

Author

John Lister

FreePrivacyPolicy Legal writer

Category

Disclaimer

Please note that legal information, including legal templates and legal policies, is not legal advice.

Try out our free generators

Free Privacy Policy Generator

Free Cookie Consent

Free Terms and Conditions Generator

Free Cookies Policy Generator

Free Disclaimer Generator

Free EULA Generator

Free Return & Refund Policy Generator



What our customers says

I like the steps to create a Privacy Policy.

— Anonymous



Thank you for making it so simple and easy to create a proper and compliant privacy policy!

— Andrea - Toronto Success Coach



Quick and easy way to secure our company website. Thanks for making this a great user experience.

— Anthony - Canine Behavioral Services



Thank you for your time and help. Setting up a Privacy Policy, and Terms of Service is easier than I thought.

— Casey H - Casis Boutique

Read more from our blog

A Privacy Policy for Facebook Apps: Why and How

A Privacy Policy for Facebook Apps: Why and How

Whether you're a Facebook app developer or simply wish to incorporate a Facebook login option into your mobile application, it will be necessary to meet Facebook's Privacy Policy requirements. This article...

FTC Requirements for Influencers

FTC Requirements for Influencers

The Federal Trade Commission's (FTC) rules regarding influencers and endorsers are a wakeup call to social media stars and brands all over the world. The FTC's mission is to create...

Will a Privacy Policy Satisfy the CCPA/CPRA's Notice at Collection Requirement?

Will a Privacy Policy Satisfy the CCPA/CPRA's Notice at Collection Requirement?

The California Consumer Privacy Act (CCPA/CPRA) requires affected businesses to take several actions, including publishing particular information in particular forms. This includes a narrow list of information when collecting personal data...