Google Play Store Privacy Policy Requirements

Etienne Cussol CIPP/E, CIPM

September 14, 2023

If you develop apps for the Google Play Store, you’re likely already familiar with their data protection policies.

Since July 20, 2022, all apps approved for the store must have a privacy policy, as outlined in the User Data section of their Play Console Help Center. You must also complete a Data Safety Form and keep it adequately updated.

In this guide, I’ll explain all of the Google Play Store privacy policy requirements so you can properly prepare one for your app.

Table of Contents
  1. Does the Google Play Store Require a Privacy Policy?
  2. Google Play Store Privacy Policy Requirements
  3. What Goes Inside Your Google Play Store Privacy Policy?
  4. What Is the Google Play Safety Section?
  5. How Does Google Enforce Its Privacy Policy Rules?
  6. How Can Termly Help?
  7. Summary

Does the Google Play Store Require a Privacy Policy?

Yes, the Google Play Store requires you to have a privacy policy before publishing an app.

Privacy policies explain your personal data collection and processing activities to the people who use your services. They also inform users about their rights over how their data gets used.

Laws like the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) have strict privacy policy requirements.

Google Play updated its privacy policy expectations in 2022 to require all apps on their store to disclose the types of data they collect, store, and share, regardless of the target audience.

Their privacy policy expectations appear in the User Data section of their Play Console Help Center, screenshotted in part below.

[Screenshot: Play Console Help Center, User Data section]

In their Help Center, Google explains that you must also complete a Data Safety Form consistent with your privacy policy. Read more about it in the screenshot below.

[Screenshot: Google Help Center, Data Safety Form]

Google imposes these privacy obligations on app developers for several reasons. Notably, if you violate any applicable data privacy laws, it takes the liability off Google’s plate and puts it back onto yours.

It also helps ensure that every app on the Play Store respects data privacy and takes it seriously.

Google Play Store’s Compliance With Worldwide Privacy Laws

New and updated data privacy laws worldwide heavily influenced the Google developer “agreements” I’ve covered throughout this guide.

To comply with these global privacy laws, app developers must offer more transparency to their users. So, Google made this transparency a requirement for all apps before they get published in their Play Store.

As a developer, you must clearly and explicitly detail what type of data is collected, why you’re collecting it, with whom you may share it, and how users can control their data.

Google Play Store Privacy Policy Requirements

Let’s cover the specific requirements Google has in place that impact your privacy policy and how your app collects, uses, and stores personal information from users.

What Personal and Sensitive Data Your App Collects

The first clause required in your Google Play Store privacy policy must explain what types of personal and sensitive data your app collects from users.

Types of collected data that you must report include, but aren’t limited to:

  • Personally identifiable information (PII), including name, number, email address, etc.
  • Photos and videos
  • Saved audio files
  • Collected data shared with third parties
  • Data pinpointing a user’s approximate or precise location
  • Inventory of other apps on the device
  • SMS and call-related data
  • Financial and payment information
  • Health-related data

If you fall under specific privacy laws with their own definition of sensitive data, such as the GDPR and the CCPA, you must also report it based on the obligations outlined by those pieces of legislation.

You also need to present the information in an easy-to-read and understandable format and cannot leave anything out.

Explanation of How You Use Personal Data

The Play Store also requires app developers to disclose why personal data are collected. For example, some reasons could include:

  • App functionality
  • Personalization of content and recommendations
  • Analytics about how users use the app
  • Fraud prevention and security
  • Communications from developers

If you fall under specific privacy laws, you must also only collect data based on the obligations outlined by those pieces of legislation.

Prominent Disclosure

Google specifies in their Play Console Help Center that you must limit the collection, access, use, and sharing of personal and sensitive data to purposes that are “reasonably expected by the user.”

To collect data in a way that’s not reasonably expected by the user, like background collection that happens when users aren’t engaged with your app, you must provide a prominent disclosure that:

  • Exists within the app itself, not just in the description or on a website
  • Is displayed in the normal usage of the app and doesn’t require the user to navigate to a specific menu or settings
  • Describes the data being accessed or collected
  • Explains how that data will be used and/or shared
  • Exists in multiple locations and not just within your privacy policy or terms of service
  • Is not included with other disclosures unrelated to personal data collection

Consent

Along with prominently disclosing your app’s privacy policy, the Google Play Store also requires that you request in-app user consent and runtime permissions immediately before the disclosure appears.

Your consent request must meet all of the following guidelines:

  • Be presented using a consent dialog that is unambiguous
  • Require an affirmative user action (i.e., tapping to accept or ticking a check-box)
  • Not assume that navigating away from the disclosure counts as consent
  • Not use expiring messages or auto-dismissing as a means of consent

You must also obtain consent from your users before your app collects or accesses their personal and sensitive data.

Deceptive Behaviors

Google introduced new guidelines covering deceptive behaviors in August 2023. Your app cannot make any misleading or false claims, including the information you put in your privacy policy.

Read more about the Google Play Store’s Deceptive Behavior Policy in the screenshot below.

[Screenshot: Google Play Store Deceptive Behavior Policy]

Adding this to their Developer guidelines allows Google to take further disciplinary action if an app violates their terms.

If you change your app’s systems, you must notify users, obtain their consent, and allow that consent to be reversible.

Additionally, deceptive behaviors and techniques used to evade the app review process are also no longer allowed.

Sensitive Personal Information

You must disclose your use of any API that accesses sensitive personal information in your privacy policy to get approved for the Google Play Store.

Google outlines some additional requirements regarding sensitive information and APIs.

Notably, the request for this data must make sense to users, and you should only request permissions and access to this highly vulnerable data if it’s necessary for implementing current features or services in your app as promoted in your Google Play listing.

You can read more about this in the screenshot below.

[Screenshot: Google Play Store privacy policy, Sensitive Personal Information]

Data Deletion Policy

To give consumers more control over their data, Google introduced new account deletion requirements to their User Data Policy that go into effect December 7, 2023.

The account deletion methods and their impact on your data retention policy must go in your privacy policy.

If users can create accounts in your app, you must provide a way for them to request to delete said account.

Options must be readily available to users within and outside your app. If you post one of these methods on your website, you must include a link to that page in a designated field within your Play Console.

You must also delete all user data associated with that app account unless you must retain the information for legitimate reasons, like security, fraud prevention, or regulatory compliance.

Protecting Children’s Data

Google describes data privacy guidelines for apps that target children in their Google Play Families Policy.

If you target an audience that includes children, you must disclose the collection of any personal and sensitive data — including through APIs or Software Development Kits (SDKs).

You must follow all applicable privacy regulations, many of which now require verifiable parental consent before collecting any information from a user under 13.

You can see more details in the screenshot below.

[Screenshot: Google Play Families Policy, Protecting Children’s Data]

Google also explains that you must ensure your app fully complies with the Children’s Online Privacy Protection Act (COPPA).

These strict requirements followed a 2018 study by the International Computer Science Institute, which found that over half of the free Android apps in the “Designed For Families” section of the Google Play Store showed signs of violating child privacy rules.

What Goes Inside Your Google Play Store Privacy Policy?

According to Google’s Play Console Help Center, your privacy policy must include:

  • Developer information and a point of contact or mechanism to submit inquiries about privacy
  • The types of personal and sensitive user information your app accesses, collects, uses, and shares (and any third-parties with which the data is shared)
  • Your secure data handling procedures for personal and sensitive user data
  • Your data retention policy and deletion policy
  • A clear title or label denoting the document to be a privacy policy

Additionally, if your app is subject to any data privacy laws, you must also meet all privacy obligations outlined by those pieces of legislation.

In this next section, I’ll focus on the clauses the Google Play Store requires you to have in your privacy policy.

Developer Information and a Privacy Point of Contact

You must include proper developer details in your app’s privacy policy to get approved for the Play Store.

Additionally, you need a request mechanism or privacy point of contact so your app users can submit inquiries regarding your privacy practices.

See how the music streaming app Spotify writes this clause, which they put at the end of their policy, in the screenshot below.

[Screenshot: Spotify, Developer Information and Privacy Point of Contact]

What Data You Collect

You must include a clause in your app’s privacy policy that explains what data you collect, access, use, and process. The Play Store won’t publish your app without this clause.

See how the video streaming platform Disney+ writes this clause in their privacy policy.

[Screenshot: Disney+ privacy policy clause]

Any Third Parties You Share Data With

If you share personal data from your app users with any third parties, you must disclose that information in your Google Play Store privacy policy clause.

This includes data shared through APIs or SDKs.

Below, see an example of how the social media service Snapchat writes this clause.

[Screenshot: Snapchat, personal data of app users and third parties]

Your Secure Handling Procedures

The Google Play Store developer guidelines require you to explain your safety and security practices regarding user data somewhere in your privacy policy.

See a sample of this clause from Spotify’s privacy policy below.

[Screenshot: Spotify privacy policy, Secure Handling Procedures]

Your Data Retention and Deletion Policy

You must also explain your data retention and deletion policy to get approved for the Google Play Store.

Remember, if you allow your users to make an account, you must also allow them to delete that account and all associated data.

See a sample of how Disney+ handles this clause below.

[Screenshot: Disney+ privacy policy, Data Retention and Deletion Policy]

What Is the Google Play Safety Section?

Since April 2022, Google Play’s safety section has been in place to help users make more informed decisions about the apps they download and install on their mobile devices.

Every app published on the Google Play Store must declare how it collects, protects, and handles private user data by filling out this form.

The safety section in Google Play informs users and helps them understand:

  • What type of data an app collects
  • Why the app collects that data
  • Which data is shared with third-parties
  • Whether users have control over their data
  • If the information is optional or needed for app functionality
  • How the app protects data through security practices like encryption

Every app published to the Google Play Store must have a fully completed Safety Section, and it’s your responsibility to keep it updated so it always remains accurate.

Below, see two examples of the data safety section in the Google Play listing for Snapchat.

[Screenshots: Snapchat data safety section on Google Play]

Next, let’s talk about how the Play Store’s safety section came to be.

A Timeline of the Play Store Safety Section

Google’s Play Store safety section was rolled out over about one year, starting in May 2021, until it fully took effect in April 2022.

Below, see a screenshot of the timeline of these policies as it appeared on the Android Developers Blog.

[Screenshot: Android Developers Blog, timeline of policies]

Next, let’s go over the history of these Google Play Store developer policies in more detail.

October 2021: Declarations Begin

In October 2021, developers were required to complete and submit the Data Safety questionnaire in the “App privacy & security” section on the App content page in the Google Play Console.

Some feedback and guidance became available at this stage, app submissions continued, and privacy policy links started appearing on all app listing pages.

Early 2022: Safety Section Becomes Visible

In early 2022, users could view the then-new safety section on the Google Play Store.

Google rejected any new app submissions that didn’t adequately meet the safety policy.

Additionally, content wasn’t displayed to users if there were inconsistencies in any information.

All apps also included a working privacy policy link as a part of the app safety section.

April 2022: Deadline for All New and Existing Apps

Finally, by April 2022, the new safety section required all Play Console apps to be consistent and compliant.

This marked the final deadline, and any apps that didn’t adapt to the new rules faced penalties.

Google rejected new apps and updates if they found any discrepancies in the information provided (or if unresolved issues within the questionnaire remained).

Since this date, completing the “App privacy & security” section has been mandatory. You must now link a privacy policy in your app’s safety section and disclose all third-party providers to your users.

Google has removed all existing apps on the Play Store that continued to not comply with the new rules.

How Does Google Enforce Its Privacy Policy Rules?

If Google finds that a developer misrepresented their data collection practices, the developer has to correct the misrepresentation immediately. Apps that fail to comply may be suspended or removed from the app store.

You could also face fines or other legal troubles, depending on what laws apply to your app.

How Can Termly Help?

Termly can help you make a privacy policy for your app that meets all requirements outlined by the Google Play Store.

I highly recommend our Privacy Policy Generator. It asks basic questions about your app and its data collection and makes a unique policy based on your answers.

It can even help you comply with data privacy laws like the GDPR and the CCPA.

See a sample of what it looks like below.

[Screenshot: Termly Privacy Policy Generator]

We also offer a privacy policy template that you can download and customize to fit the needs of your mobile app. Templates take more work, as you’ll have to fill in the blank sections with information about your app.

But they’re an excellent solution for simple apps that don’t collect very much (or any) personal data from users.

Below, see an example of what it looks like.

[Screenshot: Termly privacy policy template]

Summary

You’re now caught up on all the data privacy and privacy policy obligations the Google Play Store requires.

Google does its best to keep up with new and changing data privacy laws, which means its policies are subject to change (but always with notice!).

So check back often to see if and when anything adapts and how it may impact your Play Store privacy policy.

Etienne is an Information Privacy professional and compliance analyst for Termly. He has been with us since 2021, managing our own compliance with data protection laws and participating in our marketing research. His fields of expertise and interest include data protection (GDPR, ePrivacy Directive, CCPA), tracking technologies (third-party cookies, fingerprinting), and new forms of privacy management (GPC and the Google Privacy Sandbox). Etienne studied International Economic Affairs at the University of Toulouse and graduated with a Masters in 2017.