If you develop apps for the Google Play Store, you’re likely already familiar with their data protection policies.
Privacy policies explain your personal data collection and processing activities to the people who use your services. They also inform those people about their rights over how their data gets used.
Google imposes these privacy obligations on app developers for several reasons. Notably, if you violate any applicable data privacy laws, the obligations shift liability away from Google and back onto you.
It also helps ensure that every app on the Play Store respects data privacy and takes it seriously.
Google Play Store’s Compliance With Worldwide Privacy Laws
New and updated data privacy laws worldwide heavily influenced the Google developer “agreements” I’ve covered throughout this guide.
To comply with these global privacy laws, app developers must offer more transparency to their users. So, Google made this transparency a requirement for all apps before they get published in their Play Store.
As a developer, you must clearly and explicitly detail what type of data is collected, why you’re collecting it, with whom you may share it, and how users can control their data.
What Personal and Sensitive Data Your App Collects
Types of collected data that you must report include, but aren’t limited to:
- Personally identifiable information (PII), including name, number, email address, etc.
- Photos and videos
- Saved audio files
- Collected data shared with third parties
- Data pinpointing a user’s approximate or precise location
- Inventory of other apps on the device
- SMS and call-related data
- Financial and payment information
- Health-related data
If you fall under specific privacy laws with their own definition of sensitive data, such as the GDPR and the CCPA, you must also report it based on the obligations outlined by those pieces of legislation.
You also need to present the information in an easy-to-read and understandable format and cannot leave anything out.
Explanation of How You Use Personal Data
The Play Store also requires app developers to disclose why personal data are collected. For example, some reasons could include:
- App functionality
- Personalization of content and recommendations
- Analytics about how users use the app
- Fraud prevention and security
- Communications from developers
If you fall under specific privacy laws, you must also only collect data based on the obligations outlined by those pieces of legislation.
Google specifies in their Play Console Help Center that you must limit the collection, access, use, and sharing of personal and sensitive data for purposes that are “reasonably expected by the user.”
To collect data in a way that’s not reasonably expected by the user, like background collection that happens when users aren’t engaged with your app, you must provide a prominent disclosure that:
- Exists within the app itself, not just in the description or on a website
- Is displayed in the normal usage of the app and doesn’t require the user to navigate to a specific menu or settings
- Describes the data being accessed or collected
- Explains how that data will be used and/or shared
- Is not included with other disclosures unrelated to personal data collection
Your consent request must meet all of the following guidelines:
- Be presented using a consent dialog that is unambiguous
- Require an affirmative user action (i.e., tapping to accept or ticking a check-box)
- Not assume that navigating away from the disclosure counts as consent
- Not use expiring messages or auto-dismissing as a means of consent
You must also obtain consent from your users before your app collects or accesses their personal and sensitive data.
Read more about the Google Play Store’s Deceptive Behavior Policy in the screenshot below.
Adding this to their Developer guidelines allows Google to take further disciplinary action if an app violates their terms.
If you change your app’s systems, you must notify users, obtain their consent, and allow that consent to be reversible.
Additionally, deceptive behaviors and techniques used to evade the app review process are no longer allowed.
Sensitive Personal Information
Google outlines some additional requirements regarding sensitive information and APIs.
Notably, the request for this data must make sense to users, and you should only request permissions and access to this highly vulnerable data if it’s necessary for implementing current features or services in your app as promoted in your Google Play listing.
You can read more about this in the screenshot below.
Data Deletion Policy
To give consumers more control over their data, Google introduced new account deletion requirements to their User Data Policy that go into effect December 7, 2023.
If users can create accounts in your app, you must provide a way for them to request to delete said account.
Options must be readily available to users within and outside your app. If you post one of these methods on your website, you must include a link to that page in a designated field within your Play Console.
You must also delete all user data associated with that app account unless you must retain the information for legitimate reasons, like security, fraud prevention, or regulatory compliance.
Protecting Children’s Data
Google describes data privacy guidelines for apps that target children in their Google Play Families Policy.
If you target an audience that includes children, you must disclose the collection of any personal and sensitive data — including through APIs or Software Development Kits (SDKs).
You must follow all applicable privacy regulations, many of which now require verifiable parental consent before collecting any information from a user under 13.
You can see more details in the screenshot below.
Google also explains that you must ensure your app fully complies with the Children’s Online Privacy Protection Act (COPPA).
These strict requirements followed a 2018 study by the International Computer Science Institute, which found that over half of the free Android apps in the “Designed For Families” section of the Google Play Store showed signs of violating child privacy rules.
- Developer information and a point of contact or mechanism to submit inquiries about privacy
- The types of personal and sensitive user information your app accesses, collects, uses, and shares (and any third parties with which the data is shared)
- Your secure data handling procedures for personal and sensitive user data
- Your data retention policy and deletion policy
Additionally, if your app is subject to any data privacy laws, you must also meet all privacy obligations outlined by those pieces of legislation.
Developer Information and a Privacy Point of Contact
Additionally, you need a request mechanism or privacy point of contact so your app users can submit inquiries regarding your privacy practices.
See how the music streaming app Spotify writes this clause, which they put at the end of their policy, in the screenshot below.
What Data You Collect
Any Third Parties You Share Data With
This includes data shared through APIs or SDKs.
Below, see an example of how the social media service Snapchat writes this clause.
Your Secure Handling Procedures
Your Data Retention and Deletion Policy
You must also explain your data retention and deletion policy to get approved for the Google Play Store.
Remember, if you allow your users to make an account, you must also allow them to delete that account and all associated data.
See a sample of how Disney+ handles this clause below.
What Is the Google Play Safety Section?
Since April 2022, Google Play’s safety section has been in place to help users make more informed decisions about the apps they download and install on their mobile devices.
Through this form, every app published on the Google Play Store must declare how it collects, protects, and handles private user data.
The safety section in Google Play informs users and helps them understand:
- What type of data an app collects
- Why the app collects that data
- Which data is shared with third parties
- Whether users have control over their data
- If the information is optional or needed for app functionality
- How the app protects data through security practices like encryption
Every app published to the Google Play Store must have a fully completed Safety Section, and it’s your responsibility to keep it updated so it always remains accurate.
Below, see two examples of the data safety section in the Google Play listing for Snapchat.
Next, let’s talk about how the Play Store’s safety section came to be.
A Timeline of the Play Store Safety Section
Google rolled out the Play Store safety section over about one year, starting in May 2021, until it took full effect in April 2022.
Below, see a screenshot of the timeline of these policies as it appeared on the Android Developers Blog.
Next, let’s go over the history of these Google Play Store developer policies in more detail.
October 2021: Declarations Begin
In October 2021, developers were required to complete and submit the Data Safety questionnaire in the “App privacy & security” section on the App content page in the Google Play Console.
Early 2022: Safety Section Becomes Visible
In early 2022, users could view the then-new safety section on the Google Play Store.
Google rejected any new app submissions that didn’t adequately meet the safety policy.
Additionally, content wasn’t displayed to users if there were inconsistencies in any information.
April 2022: Deadline for All New and Existing Apps
Finally, by April 2022, the new safety section required all Play Console apps to be consistent and compliant.
This marked the final deadline, and any apps that didn’t adapt to the new rules faced penalties.
Google rejected new apps and updates if they found any discrepancies in the information provided (or if unresolved issues within the questionnaire remained).
Google has removed all existing apps on the Play Store that continued not to comply with the new rules.
If Google finds that a developer misrepresented their data collection practices, the developer has to fix the indiscretions immediately. Apps that fail to comply may be suspended or removed from the app store.
You could also face fines or other legal troubles, depending on what laws apply to your app.
How Can Termly Help?
See a sample of what it looks like below.
But they’re an excellent solution for simple apps that don’t collect very much (or any) personal data from users.
Below, see an example of what it looks like.
Google does its best to keep up with new and changing data privacy laws, which means its policies are subject to change (but always with notice!).