After Google received large fines at the beginning of 2022 for breaching privacy requirements, such as the General Data Protection Regulation (GDPR), it has been paying attention to complying with the latest privacy regulations for all of its products. Read about the new requirements for Android apps on Google Play Console.
New Google Play Console Requirements
Increasing privacy requirements for software developers are part of the global online data privacy trend that originated with GDPR in 2018, followed by CCPA in 2020, and other privacy laws. This goes together with the awareness of Internet users and their concerns over how their data is collected, processed, or shared. In response to this, Google introduced new requirements for Google Play Console Android apps.
From July 20, 2022, each app on the Google Play Console must:
- have a Privacy Policy;
- fill out Google's Data Safety Form.
App developers must properly disclose the data they collect, if and how it’s processed or shared with third parties, and more. In addition, they must fill out Google's data safety form to provide details about how they collect, process, and share user data, and must have a Privacy Policy.
What Is a Privacy Policy for Android Apps?
The General Data Protection Regulation (GDPR) requires you to have a Privacy Policy if you collect, use, or share any personal data of your users. If you do not have a Privacy Policy, you may be fined by data protection authorities.
The GDPR applies to all companies that provide services for European citizens, regardless of the place of origin of the companies.
The main purpose of a Privacy Policy is to tell your users that you are collecting their data, what you are using their data for, how their personal data is used, and what your users' rights are.
Privacy Policy requirements
A Google Play Console Privacy Policy should provide the following basic information:
- The owner of the app, including the company name, address, and contacts.
- The users' data that is being collected. How is that data being collected?
- Is the data processed and for what purposes? Is it used for analytics or marketing?
- The third parties, if any, that could access users' data. Will any third party collect data through widgets, like social buttons, or integrations?
- Notify users about their rights. Inform users how they could request to see the data you have on them, to rectify or remove their data. Under European regulations these user rights are mandatory.
- Provide a legal basis for the data collection. Under most privacy laws, you must receive user consent to collect and process their data BEFORE the actual data collection takes place.
- Describe a process for notifying users of changes or updates to the privacy policy.
- Provide the effective date of the privacy policy.
If you use any personal or sensitive user data, you must disclose the use of this data, and how you use it.
Personal or sensitive user data is data that could contain personal or sensitive information and is collected through the following means:
- CALENDAR
- CAMERA
- CONTACTS
- LOCATION
- MICROPHONE
- PAYMENT APPS
- PHONE
- SMS
- STORAGE.
If your app processes personal data for reasons unrelated to the functionality of your app, you’re required to make additional disclosures about this usage and get users' consent to it. In this case, a separate user notice and consent are required in addition to your privacy policy. Do not process the data BEFORE you get consent for it.
The title of your privacy policy should include “privacy policy”.
The privacy policy should be available on an active URL, not a PDF, and should be non-editable.
CookieScript Consent Management Platform can take care of your website's or app's privacy issues. Our Privacy Policy Generator can automatically create a unique and up-to-date Privacy Policy for you.
What Is the Data Safety Form?
Google requires all app owners to complete the data safety form, which is available in the Google Play Console. This information will be shown on the store to help Google Play users understand how your app collects and shares user data before they download the app. After you complete and submit the data safety form, Google will review the information you provide to check whether it complies with the requirements.
According to Google, “Even developers with apps that do not collect any user data are required to complete the data safety form and provide a link to their privacy policy. In this case, the completed form and privacy policy can indicate that no user data is collected or shared”.
In addition, all developers that have an app published on Google Play must complete the data safety form, including apps on closed, open, or production testing tracks.
In the Data Safety Form, the app owners need to disclose the following actions:
Data Collection
“Data collection” means transmitting data from your app off a user’s device. Apps may collect data via third-party libraries, SDKs, or web view.
Apps need to declare all data types they collect, like basic personal information, location data, contacts, phone storage data, or financial information. User data, collected pseudonymously, must also be disclosed.
However, if the data does not leave the user’s device, it is not in scope for data collection for the data safety form.
Data Sharing
“Data sharing” refers to transferring user data collected from your app to a third party. If apps share user data with third parties like service providers or legal authorities, they must disclose this data sharing in the data safety form.
Data Handling
Apps must clarify which data is required and which data is optional for the functionality of the app. Optional data should include the possibility to opt in to or opt out of data collection.
Data Types
App developers must disclose each type of user data they collect, process, and share. It includes information about the user’s or device’s physical location, personal information (name, e-mail address, phone number, user ID, race and ethnicity, political or religious beliefs, sexual orientation), financial information, health and fitness, messages, photos and videos, audio files, data related to calendars and contacts, app activity, and other information about the user.
Purposes
App developers must disclose the purposes for the collection and use of each data type. Purposes include but are not limited to: app functionality, analytics, developer communications, advertising, marketing, fraud prevention, security, personalization, or account management.
In addition to the above-mentioned requirements, you may choose to declare in your data safety form the following actions:
- your app has been independently validated against a global security standard;
- you follow Google Play's Families policy requirements; or
- your app uses encryption in transit to protect the flow of user data from the user’s device to the server.
- Web developers can also explain the data deletion request mechanism.
Differences Between Google Data Safety Form and the GDPR
Google introduced new privacy policy requirements for Google Play Console apps that resemble those of the GDPR. However, filling out the data safety form does not automatically make your app GDPR compliant. Complying with the GDPR and complying with the Google Play Console requirements are different things. The differences include the following (but are not limited to):
Data collection
Google states that if the data is collected but does not leave the user's device, it is not considered data collection, and does not have to be disclosed in the data safety form.
Under the GDPR, however, this type of action is considered data collection and should be disclosed in the privacy policy.
Ephemeral (temporary) data processing
According to Google, if the data is collected and used temporarily, while the data is only stored in memory and retained for no longer than necessary to service the specific action in real time, this is not considered data processing. For example, using users' geo-location for a navigation app is not data processing: the app only keeps location data in memory temporarily and does not store it once the request has been fulfilled.
Under the GDPR, even temporary data processing is considered a collection of personal data and should be disclosed in the privacy policy.
Encrypted data
If the data is encrypted, Google does not require it to be disclosed in the data safety form.
According to the GDPR, encrypted data is still personal data and should be disclosed in the privacy policy.
Data types and purposes
The data safety form asks app owners to provide information about only certain data types, like location, personal information, financial information, etc.
Contrary to this, under the GDPR, all data types should be listed in the privacy policy.
Data Sharing
If an app shares data with service providers for legal purposes or based on a specific action of a user, Google does not consider it data sharing.
In contrast, under the GDPR, such an action is considered data sharing and should be disclosed in the privacy policy.
In conclusion, the GDPR treats personal data collection and processing in a much stricter way. Thus, to have a GDPR compliant privacy policy, you need to disclose more information about how you collect, process, or share users' personal data.
Need a Privacy Policy for your company, website, or app? Use CookieScript Privacy Policy Generator to create a Privacy Policy that complies with the GDPR and other privacy laws.
Frequently Asked Questions
What are the new requirements of Google Play Console?
Starting from July 20, 2022, Google asks app developers to have a Privacy Policy and fill out Google's Data Safety Form. CookieScript Privacy Policy Generator can create your Privacy Policy, which complies with the GDPR and other privacy laws.
What are Google Play Console privacy policy requirements?
A privacy policy should provide the following information: the owner of the app, the users' data that is being collected, whether the data is processed and for what purposes, and the third parties, if any, that could access users' data. App developers should also notify users about their rights and provide a legal basis for the data collection.
What Is the Data Safety Form?
Google requires all app owners to complete the data safety form, which is available in the Google Play Console. This information will be shown on the Google Play Store to help users understand how your app collects and shares user data before they download the app.
Do Privacy Policy requirements apply to all apps or just new apps?
All apps on the Google Play Store must comply with the Google Play Store privacy policy rules. Thus, all existing apps must also update their privacy policy and fill out the data safety form. Use CookieScript to automatically generate your Privacy Policy.
What happens if you fail to comply with Google Play Store Privacy Policy requirements?
Starting from July 20, 2022, Google will reject app submissions and app updates if it detects issues with the data safety form or the privacy policy. Google also warns that it may remove the app altogether if there is an issue with the data safety form.
Are the requirements of the Google Play Console data safety form and the GDPR the same?
No, the GDPR treats personal data collection and processing in a much stricter way. Thus, to have a GDPR compliant privacy policy, you need to disclose more information about how you collect, process, or share users' personal data.