Posted by Miks Ulmanis
Google introduced stricter requirements for Google Play Store apps concerning privacy policies and disclosure.
In addition, from July 20, 2022, apps must fill out Google's data safety form to provide details about how they collect, use and share user data.
Here is our Ultimate Guide to Privacy Policies if you want to learn more.
Google requires all app owners to complete the data safety form by July 20, 2022. It is available in the Google Play Console. The form consists of questions related to how the app processes user data.
Once Google approves the form and the app, the users will be able to see the details on how you use user data in Google Play’s Data safety section.
It will be shown to Google Play users before they download your app to help them understand how you collect and share user data.
The form requests the app owners to disclose the following:
“Collect” means transmitting data from your app OFF (or outside) a user’s device.
Apps need to declare all data types they collect, such as basic personal information, location data, and financial information.
Also, apps may collect data via SDKs, webview, and third-party libraries.
If the data does not leave the user’s device, it is not data collection for the purpose of the data safety form.
“Sharing” refers to transferring user data collected from your app to a third party.
Apps may disclose user data to third parties like service providers and legal authorities. Thus, they must disclose this data sharing in the data safety form.
Apps must clarify which data is required and which data is optional.
Apps disclose each type of user data they collect, use, and share. It includes information about the user’s or device’s physical location, name, e-mail address, phone number, financial information, photos and videos, audio files, data related to calendar and contacts, activity in the app, and other information about the user.
Apps must disclose the purposes for the use and collection of each data type. For instance, purposes include but are not limited to: app functionality, analytics, advertising, marketing, and fraud prevention.
The data safety form enables apps to show users extra security measures they take. For example, apps may disclose that they encrypt data in transit. Furthermore, they can explain the data deletion request mechanism.
developer information and a privacy point of contact or a mechanism to submit enquiries
You need to provide your app’s name and information, such as your name/business name, address, and other relevant details. Furthermore, you need to give details of a contact person so that users can get in touch with their inquiries. Alternatively, you can create a mechanism for users to submit their questions and concerns.
disclosing the types of personal and sensitive user data that your app accesses, collects, uses and shares; and any parties with which any personal or sensitive user data is shared
You must disclose all data types you collect, use, access and share. This may cover basic personal information such as name, e-mail and financial information.
While you can take the Data Safety Section’s list of data types as a reference, Google explicitly stated that this is not an exhaustive list. Therefore, you must disclose all types of user data you collect and use.
secure data handling procedures for personal and sensitive user data
the developer’s data retention and deletion policy
On its User Data Policy, Google explains how it will enforce the new requirements and describes the enforcement actions.
Furthermore, it highlights two critical deadlines and their consequences for the apps:
App users will be able to see the Google Play Data safety section and learn how each app collects and uses data.
Furthermore, Google warns apps that it may also remove the app altogether if there is an issue with the data safety form.
App developers must note that compliance with the General Data Protection Regulation (GDPR) and compliance with the Google Play Store requirements are different things. GDPR and Google Play Store interpret the terms differently and have different disclosure rules.
Google states that if the data stays on the user device, it is not considered “collection”. Therefore, it does not have to be disclosed in the data safety form.
According to Google, “collection” is not taking place if user data is accessed and used while the data is only stored in memory and retained for no longer than necessary to service the specific request in real-time.
As an example of temporary use of data, Google mentions a weather app that transmits user location from the device to fetch the current weather at the user's location. It only uses location data in memory and does not store it once the request has been fulfilled.
The GDPR does not have such an exception, and this example would be considered a collection of personal data.
Google does not consider it data “sharing” if an app shares data with service providers, for legal purposes, or based on a specific user-initiated action or consent.
Google’s requirements contain many exceptions from the requirement to disclose information. However, not all of these exceptions are the same under the GDPR.
Google issued a severe warning that if an app fails to meet the new requirements, Google can remove the app from the Play Store after July 20, 2022.