Google introduced stricter requirements for Google Play Store apps concerning privacy policies and disclosure.
From July 20, 2022, each app must have a privacy policy.
This privacy policy must include specific details about the access, collection, use, and sharing of personal data.
In addition, from July 20, 2022, apps must fill out Google's data safety form to provide details about how they collect, use and share user data.
Google Play Store New Requirements
All Apps Must Have a Privacy Policy
Previously, an app had to include a privacy policy if it was processing personal and sensitive user data.
However, the new Google guideline states that all apps need to have a privacy policy even if they don't collect or share personal or sensitive user data.
Furthermore, each app’s privacy policy must cover specific details described by Google.
Google Asks Apps to Fill Out the Data Safety Form
In addition to having a privacy policy, all Android apps must provide more comprehensive information about collecting, using and sharing personal and sensitive user data by filling out Google's data safety form.
What Is a Privacy Policy?
When using personal data, you must tell your users what you are using their data for, how you use their data, and what their rights are. It’s best to have this written down in a document called a privacy policy.
Here is our Ultimate Guide to Privacy Policies if you want to learn more.
What Is the Data Safety Form?
Google requires all app owners to complete the data safety form by July 20, 2022. It is available in the Google Play Console. The form consists of questions related to how the app processes user data.
Once Google approves the form and the app, the users will be able to see the details on how you use user data in Google Play’s Data safety section.
It will be shown to Google Play users before they download your app to help them understand how you collect and share user data.
The form requires app owners to disclose the following:
Data Collection
“Collect” means transmitting data from your app OFF (or outside) a user’s device.
Apps need to declare all data types they collect, such as basic personal information, location data, and financial information.
Also, apps may collect data via SDKs, webview, and third-party libraries.
If the data does not leave the user’s device, it is not data collection for the purpose of the data safety form.
Data Sharing
“Sharing” refers to transferring user data collected from your app to a third party.
Apps may disclose user data to third parties such as service providers and legal authorities. If they do, they must disclose this data sharing in the data safety form.
Data Handling
Apps must clarify which data is required and which data is optional.
Data Types
Apps must disclose each type of user data they collect, use, and share. Data types include the user’s or device’s physical location, name, e-mail address, phone number, financial information, photos and videos, audio files, calendar and contacts data, activity in the app, and other information about the user.
Purposes
Apps must disclose the purposes for the use and collection of each data type. For instance, purposes include but are not limited to: app functionality, analytics, advertising, marketing, and fraud prevention.
Other app and data disclosures
The data safety form enables apps to show users extra security measures they take. For example, apps may disclose that they encrypt data in transit. Furthermore, they can explain the data deletion request mechanism.
What Should Your Google Play Store Privacy Policy Include?
Google’s User Data Guidelines list the elements that must be included in your Google Play Store privacy policy:
developer information and a privacy point of contact or a mechanism to submit enquiries
You need to provide your app’s name and information such as your name or business name, address, and other relevant details. Furthermore, you need to give details of a contact person so that users can get in touch with their inquiries. Alternatively, you can create a mechanism for users to submit their questions and concerns.
disclosing the types of personal and sensitive user data that your app accesses, collects, uses and shares; and any parties with which any personal or sensitive user data is shared
You must list all data types you access, collect, use and share. This may cover basic personal information such as name, e-mail address and financial information.
While you can take the Data Safety Section’s list of data types as a reference, Google explicitly stated that this is not an exhaustive list. Therefore, you must disclose all types of user data you collect and use.
secure data handling procedures for personal and sensitive user data
Your privacy policy must explain how you ensure the security and confidentiality of user data. For example, this may include technical measures you apply, such as encryption.
the developer’s data retention and deletion policy
Your privacy policy should describe data retention periods, how you delete user data, and other details of your data retention and deletion practices.
clear labelling as a privacy policy (e.g. listed as "privacy policy" in the title)
The title should include “privacy policy”.
The privacy policy must be available at an active URL (not a PDF) and must be non-editable.
Does This Apply to All Apps or Just New Apps?
All apps on the Google Play Store must comply with the new Google Play Store privacy policy rules.
Therefore, all existing apps must also update their privacy policy and fill out the data safety form.
What if You Fail Google Play Store Privacy Policy Requirements?
In its User Data Policy, Google explains how it will enforce the new requirements and describes the enforcement actions.
Furthermore, it highlights two critical deadlines and their consequences for the apps:
From Late April 2022
App users will be able to see the Google Play Data safety section and learn how each app collects and uses data.
From July 20, 2022
Google will reject app submissions and app updates if it detects issues with the data safety form or the privacy policy.
Furthermore, Google warns that it may remove an app altogether if there is an issue with its data safety form.
The Data Safety Form Does Not Make You GDPR-Compliant
App developers must note that compliance with the General Data Protection Regulation (GDPR) and compliance with the Google Play Store requirements are two different things. The GDPR and the Google Play Store interpret the terms differently and have different disclosure rules.
The Data Safety Form Gives a Different Meaning to “Collection”
Google states that if the data stays on the user device, it is not considered “collection”. Therefore, it does not have to be disclosed in the data safety form.
Under the GDPR, however, this amounts to the collection and should be disclosed in the privacy policy.
Google Considers That Ephemeral (Temporary) Processing of User Data Is Not a Collection
According to Google, “collection” is not taking place if user data is accessed and used while the data is only stored in memory and retained for no longer than necessary to service the specific request in real-time.
As an example of temporary use of data, Google mentions a weather app that transmits user location from the device to fetch the current weather at the user's location. It only uses location data in memory and does not store it once the request has been fulfilled.
The GDPR does not have such an exception, and this example would be considered a collection of personal data.
If the Data Is End-To-End Encrypted, the Data Safety Form Does Not See It as a Collection
By contrast, encrypted data is still personal data under the GDPR and should be disclosed in the privacy policy.
The Data Safety Form Does Not Include All Data Types and Purposes
The data safety form asks the app owners about a limited number of data types. In contrast, under the GDPR, all data types should be listed in a privacy policy.
Google Data Safety Form Gives a Different Meaning to “Sharing”
Google does not consider it data “sharing” when an app transfers data to service providers, transfers it for legal purposes, or transfers it based on a specific user-initiated action or consent.
However, a GDPR-compliant privacy policy should list this as data sharing.
To Sum Up
Google’s requirements contain many exceptions from the requirement to disclose information. However, not all of these exceptions are the same under the GDPR.
Thus, to have a GDPR-compliant privacy policy, you need to disclose more information about how you collect, share and otherwise use personal data.
Is a GDPR-Compliant Privacy Policy Enough?
Having a GDPR-compliant privacy policy is not enough to comply with the Google Play Store requirements because, in addition, you must:
- Fill in the data safety form
- Make sure that your privacy policy is clearly labelled as a privacy policy
- Describe secure data handling procedures for personal and sensitive user data
Also, you should note that the GDPR requires a privacy policy only if you use personal data.
However, Google requires even apps that do not collect any user data to have a privacy policy and a completed data safety form. In this case, the privacy policy and the completed data safety form can state that no user data is collected or shared.
Key Takeaways
If you have an app on the Google Play Store or you are planning to launch a new app, you must consider the new Google Play Store privacy policy requirements.
Google issued a severe warning that if an app fails to meet the new requirements, Google can remove the app from the Play Store after July 20, 2022.
App developers should not confuse the GDPR-compliant privacy policy requirements with the Google Play Store privacy policy requirements. These are two separate and different requirements. Therefore, you should consider Google’s and GDPR’s requirements separately and ensure that the app’s privacy policy complies with both.