Google introduced stricter requirements for Google Play Store apps concerning privacy policies and disclosure.
In addition, from July 20, 2022, apps must fill out Google's data safety form to provide details about how they collect, use and share user data.
Google Play Store New Requirements
Google Asks Apps to Fill Out the Data Safety Form
Here is our Ultimate Guide to Privacy Policies if you want to learn more.
What Is the Data Safety Form?
Google requires all app owners to complete the data safety form by July 20, 2022. It is available in the Google Play Console. The form consists of questions related to how the app processes user data.
Once Google approves the form and the app, users will be able to see the details of how you use their data in Google Play’s Data safety section.
It will be shown to Google Play users before they download your app to help them understand how you collect and share user data.
The form asks app owners to disclose the following:
“Collect” means transmitting data from your app OFF (or outside) a user’s device.
Apps need to declare all data types they collect, such as basic personal information, location data, and financial information.
Also, apps may collect data via SDKs, webview, and third-party libraries.
If the data does not leave the user’s device, it is not data collection for the purpose of the data safety form.
“Sharing” refers to transferring user data collected from your app to a third party.
Apps may disclose user data to third parties like service providers and legal authorities. Thus, they must disclose this data sharing in the data safety form.
Apps must clarify which data is required and which data is optional.
Apps disclose each type of user data they collect, use, and share. This includes information about the user’s or device’s physical location, name, e-mail address, phone number, financial information, photos and videos, audio files, data related to calendar and contacts, activity in the app, and other information about the user.
Apps must disclose the purposes for the use and collection of each data type. For instance, purposes include but are not limited to: app functionality, analytics, advertising, marketing, and fraud prevention.
Other app and data disclosures
The data safety form enables apps to show users extra security measures they take. For example, apps may disclose that they encrypt data in transit. Furthermore, they can explain the data deletion request mechanism.
developer information and a privacy point of contact or a mechanism to submit enquiries
You need to provide your app’s name and information, such as your name/business name, address, and other relevant details. Furthermore, you need to give details of a contact person so that users can get in touch with their inquiries. Alternatively, you can create a mechanism for users to submit their questions and concerns.
disclosing the types of personal and sensitive user data that your app accesses, collects, uses and shares; and any parties with which any personal or sensitive user data is shared
All data types you collect, use, access and share. This may cover basic personal information such as name, e-mail and financial information.
While you can take the Data Safety Section’s list of data types as a reference, Google explicitly stated that this is not an exhaustive list. Therefore, you must disclose all types of user data you collect and use.
secure data handling procedures for personal and sensitive user data
the developer’s data retention and deletion policy
Does This Apply to All Apps or Just New Apps?
In its User Data Policy, Google explains how it will enforce the new requirements and describes the enforcement actions.
Furthermore, it highlights two critical deadlines and their consequences for the apps:
From Late April 2022
App users will be able to see the Google Play Data safety section and learn how each app collects and uses data.
From July 20, 2022
Furthermore, Google warns apps that it may also remove the app altogether if there is an issue with the data safety form.
The Data Safety Form Does Not Make You GDPR-Compliant
App developers must note that compliance with the General Data Protection Regulation (GDPR) and compliance with Google Play Store requirements are two different things. The GDPR and the Google Play Store interpret the terms differently and have different disclosure rules.
The Data Safety Form Gives a Different Meaning to “Collection”
Google states that if the data stays on the user device, it is not considered “collection”. Therefore, it does not have to be disclosed in the data safety form.
Google Considers That Ephemeral (Temporary) Processing of User Data Is Not a Collection
According to Google, “collection” is not taking place if user data is accessed and used while the data is only stored in memory and retained for no longer than necessary to service the specific request in real-time.
As an example of temporary use of data, Google mentions a weather app that transmits user location from the device to fetch the current weather at the user's location. It only uses location data in memory and does not store it once the request has been fulfilled.
The GDPR does not have such an exception, and this example would be considered a collection of personal data.
If the Data Is End-To-End Encrypted, the Data Safety Form Does Not See It as a Collection
The Data Safety Form Does Not Include All Data Types and Purposes
Google Data Safety Form Gives a Different Meaning to “Sharing”
Google does not consider it data “sharing” if an app transfers data to service providers, for legal purposes, or based on a specific user-initiated action or consent.
To Sum Up
Google’s requirements contain many exceptions from the requirement to disclose information. However, not all of these exceptions are the same under the GDPR.
- Fill in the data safety form
- Describe secure data handling procedures for personal and sensitive user data
Google issued a severe warning that if an app fails to meet the new requirements, Google can remove the app from the Play Store after July 20, 2022.