After Google received large fines at the beginning of 2022 for breaching privacy requirements, such as the General Data Protection Regulation (GDPR), it has been paying close attention to complying with the latest privacy regulations across all of its products. Read about the new requirements for Android apps on Google Play Console.
New Google Play Console Requirements
Increasing privacy requirements for software developers are part of the global online data privacy trend that originated with GDPR in 2018, followed by CCPA in 2020 and other privacy laws. This goes together with the awareness of Internet users and their concerns over how their data is collected, processed, or shared. In response, Google introduced new requirements for Android apps on the Google Play Console.
From July 20, 2022, each app on the Google Play Console must:
- fill out Google's Data Safety Form.
The GDPR applies to all companies that provide services to European citizens, regardless of where the companies are based.
- The owner of the app, including the company name, address, and contacts.
- The users' data that is being collected. How is that data being collected?
- Is the data processed and for what purposes? Is it used for analytics or marketing?
- The third parties, if any, that could access users' data. Will any third party collect data through widgets, like social buttons, or integrations?
- Notify users about their rights. Inform users how they can request to see the data you have on them, and to rectify or remove their data. Under European regulations, these user rights are mandatory.
- Provide a legal basis for the data collection. Under most privacy laws, you must receive user consent to collect and process their data BEFORE the actual data collection takes place.
If you use any personal or sensitive user data, you must disclose the use of this data, and how you use it.
Personal or sensitive user data is data that could contain personal or sensitive information and is collected through the following means:
- PAYMENT APPS
What Is the Data Safety Form?
Google requires all app owners to complete the data safety form, which is available in the Google Play Console. This information will be shown on the store to help Google Play users understand how your app collects and shares user data before they download the app. After you complete and submit the data safety form, Google will review the information you provide for compliance with the requirements.
In addition, all developers that have an app published on Google Play must complete the data safety form, including apps on closed, open, or production testing tracks.
In the Data Safety Form, the app owners need to disclose the following actions:
“Data collection” means transmitting data from your app off a user’s device. Apps may collect data via third-party libraries, SDKs, or a web view.
Apps need to declare all data types they collect, like basic personal information, location data, contacts, phone storage data, or financial information. User data collected pseudonymously must also be disclosed.
However, if the data does not leave the user’s device, it is not in scope for data collection for the data safety form.
“Data sharing” refers to transferring user data collected from your app to a third party. If apps share user data with third parties like service providers or legal authorities, they must disclose this data sharing in the data safety form.
Apps must clarify which data is required and which data is optional for the functionality of the app. For optional data, users should be able to opt in to or opt out of data collection.
App developers must disclose each type of user data they collect, process, and share. This includes information about the user’s or device’s physical location, personal information (name, e-mail address, phone number, user ID, race and ethnicity, political or religious beliefs, sexual orientation), financial information, health and fitness, messages, photos and videos, audio files, data related to calendars and contacts, app activity, and other information about the user.
App developers must disclose the purposes for the collection and use of each data type. Purposes include but are not limited to: app functionality, analytics, developer communications, advertising, marketing, fraud prevention, security, personalization, or account management.
In addition to the above-mentioned requirements, you may choose to declare in your data safety form the following actions:
- your app has been independently validated against a global security standard;
- you follow Google Play's Families policy requirements; or
- your app uses encryption in transit to protect the flow of user data from the user’s device to the server.
- Web developers can also explain the data deletion request mechanism.
Differences Between Google Data Safety Form and the GDPR
Google introduced new requirements for Google Play Console apps concerning privacy policies like GDPR. However, filling out the data safety form does not automatically make your app GDPR compliant. Compliance with the GDPR and compliance with the Google Play Console requirements are different things. The differences include (but are not limited to) the following:
Google states that if the data is collected but does not leave the user's device, it is not considered data collection, and does not have to be disclosed in the data safety form.
Ephemeral (temporary) data processing
According to Google, if the data is collected and used temporarily, while it is only stored in memory and retained for no longer than necessary to service the specific action in real time, this is not considered data processing. For example, using users' geo-location for a navigation app is not data processing: the app only keeps location data in memory temporarily and does not store it once the request has been fulfilled.
If the data is encrypted, Google does not require it to be disclosed in the data safety form.
Data types and purposes
The data safety form asks app owners to provide information about only certain data types, like location, personal information, financial information, etc.
If an app shares data with service providers for legal purposes or based on a specific action of a user, Google does not consider it data sharing.
Frequently Asked Questions
What are the new requirements of Google Play Console?
What Is the Data Safety Form?
Google requires all app owners to complete the data safety form, which is available in the Google Play Console. This information will be shown on the Google Play Store to help users understand how your app collects and shares user data before they download the app.
Are the requirements of the Google Play Console data safety form and the GDPR the same?