Google announced it will roll out a “Data Security” section for apps listed on its app marketplace, Google Play, similar to Apple’s privacy nutrition labels. The Data Security section will provide consumers with a summary of an App’s privacy and security practices, including but not limited to User Data that an App “collects” or “shares”. Application developers (“Developers”) must complete the data security form before July 20, 2022. Notably, Google has not implemented opt-in tracking, such as Apple Tracking Transparency, in association with the Data Safety initiative. As your application’s data security disclosure will serve as your organization’s de facto supplemental privacy notice, development and product teams should consult with legal/privacy counsel as they complete the information. Below, we provide high-level instructions on completing Google’s data security form (“Form”) and additional privacy requirements. If you want more information on this topic, we have detailed guidance on Google’s data security, as well as Apple’s requirements for privacy nutrition labels and app tracking transparency, including step-by-step instructions on how to complete the forms (with screenshots), available for a flat fee.
Apps published on Google Play must display a data security section by July 20, 2022.
Google’s guidelines state that an application (including updates) will not be published on Google Play if the developer does not provide the required information or if the developer does not fix the problems identified by Google. Google has indicated that it can take between 1 and 2 weeks for data security updates to be reflected on an app’s Google Play listing, and possibly longer if issues are identified during the review process. Therefore, developers should plan the timing of their form submissions accordingly.
How to add a data security section
To fill in the information in the Data Security section, the developer must submit a form through Play Console, Google’s developer portal. Google will use the developer’s responses to the form to assess an app’s compliance with Google’s privacy requirements.
At a high level, developers should declare the following categories of information in the form:
What types of data are “collected” by the app, including app data transferred off-device, but excluding certain types of collection activities. The data types listed include, but are not limited to, location information, personal information, financial information, health and fitness information, devices, and other identifiers. “Collect”, as defined by Google in its guidelines, includes, among other things, data transferred off-device (1) that is pseudonymous data; or (2) via libraries and/or SDKs, either by the Developer or its third party partner. “Collect” excludes (1) user data accessed by the app that is not sent from the user’s device; or (2) User Data processed with end-to-end encryption so that it is unreadable to anyone other than the sender and recipient.
The purposes for which the collected data is used and processed, on a data type by data type basis. The listed purposes include: application functionality, analytics, developer communications, advertising or marketing, fraud prevention, personalization, and account management.
How the app “shares” user data collected by the app, on a data type by data type basis. For example, “sharing” includes off-device server-to-server transfers, on-device transfer to another app, app transfers directly to third parties (e.g., via in-app SDKs), or by pushing app data to a third-party webview. This excludes, for example, transfers of Application Data to service providers performing services on Developer’s behalf.
Information about any other privacy and security practices (e.g., whether the app encrypts data in transit or whether the app allows users to request deletion of their data).
Although Google’s Data Security section shares similarities with what must be disclosed in Apple’s Application Privacy section (also commonly referred to as Apple’s “Nutritional Privacy Labels”), the information required by the two is not identical. Additionally, Apple requires developers to complete a separate form from that required by Google. Therefore, developers must separately assess their app’s disclosures and submit different forms, depending on whether they publish on Google Play or Apple’s App Store.
Other privacy-related legal requirements for Google Play apps
In addition to the disclosures required for the data security section discussed above, Google also has many other privacy-specific requirements for developers publishing apps on Google Play, including, but not limited to, the following:
The app should be transparent about how it processes user data and disclose information about how the app accesses, collects, uses, and shares user data.
The application must limit its use of the data it collects to the purposes communicated to the user.
The app must follow Google’s restrictions on how an app can access personal and sensitive data (e.g., no publication or disclosure of personal or sensitive user data related to financial or payment activities or any government identification number).
If the app contains third-party code (e.g., an SDK), the developer must ensure that the application’s third-party code also complies with the Google Developer Program policies.
In-app disclosure (e.g., via a privacy notice) should inform users how the app accesses, collects, uses and shares personal and sensitive data. This in-app disclosure cannot be aggregated with other in-app disclosures that are not related to personal and sensitive data. For example, this disclosure should appear separately from the app’s terms of service.
The app must comply with Google Play requirements and all applicable privacy and data protection laws.
Key points to remember
© Copyright 2022 Squire Patton Boggs (USA) LLP
National Law Review, Volume XII, Number 132