On March 1, Google updated its Play Store policies with a host of changes that took effect on March 15, including a requirement that app developers post a privacy policy to the store listing and provide certain in-app privacy disclosures.

Google Play’s Developer Policy Center summarized the company’s position on privacy and security, stating “You must be transparent in how you handle user data (e.g., information provided by a user, collected about a user, and collected about a user’s use of the app or device), including by disclosing the collection, use, and sharing of the data, and you must limit use of the data to the description in the disclosure.”

If an app handles personal or sensitive data—defined to include personally identifiable information, financial and payment information, authentication information, phonebook or contact data, microphone and camera sensor data, and sensitive device data—then the app must include a privacy policy within the app itself and in the store listing. Further, user data must be handled securely and transmissions must be sent using modern cryptography (over HTTPS, for example).

The privacy policy must “comprehensively” disclose how data is collected, used and shared, and the types of parties with whom the data is shared. Apps that monitor or track a user’s behavior on a device must present users with a persistent notification and a unique icon that “clearly” identifies the app, Google mandated.

In addition, if the app collects personal data unrelated to the app’s functionality, then it must “prominently” highlight how that data will be used prior to the collection and ensure that the user provides affirmative consent for such use.

More specific requirements were added for certain types of data. An app that handles financial or payment information must “never publicly disclose any personal or sensitive user data related to financial or payment activities,” and the unauthorized publishing or disclosure of people’s nonpublic phonebook or contact information is forbidden.

Google provided examples of common violations, such as apps that fail to treat a user’s inventory of installed apps, or the user’s phone and contact books, as personal or sensitive data; such practices run afoul of the company’s Privacy Policy, Secure Transmission, and Prominent Disclosure requirements.

The full privacy and security requirements are published in Google Play’s Developer Policy Center.

Why it matters: The updated privacy requirements are a must-read for all app developers, particularly as Google has been sending letters to nudge developers into compliance, cautioning them that their app could be removed from the store if it fails to meet the new requirements.