Google announced it will be rolling out a “Data Safety” section for apps listed on its app marketplace, Google Play, similar to Apple’s Privacy Nutrition Labels. The Data Safety section will provide consumers with a summary of an app’s privacy and security practices, including but not limited to what user data an app “collects” or “shares”. App developers (“Developers”) must complete the Data Safety form by July 20, 2022. Notably, Google has not implemented a tracking opt-in, like Apple Tracking Transparency, in association with the Data Safety initiative. As your app’s Data Safety disclosure will serve as a de facto additional privacy notice of your organization, development and product teams should consult with the legal/privacy counsel as they populate the information. Below, we provide high-level instructions on populating the Data Safety Form (“Form”) and additional Google privacy requirements. If you are interested in further information on this topic, we have detailed guidance on Google Data Safety, as well as Apple’s Privacy Nutrition Labels and App Tracking Transparency requirements, including detailed instructions on how to complete the forms (with screenshots), available for a fixed fee.
Timeline for Compliance
Apps published on Google Play must display a Data Safety section by July 20, 2022.
Google’s guidance states that an app (including updates) will not be published on Google Play if the Developer does not provide the required information or if the Developer fails to address issues identified by Google. Google has advised that it may take anywhere from 1-2 weeks for Data Safety updates to reflect on an app’s Google Play listing, and maybe more if issues are identified during the review process. Therefore, Developers should plan the timing of their Form submissions accordingly.
How to Add Data Safety Section
To populate the information into the Data Safety section, the Developer must submit a Form through Play Console, Google’s Developer portal. Google will use the Developer’s responses to the Form to evaluate an app’s compliance with Google’s privacy-related requirements.
At a high level, Developers must declare the following categories of information in the Form:
- What data types are “collected” by the app, including app data transferred off device, but excluding certain types of collection activities. The enumerated data types include, but are not limited to, location information, personal information, financial information, health and fitness information, device and other IDs. “Collect,” as defined by Google in its guidance, includes, among others, data transferred off device (1) that is pseudonymous data; or (2) through libraries and/or SDKs whether by the Developer or its third party partner. “Collect” excludes (1) user data accessed by the app not sent off the user’s device; or (2) user data treated with end-to-end encryption so that it is unreadable to anyone other than the sender and recipient.
- The purposes for using and processing the data collected, on a data type-by-data type basis. The purposes are enumerated and include: app functionality, analytics, developer communications, advertising or marketing, fraud prevention, personalization, and account management.
- How the app “shares” user data collected by the app, on a data type-by-data type basis. For example, “sharing” includes off-device server-to-server transfers, on-device transfer to another app, transfers from the app directly to third parties (g., via SDKs embedded in-app), or transferring app data to a third-party web view. It excludes, for example, app data transfers to service providers performing services on behalf of the Developer.
- Information on any other privacy and security practices (g., whether app encrypts data in transit, or if app has a way for users to request deletion of their data).
Although Google’s Data Safety section shares similarities with what must be disclosed in Apple’s App Privacy section (also commonly referred to as Apple’s “Privacy Nutrition Labels”), the information required by both are not identical. In addition, Apple requires Developers to complete a separate form than what is required by Google. Therefore, Developers must assess their app disclosures separately and submit different forms, depending on whether they are publishing on Google Play or the Apple App Store.
Other Privacy-Related Legal Requirements for Google Play Apps
In addition to the required disclosures for the Data Safety section discussed above, Google also has numerous other privacy-specific requirements for Developers that publish apps on Google Play, including but not limited to the following:
- The app must be transparent regarding how it handles user data and disclose information pertaining to how the app accesses, collects, uses, and shares user data.
- The app must limit its use of the data it collects to the purposes disclosed to the user.
- The app must comply with Google’s restrictions on how an app may access personal and sensitive data (g., no publishing or disclosure of personal or sensitive user data related to financial or payment activities or any government identification numbers).
- If the app has third-party code (g., SDKs), the Developer must ensure that the third-party code in the app is also compliant with the Google Developer Program policies.
- The app must comply with both Google Play requirements and all applicable privacy and data protection laws.