On March 15, 2017, Google began removing apps from Google Play, its online marketplace where apps and other digital media are offered for download and use on the Android platform, for failing to comply with Google’s User Data Policy. Google began contacting app developers in February to announce that removals would start in March. Through these actions, Google joins state and federal regulators in their concerted and continued efforts to protect consumer privacy. Are your apps at risk of being removed from Google Play?
Google’s User Data Policy requires two things for apps offered through Google Play that collect personally identifiable information, financial or payment information, authentication information, phonebook or contact data, microphone data, or camera sensor data, all of which Google considers “personal or sensitive user data”: (1) a privacy policy, and (2) secure handling of user information.
Privacy Policy
Apps offered through Google Play must have a compliant privacy policy prominently posted in two places: (1) in the Google Play store listing for the app, and (2) within the app itself. Merely posting a privacy policy is not enough, however – Google will now require app developers to disclose certain information in their privacy policies. In order to avoid the risk of having your app removed by Google from Google Play due to noncompliance with the User Data Policy, consider the following:
- In your privacy policy, are you transparent and clear about how user data is handled? Does your privacy policy clearly address, in particular:
  - What types of data are collected or stored, such as personally identifiable information, financial or payment information, contact data, sensor data, device information, log information, or location (including geolocation) information?
  - How data is collected through your app, such as through active user input, or passively?
  - Ways in which you use user data, such as for developing improvements to your app, communicating with your app users, or other reasons?
  - How you share user data, describing the types of third parties with whom it’s shared, such as advertisers and marketers?
  - What your app users’ options are for updating or changing preferences for data collection (i.e., what are the app’s privacy settings)?
- Does your app collect and transmit personal or sensitive user data that is unrelated to the app’s functionality per its description in the app’s Google Play listing or within the app itself? If so, then in accordance with Google’s new “prominent disclosure” requirement, you must, prior to collection and transmission, (1) conspicuously highlight to your app’s users precisely how their data will be used by you, and (2) obtain such users’ affirmative consent to use that data in the manner described.
To opt out of Google’s requirements, app developers can remove from their app’s functionality any and all requests (both active and passive) for personal or sensitive information.
Secure Handling
Apps offered through Google Play also must handle (i.e., collect, store and transmit) “personal or sensitive” user information in a secure manner. This includes transmitting it using modern cryptography (for example, over HTTPS). Apple recently rolled out a similar secure transmission requirement: on January 1, 2017, Apple began requiring developers of apps offered through Apple’s App Store to enable “App Transport Security,” which forces applicable apps to connect to web services using HTTPS, rather than the unsecure HTTP standard.
Google’s announcement and assurances regarding improving protection of user privacy will also benefit developers. Some of the noncompliant legacy or effectively abandoned apps that Google removes from Google Play through enforcement of its User Data Policy may contain security vulnerabilities. By enforcing its User Data Policy, Google can help promote consumer trust in Google Play: Google’s app removal effort will allow app users to better find apps with up-to-date security protections, and app developers can more easily reach their audience. Google’s latest announcement is just one of many reasons for app developers to be sure to monitor and update their apps’ security protections, and to reconsider and, if necessary, revise their applicable privacy policies.