Google Play has made it a basic requirement to make certain privacy-related disclosures to users, in accordance with applicable law. These disclosures are typically made available to users via a privacy notice that is easily accessible from within the app.
👀 In this comprehensive guide we explain all the main legal privacy requirements for Android apps and how you can easily generate a privacy policy for your app. Let’s dive in!
Here’s what Google had to say in their Developer Policy Center’s User Data guidelines:
You must be transparent in how you handle user data (e.g., information provided by a user, collected about a user, and collected about a user’s use of the app or device), including by disclosing the collection, use, and sharing of the data, and you must limit use of the data to the description in the disclosure. If your app handles personal or sensitive user data, there are additional requirements described below. This policy establishes Google Play’s minimum privacy requirements; you or your app may need to comply with additional restrictions or procedures if required by an applicable law.
However, it is critical to note here that, platform requirements aside, privacy notices are legally required under the vast majority of privacy laws, and particularly under the GDPR.
Generally, failure to adhere to these laws can result in hefty fines, sanctions, audits and/or leave you open to litigation.
Let’s start with the legal minimum requirements.
In addition to the above, you need to make sure that you disclose your use of any of the following “dangerous” permission groups.
These personal or sensitive user data mentioned earlier include:
You have two options:
If your app processes the personal data of users for reasons unrelated to the functionality of your app, you’re required to make additional, easily visible disclosures about this usage and collect user consent where required.
If your app collects and transmits personal or sensitive user data unrelated to functionality described prominently in the app’s listing on Google Play or in the app interface, then prior to the collection and transmission, it must prominently highlight how the user data will be used and have the user provide affirmative consent for such use.
Your in-app disclosure:
- Must be within the app itself, not only in the Play listing or a website;
- Must be displayed in the normal usage of the app and not require the user to navigate into a menu or settings;
- Must describe the type of data being collected;
- Must explain how the data will be used;
- Cannot be included with other disclosures unrelated to personal or sensitive data collection.
Your app’s request for consent:
- Must present the consent dialog in a clear and unambiguous way;
- Must require affirmative user action (e.g. tap to accept, tick a check-box, a verbal command, etc.) in order to accept;
- Must not begin personal or sensitive data collection prior to obtaining affirmative consent;
- Must not consider navigation away from the disclosure (including tapping away or pressing the back or home button) as consent; and
- Must not utilize auto-dismissing or expiring messages.
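The disclosure and consent rules above amount to a small state machine: collection stays blocked until the user takes an affirmative action, and navigating away, dismissing, or a timeout leaves consent un-granted. The following Python model is an added example written for this guide; it is not code from Google Play, iubenda, or any app, and the event names (`accept_tap`, `checkbox_tick`, `back`, `timeout`, and so on) are assumed names a UI layer might report, not a real Android API.

```python
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import Optional


class ConsentState(Enum):
    NOT_ASKED = auto()
    DISCLOSED = auto()   # prominent disclosure is on screen, awaiting user action
    GRANTED = auto()
    DECLINED = auto()


# Hypothetical event names reported by the UI layer (assumption, not a platform API).
# Only these count as affirmative user action under the policy.
AFFIRMATIVE_EVENTS = {"accept_tap", "checkbox_tick", "voice_accept"}
# Navigating away, dismissing, or a timer expiring must never be read as consent.
NON_CONSENT_EVENTS = {"back", "home", "tap_outside", "dismiss", "timeout"}


@dataclass
class ConsentGate:
    purpose: str                 # how the data will be used (shown in the disclosure)
    data_types: tuple            # what is collected (shown in the disclosure)
    state: ConsentState = ConsentState.NOT_ASKED
    audit: list = field(default_factory=list)   # event trail for later review

    def disclosure_text(self) -> str:
        # The disclosure covers only the data types and purpose; nothing unrelated
        # is bundled in, as the policy requires.
        return f"We collect {', '.join(self.data_types)} to {self.purpose}."

    def show_disclosure(self) -> str:
        self.state = ConsentState.DISCLOSED
        self.audit.append("disclosed")
        return self.disclosure_text()

    def handle_event(self, event: str) -> ConsentState:
        if self.state != ConsentState.DISCLOSED:
            raise RuntimeError("consent events are only valid while the disclosure is shown")
        self.audit.append(event)
        if event in AFFIRMATIVE_EVENTS:
            self.state = ConsentState.GRANTED
        elif event == "decline_tap":
            self.state = ConsentState.DECLINED
        elif event in NON_CONSENT_EVENTS:
            # The dialog neither auto-dismisses nor expires: we keep waiting.
            self.state = ConsentState.DISCLOSED
        else:
            raise ValueError(f"unknown event {event!r}")
        return self.state

    def may_collect(self) -> bool:
        return self.state == ConsentState.GRANTED


def collect_analytics(gate: ConsentGate, payload: dict) -> Optional[dict]:
    """Return the payload that would be transmitted, or None while collection is blocked."""
    if not gate.may_collect():
        return None
    return payload


if __name__ == "__main__":
    # Constructed walk-through: location data used for a purpose unrelated to core functionality.
    gate = ConsentGate(purpose="personalise advertising", data_types=("precise location",))
    print(gate.show_disclosure())
    gate.handle_event("back")                         # still DISCLOSED, nothing sent
    print(collect_analytics(gate, {"lat": 48.85}))    # None
    gate.handle_event("checkbox_tick")                # GRANTED
    print(collect_analytics(gate, {"lat": 48.85}))    # {'lat': 48.85}
    print(gate.audit)
```

The `audit` list is the part a reviewer or DPO actually wants: it records that collection began only after an affirmative event, which is what you would need to demonstrate if Google or a regulator asks how consent was obtained.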
💡 It’s worth noting that it seems that Google considers any data collection activity that isn’t made obvious from your app page or from within your interface to be covered by this prominent disclosure policy.
👉 Furthermore, under regulations like the GDPR, you are legally required to obtain informed, explicit consent before processing any personal data of users where that processing falls outside what is required for the functioning of your service.
With this in mind, you have 2 options when it comes to dealing with this kind of data processing. You can either:
Google has introduced a few policy updates in order to make the Play Store more child-friendly. If an app is likely to be used by kids, developers are subject to additional safety requirements which came into force on September 1, 2019.
Apps on Google Play are categorized, and policies applied, according to the following target audience groups: children, children and older users, older users. Google states that they will verify that the target audience selected is in fact correct.
All apps whose target audience is primarily children must follow the Families policy and the Designed for Families program requirements.
💡 We have a great recap on app privacy requirements for kids. Read it here!
Apps that solely target children must not contain any APIs or SDKs that are not approved for use in child-directed services.
Apps that target both children and older audiences should not implement APIs or SDKs that are not approved for use in child-directed services unless they are used behind a neutral age screen or implemented in a way that does not result in the collection of data from children.
“A neutral age screen is a mechanism to verify a user’s age in a way that doesn’t encourage them to falsify their age and gain access to areas of your app that aren’t designed for children, for example an age gate. An example of this would be a system that asks users to freely enter their month, day, and year of birth. An incorrect setup of a neutral age screen would be presetting the birth date to the required age (e.g., 13 years old) or indicating that a certain age is required to access areas of the app.”
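To make the neutral age screen concrete, here is an added Python example (written for this guide, not code from Google or iubenda) that models the two things the quoted definition cares about: the screen must preset nothing and must not hint at the required age, and the age is computed from a freely entered birth date. The `AgeScreenConfig` class and the 13-year threshold are assumptions for illustration; the date arithmetic handles the usual edge cases (birthday not yet reached this year, 29 February, invalid or future dates).

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

REQUIRED_AGE = 13   # threshold used in the article's example (assumption for illustration)


@dataclass(frozen=True)
class AgeScreenConfig:
    """Hypothetical description of how the date-of-birth screen is configured."""
    default_year: Optional[int] = None
    default_month: Optional[int] = None
    default_day: Optional[int] = None
    prompt: str = "Please enter your date of birth."


def is_neutral(config: AgeScreenConfig) -> bool:
    """A neutral screen presets no part of the date and does not reveal the required age."""
    if any(v is not None for v in (config.default_year, config.default_month, config.default_day)):
        return False          # preset birth date steers the user past the gate
    if str(REQUIRED_AGE) in config.prompt:
        return False          # "you must be 13" tells the user what to enter
    return True


def age_on(birth: date, today: date) -> int:
    """Completed years between birth and today, not counting a birthday still ahead this year."""
    years = today.year - birth.year
    if (today.month, today.day) < (birth.month, birth.day):
        years -= 1
    return years


def classify(year: int, month: int, day: int, today: date) -> Optional[str]:
    """Return 'child' or 'adult' for a freely entered birth date, or None if the date is invalid."""
    try:
        birth = date(year, month, day)
    except ValueError:
        return None           # e.g. 30 February: ask again rather than guess
    if birth > today:
        return None           # future dates are not a valid answer either
    return "child" if age_on(birth, today) < REQUIRED_AGE else "adult"


def sdks_to_load(classification: str, sdks: dict) -> list:
    """Only SDKs approved for child-directed use are loaded behind a 'child' answer.

    `sdks` maps an SDK name to whether it is approved for child-directed services
    (constructed sample data; approval status comes from Google's program, not from here).
    """
    return [name for name, approved in sdks.items() if approved or classification == "adult"]


if __name__ == "__main__":
    good = AgeScreenConfig()
    bad = AgeScreenConfig(default_year=date.today().year - REQUIRED_AGE,
                          prompt="You must be 13 to continue. Enter your date of birth.")
    print(is_neutral(good), is_neutral(bad))                    # True False
    today = date(2025, 2, 28)                                   # fixed date for a reproducible run
    print(classify(2012, 2, 29, today))                         # child: 13th birthday not reached
    print(sdks_to_load("child", {"kids_ads": True, "tracker": False}))   # ['kids_ads']
```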
Google also wants developers to ensure that their apps don’t inadvertently attract children (for example with youthful animations or young characters in the graphic assets) if their content is actually designed for adults. More info on how to display the “Not designed for children” label in the store listing can be found here.
In general, you’ll likely need to set Terms and Conditions if you have an app that participates in some form of commerce (whether selling to users directly or facilitating trading). Additionally, some specific instances where they might be needed are where you:
👋 Learn more on how to write Terms and Conditions for your app.
iubenda makes solving this issue easy: with hundreds of available clauses, our privacy policies contain all elements commonly required across many regions and services, while applying the strictest standards by default – giving you the option to fully customize as needed.
🚀 Our policies are created by lawyers, monitored by our lawyers and hosted on our servers to ensure that they are always up-to-date with the latest legal changes and third-party requirements.
The process is straightforward and intuitive, simply:
🎉 Congratulations! Your policy has been created. Simply check that all the details are correct, then embed.
Whichever embed method you choose, remember that you’re required to choose a location that is easily accessible and visible to users.