Android apps must provide privacy information by April 2022


Google today announced more details about its upcoming Google Play ‘Safety section’ feature, which gives users information about the data an Android app collects and uses.

In May, Google pre-announced upcoming changes to the Google Play Store requiring app developers to share what info their apps collect, how collected data is used, and what privacy/security features the apps utilize.

This information will appear in a new ‘Safety section’ for each app on Google Play starting in the first quarter of 2022, allowing users to see the types of data collected by the app, its privacy policy, and security features before they install it.

Google Play safety section for an Android app
Source: Google

Some of the information users will see for an app includes what data is collected, what data is shared with third parties, and whether the app uses data encryption, follows Google’s Families policies, or has been independently audited against global security standards.

Today, Google also announced additional policy changes that require all app developers to include a privacy policy and to disclose data used by an app’s third-party libraries or SDKs.

In addition, Google provided developers with an updated timeline for when they can begin submitting this information, when users can start to see the Safety section, and the deadline for developers to provide the information.

Timeline for developers
Source: Google

Starting in October 2021, the “App privacy & security” section will become available on an app’s content page on Play Console. Developers can then begin to complete the questionnaire to provide information about the data collected, security features used, and the app’s privacy policy.

In early 2022, Google Play users will begin to see an app’s “App privacy & security” section, including all of the data provided by the app developer. For this section to appear, the developer must have provided a privacy policy for the app.

Finally, in April 2022, all apps will be required to have a completed “App privacy & security” section, including a privacy policy. If there are unresolved issues with this section, Google Play will reject all app updates until it is complete.

Features and data usage that must be disclosed

Google’s Help Center has provided developers with a list of features, accessed data types, and purposes for using the data that will need to be disclosed as part of this process.

Some of the questions that developers must answer about their app’s features and security practices include:

  • Encryption in transit: Is data collected or shared by your app encrypted in transit? You’ll have the opportunity to disclose this on your label.

  • Deletion mechanism: Do you provide a way for users to request deletion of their data? You’ll have the opportunity to disclose this on your label.

  • Families policy: Do your app’s data collection practices comply with Google Play’s Families Policy?

  • Independent security review: Are you interested in taking your app through an external security review based on a global standard? You’ll have the opportunity to have this displayed on your label.

  • How it’s collected: Is data collection optional or required to use the app?

Some of the data types that app developers must disclose if their apps collect or share them are listed below:

  • Location data like user approximate or precise location

  • Personal information like user name, phone number and email address

  • Financial info like user credit card number and bank account number

  • Health and fitness information

  • Photos or videos

  • Audio files like sound recordings and music files

  • Storage like files and docs

  • Emails or texts

  • Calendar information

  • Contacts information

  • Installed apps on user device

  • Actions in apps like page views

  • App performance like crash logs and performance diagnostics

  • Identifiers like device id

Finally, developers will need to disclose the purposes for which they use the above data, such as:

  • app functionality required for the app to work; 

  • developer communications like reminders, notifications, promotions, and similar communications;

  • analytics about how users use the app and how it performs; 

  • fraud prevention and security; or 

  • personalization of things like content and recommendations.

Google says they will be providing a complete list of purposes in the future.
