February 2, 2023

Volume XIII, Number 33


February 02, 2023

Subscribe to Latest Legal News and Analysis

February 01, 2023

Subscribe to Latest Legal News and Analysis

January 31, 2023

Subscribe to Latest Legal News and Analysis

January 30, 2023

Subscribe to Latest Legal News and Analysis

Google to Require Apps to Display “Data Safety” Information by July 20, 2022

Google announced it will be rolling out a “Data Safety” section for apps listed on its app marketplace, Google Play, similar to Apple’s Privacy Nutrition Labels. The Data Safety section will provide consumers with a summary of an app’s privacy and security practices, including but not limited to what user data an app “collects” or “shares”. App developers (“Developers”) must complete the Data Safety form by July 20, 2022. Notably, Google has not implemented a tracking opt-in, like Apple Tracking Transparency, in association with the Data Safety initiative. As your app’s Data Safety disclosure will serve as a de facto additional privacy notice of your organization, development and product teams should consult with the legal/privacy counsel as they populate the information. Below, we provide high-level instructions on populating the Data Safety Form (“Form”) and additional Google privacy requirements. If you are interested in further information on this topic, we have detailed guidance on Google Data Safety, as well as Apple’s Privacy Nutrition Labels and App Tracking Transparency requirements, including detailed instructions on how to complete the forms (with screenshots), available for a fixed fee.  

Timeline for Compliance

Apps published on Google Play must display a Data Safety section by July 20, 2022.

Google’s guidance states that an app (including updates) will not be published on Google Play if the Developer does not provide the required information or if the Developer fails to address issues identified by Google. Google has advised that it may take anywhere from 1-2 weeks for Data Safety updates to reflect on an app’s Google Play listing, and maybe more if issues are identified during the review process. Therefore, Developers should plan the timing of their Form submissions accordingly.

How to Add Data Safety Section

To populate the information into the Data Safety section, the Developer must submit a Form through Play Console, Google’s Developer portal. Google will use the Developer’s responses to the Form to evaluate an app’s compliance with Google’s privacy-related requirements.

At a high level, Developers must declare the following categories of information in the Form:

  • What data types are “collected” by the app, including app data transferred off device, but excluding certain types of collection activities. The enumerated data types include, but are not limited to, location information, personal information, financial information, health and fitness information, device and other IDs. “Collect,” as defined by Google in its guidance, includes, among others, data transferred off device (1) that is pseudonymous data; or (2) through libraries and/or SDKs whether by the Developer or its third party partner. “Collect” excludes (1) user data accessed by the app not sent off the user’s device; or (2) user data treated with end-to-end encryption so that it is unreadable to anyone other than the sender and recipient.

  • The purposes for using and processing the data collected, on a data type-by-data type basis. The purposes are enumerated and include: app functionality, analytics, developer communications, advertising or marketing, fraud prevention, personalization, and account management.

  • How the app “shares” user data collected by the app, on a data type-by-data type basis. For example, “sharing” includes off-device server-to-server transfers, on-device transfer to another app, transfers from the app directly to third parties (g., via SDKs embedded in-app), or transferring app data to a third-party web view. It excludes, for example, app data transfers to service providers performing services on behalf of the Developer.

  • Information on any other privacy and security practices (g., whether app encrypts data in transit, or if app has a way for users to request deletion of their data).

Although Google’s Data Safety section shares similarities with what must be disclosed in Apple’s App Privacy section (also commonly referred to as Apple’s “Privacy Nutrition Labels”), the information required by both are not identical. In addition, Apple requires Developers to complete a separate form than what is required by Google. Therefore, Developers must assess their app disclosures separately and submit different forms, depending on whether they are publishing on Google Play or the Apple App Store.

Other Privacy-Related Legal Requirements for Google Play Apps

In addition to the required disclosures for the Data Safety section discussed above, Google also has numerous other privacy-specific requirements for Developers that publish apps on Google Play, including but not limited to the following:

  • The app must be transparent regarding how it handles user data and disclose information pertaining to how the app accesses, collects, uses, and shares user data.

  • The app must limit its use of the data it collects to the purposes disclosed to the user.

  • The app must comply with Google’s restrictions on how an app may access personal and sensitive data (g., no publishing or disclosure of personal or sensitive user data related to financial or payment activities or any government identification numbers).

  • If the app has third-party code (g., SDKs), the Developer must ensure that the third-party code in the app is also compliant with the Google Developer Program policies.

  • Developers must post a link to the applicable Privacy Policy in-app and also in the app listing on Google Play. All apps must post a valid Privacy Policy starting July 20, 2022.

  • The in-app disclosure (such as through a Privacy Notice) must inform users of how the app accesses, collects, uses, and shares personal and sensitive data. This in-app disclosure cannot be bundled with other in-app disclosures that are unrelated to personal and sensitive data. For example, this disclosure must appear separate from the app’s Terms of Use.

  • The app must comply with both Google Play requirements and all applicable privacy and data protection laws.

Key Takeaways

If your business has an app that is available on Google Play, you must consider Google’s privacy-related requirements discussed above, namely completion of the Data Safety section by July 20, 2022, and including a link to your Privacy Policy on the Google Play app listing and in-app. Of course, you should also consider legal requirements as part of your app product counseling, including the coming onslaught of 2023 state privacy laws.

© Copyright 2023 Squire Patton Boggs (US) LLPNational Law Review, Volume XII, Number 132

About this Author

Alan L. Friel Data Privacy & Cybersecurity Attorney Squire Patton Boggs Los Angeles, CA

Alan Friel is the deputy chair of the firm’s Data Privacy & Cybersecurity Practice.

Alan is a thought leader in digital media, intellectual property, and privacy and consumer protection law, with three decades of relevant experience to address the intersection of law and technology.

Prior to joining the firm, Alan was a partner at a US law firm, where he led the US Consumer Privacy practice (in which he counseled clients on compliance with the California Consumer Privacy Act (CCPA) and other data privacy regimes), and the retail, restaurant and e-commerce industry...

Kyle R. Fath Cybersecurity Attorney Squire Patton Boggs New York Los Angeles
Of Counsel

Kyle Fath is counsel in the Data Privacy & Cybersecurity Practice. He offers clients a unique blend of deep experience in counselling companies through compliance with data privacy laws, drafting and negotiating technology agreements, and advising on the privacy, IT, and IP implications of mergers & acquisitions and other corporate transactions. His practice has a particular focus on the the ingestion and sharing of data by way of strategic data transactions, data brokers, and vendor relationships, the implications of digital advertising (as companies look toward...

Gicel Tomimbang Los Angeles California Associate Attorney Data Privacy Cybersecurity Squire Patton Boggs LLP

Gicel Tomimbang is an associate in the Data Privacy, Cybersecurity & Digital Assets Practice.

A significant portion of Gicel’s practice focuses on the intersection of healthcare with privacy. Clients frequently turn to her for advice and counsel on complex issues that arise under the Health Insurance Portability and Accountability Act (HIPAA), the Confidentiality of Medical Information Act (CMIA), the California Consumer Privacy Act (CCPA), the FTC Act and the FTC Health Breach Notification Rule.

Gicel previously...