October 17, 2021

Volume XI, Number 290


Heads Up, App Developers: Google Is Getting Serious About Privacy and Data Security in Apps

On March 15, 2017, Google began removing apps from Google Play, its online marketplace where apps and other digital media are offered for download and use on the Android platform, for failing to comply with Google’s User Data Policy. Google began contacting app developers in February to announce that it planned to begin such removals in March. Through these actions, Google joins state and federal regulators in their concerted and continued efforts to protect consumer privacy. Are your apps at risk of being removed from Google Play?

Google’s User Data Policy requires two things for apps offered through Google Play that collect personally-identifiable information, financial or payment information, authentication information, phonebook or contact data, microphone data, or camera sensor data, all of which Google considers “personal or sensitive user data”: (1) a privacy policy, and (2) secure handling of user information.

Privacy Policy

Apps offered through Google Play must have a compliant privacy policy prominently posted in two places: (1) in the Google Play store listing for the app, and (2) within the app itself. Merely posting a privacy policy is not enough, however – Google will now require app developers to disclose certain information in their privacy policies. In order to avoid the risk of having your app removed by Google from Google Play due to noncompliance with the User Data Policy, consider the following:

  • In your privacy policy, are you transparent and clear about how user data is handled? Does your privacy policy clearly address, in particular:

    • What types of data are collected or stored, such as personally identifiable information, financial or payment information, contact data, sensor data, device information, log information, or location (including geolocation) information?

    • How data is collected through your app, such as through active user input, or passively?

    • Ways in which you use user data, such as for developing improvements to your app, communicating with your app users, or other reasons?

    • How you share user data, describing the types of third parties with whom it’s shared, such as advertisers and marketers?

    • What your app users’ options are for updating or changing preferences for data collection (i.e., what are the app’s privacy settings)?

  • Does your app collect and transmit personal or sensitive user data that is unrelated to the app’s functionality per its description in the app’s Google Play listing or within the app itself? If so, then in accordance with Google’s new “prominent disclosure” requirement, you must, prior to collection and transmission, (1) conspicuously highlight to your app’s users precisely how their data will be used by you, and (2) obtain such users’ affirmative consent to use that data in the manner described.

To opt out of Google’s requirements, app developers can remove from their app’s functionality any and all requests (both active and passive) for personal or sensitive information.

Secure Handling

Apps offered through Google Play also must handle (i.e., collect, store and transmit) “personal or sensitive” user information in a secure manner. This includes transmitting it using modern cryptography (for example, over HTTPS). Apple recently rolled out a similar secure transmission requirement: on January 1, 2017, Apple began requiring developers of apps offered through Apple’s App Store to enable “App Transport Security,” which forces applicable apps to connect to web services using HTTPS, rather than the unsecure HTTP standard.

Google’s announcement and assurances regarding improving protection of user privacy will also benefit developers. Some of the noncompliant legacy or effectively abandoned apps that Google removes from Google Play through enforcement of its User Data Policy may contain security vulnerabilities. By enforcing its User Data Policy, Google can help promote consumer trust in Google Play: Google’s app removal effort will allow app users to better find apps with up-to-date security protections, and app developers can more easily reach their audience. Google’s latest announcement is just one of many reasons for app developers to be sure to monitor and update their apps’ security protections, and to reconsider and, if necessary, revise their applicable privacy policies.

Copyright © 2021 Womble Bond Dickinson (US) LLP All Rights Reserved. National Law Review, Volume VII, Number 97

About this Author

Richard Caira, Womble Carlyle Law Firm, Information Technology Attorney

Richard was in-house counsel for a large software company for a number of years, where he negotiated enterprise-wide license and services agreements with Fortune 100 customers in retail, financial, manufacturing and other industries, and where he was also instructive in the refinement of the company’s form agreements and interfacing with R&D functions. Richard returned to private practice at Womble Carlyle Sandridge & Rice and focuses primarily on transactions relating to information technology. Richard currently negotiates and advises wide-ranging clients on...

Taylor Ey, Intellectual property attorney, Womble Carlyle, Law Firm

Taylor is an associate in the Intellectual Property Practice Group in Womble Carlyle’s Research Triangle Park Office.


J.D. | 2016 | Wake Forest University School of Law | cum laude | Notes and Comments Editor, Wake Forest Law Review, 2015-2016 | Teaching Assistant, Legal Analysis, Writing and Research I & II, Writing for Judicial Chambers

M.S. | 2012 | The Ohio State University | Biomedical Engineering

B.S. | 2011 | The Ohio State University | Biomedical Engineering | Minor, Life Sciences | cum laude