In July and October 2021, we announced additional details for the Data safety section on Google
Play following our initial blog post in May 2021. Developers are required to tell us about their apps' privacy and security practices by completing a form in Play Console. This information will be shown on your app's store listing to help Google Play users understand how your app collects and shares user data before they download. This article provides
an overview of the new requirements, what you need to do to complete the form, and a timeline of upcoming events. COLLAPSE ALL EXPAND ALL The Data safety section on Google
Play is a simple way for you to help people understand what user data your app collects or shares, as well as showcase your app’s key privacy and security practices. This information helps users make more informed choices when deciding which apps to install. By July 20, 2022, all developers must declare how they collect and handle user data for the apps they publish on Google Play, and provide details about how they protect this data through security practices like encryption. This
includes data collected and handled through any third-party libraries or SDKs used in their apps. You may want to refer to your SDK providers’ published Data safety information for details. Check Google Play SDK Index to see if your provider has provided a link to their guidance. You can provide this information through a form in the new Data safety section on the App content page (Policy > App content) in Play Console. After you complete and submit the Data safety form, the information you provide will be reviewed by Google as part of the app review process. It will be shown on your store listing to help Google Play users understand how you collect and share data before they download your app. You
alone are responsible for making complete and accurate declarations in your app’s store listing on Google Play. Google Play reviews apps across all policy requirements; however we cannot make determinations on behalf of the developers of how they handle user data. Only you possess all the information required to complete the Data safety form. When Google becomes aware of a discrepancy between your app behavior and your declaration, we may take appropriate action, including enforcement
action. You can expand the section below to see how your store listing will look to Google Play users. What users will see if your app shares user data Note: Images are examples and subject to change What users will see if your app doesn't collect or share any user data Users will see the following information if your app doesn't collect or share any user data with other companies or organizations: Users will see the following information if your app doesn't share any user data with other companies or organizations: Note: Images are examples and subject to change Which developers need to complete the Data safety form in Play Console?All developers that have an app published on Google Play must complete the Data safety form, including apps on closed, open, or production testing tracks. Effective October 24th, 2022, tracks that are active on internal testing tracks are exempt from inclusion in the data safety section. Apps that are exclusively active on this track do not need to complete the declaration. Exceptions provided in the interim. If your app includes artifacts active on any other track, you must still submit a declaration form. Even developers with apps that do not collect any user data are required to complete this form and provide a link to their privacy policy. In this case, the completed form and privacy policy can indicate that no user data is collected or shared. Getting your information readyTo prepare for these changes, we recommend that you:
You can expand the section below to see the planned timeline for the Data safety form roll-out in Play Console. Timeline information We anticipate the following timeline for the Data safety form roll-out in Play Console. Note that this timeline is subject to change; updates will be posted in this article.
Watch the Data safety form walkthrough video What developers need to disclose in the Data safety formThis section explains what information you need to disclose in the Data safety form in Play Console, and lists the user data types and purposes you can select. What developers need to declare across data typesClick on the sections below to expand or collapse them. Data collection “Collect” means transmitting data from your app off a user’s device. Please note the following guidelines:
Not in scope for data collection
Data sharing “Sharing” refers to transferring user data collected from your app to a third party. This includes user data transferred:
The following types of data transfers do not need to be disclosed as “sharing”:
First and third parties.
Data handling You can also disclose whether each data type collected by your app is “optional” or “required.” “Optional” includes the ability to opt into or opt out of data collection. For example, you can declare a data type as “optional” where a user has control over its collection and can use the app without providing it; or where a user chooses whether to manually provide that data type. If your app’s primary functionality requires the data type, you should declare that data as “required.” You can declare that your app collects certain data optionally only if all users – regardless of device or region – can either optionally provide information, opt-out, or opt-in to have the data collected. Examples of optional data collection include:
Other app and data disclosures The Data safety section is also an opportunity for you to showcase your app’s privacy and security practices to your users. For example, you can highlight the following information:
Committed to follow the Families policy (available March 2022 to applicable apps) Apps that have children as a target audience or have chosen to opt into Google Play’s Designed for Families program must follow Google Play's Families policy requirements. If your app falls in this category and you’ve reviewed its compliance with the Families policy requirements, you can choose to display a badge on your Data safety section stating that you have “Committed to follow the Play Families Policy.” To display the badge, go to the "Security practices" section of your Data safety form and click Go to Target audience and content to opt-in Independent security review (available to all apps) You may choose to declare in your Data safety form that your app has been independently validated against a global security standard. This is an optional review undertaken and paid for by developers. Through MASA (Mobile Application Security Assessment) developers can work directly with a Google Authorized Lab to have their apps evaluated against OWASP’s MASVS (Mobile Application Security Verification Standard). The third-party organizations performing the reviews are doing so on the developer’s behalf. If you're interested in participating, you can contact a Google Authorized Lab directly to initiate the testing process. Once the lab has verified your app satisfies all security requirements, you can choose to display a badge on your Data safety section stating that you have completed the “Independent Security Review.” Authorized Labs have a dedicated practice area around mobile app security and provide comprehensive security testing capabilities and experience. These labs also comply with ISO 17025 or an equivalent industry-recognized standard. If you meet this criteria and are interested in becoming a lab partner, please complete and submit this form with your company details. Important: This independent review may not be scoped to verify the accuracy and completeness of your Data safety declarations. Even if you use third-party tools to diagnose your app’s security controls, you remain solely responsible for making complete and accurate declarations in your app’s store listing on Google Play. Data types and purposesClick on the sections below to expand or collapse them. Data types Developers will be asked to provide collection, sharing, and other practices for a range of user data types, as well as the purposes for which you use that data.
Purposes
Completing the Data safety form in Play ConsoleYou can tell us about your app’s privacy and security practices in the Data safety form on the App content page in Play Console. OverviewFirst, you'll be asked whether your app collects or shares certain types of user data. This is where you let us know whether your app collects or shares any of the required user data types. If it does, you'll be asked some questions about your privacy and security practices. If you're unsure about any of these questions, you can save your form as a draft at any time and return to it later. Next, you'll answer some questions about each type of user data. If your app does collect or share any of the required user data types, you'll be asked to select them. For each type of data, you'll be asked questions about how the data is used and handled. Before you submit, you'll see a preview of what will be shown to users on your store listing. After you submit, the information you provided will be reviewed by Google as part of the app review process. Google’s review process is not designed to verify the accuracy and completeness of your data safety declarations. While we may detect certain discrepancies in your declarations and we will be taking appropriate enforcement measures when we do, only you possess all the information required to complete the Data safety form. You alone are responsible for making complete and accurate declarations in your app’s store listing on Google Play. Complete and submit your formWhen you're ready to start, here's how you complete and submit your Data safety form in Play Console:
If you're ready to submit your completed form, select Submit. If you want to go back and change something, you can select Back to amend your answers. If you're not sure about something, you can select Save as draft and return to the form later. If you select Discard changes, you'll need to start the form again. Import or export your form responsesYou can export your form responses to a CSV file. You can also download a sample CSV, complete the form offline, and import your completed form from the CSV. Click click here to download a sample CSV. Understand the CSV format The CSV contains one row per response. Responses for multiple choice and single choice questions span multiple rows, matching the number of available choices. To respond to a question, enter TRUE or FALSE in the corresponding cell in the "Response value" column, or you can leave the cell blank if the question is optional or you're responding to a multiple choice question. The column "Answer requirement" indicates whether or not a response is mandatory, and can contain the following values:
The table below provides an example for the “Name” and “Approximate location” sections of the Data safety form. It contains:
Export to a CSV file
Import from a CSV file Important: Answers already entered into your form will be overwritten when you import a CSV.
After you submit your Data safety formAfter you submit, the information you provided will be reviewed by Google as part of the app review process. Until July 20, 2022, you can temporarily proceed to publish app updates regardless of whether we find issues with the information you've disclosed. If there are no issues, your app will be approved and you won't need to do anything. If there are issues, you will need to revert your Data safety form's status to "Draft" in Play Console to publish your app update. We will also send the developer account owner an email, an Inbox message in Play Console, and show this information on the Policy status (Policy > Policy status) page. After July 20, 2022, all apps will be required to have completed an accurate Data safety form that discloses their data collection and sharing practices (including apps that do not collect any user data). Optional format for SDKsIf you're an SDK provider, you can click on the section below to view an optional format you can use to publish guidance for your users. Developers will need to disclose their app's data collection, sharing, and security practices as part of Google Play’s new Data safety section. To assist developers in helping build user data and security transparency, the guidance below can be used to publish SDK guidance for developers incorporating your SDK into their apps. Google Play is publishing this optional structure for SDK developers to use at your convenience, but you may use any format or none based on the needs of your users. Optional format for SDKs
Frequently asked questionsCOLLAPSE ALL EXPAND ALL App submission and reviewWhat if I need additional time to comply with the new requirements? We opened Play Console in October for Data safety form submissions and will provide a grace period until July 20, 2022, which should be ample lead time. At this point, we have no plans to grant extensions. Can an app be blocked by Google Play due to the information submitted by a developer as part of this feature? In short, yes after July 20, 2022. Developers should provide accurate information that reflects their app’s data collection and handling practices. They are accountable for the information they provide. Google Play reviews apps across all policy requirements; however we cannot make determinations on behalf of the developers of how they handle user data. Only you possess all the information required to complete the Data safety form. If we find that a developer has misrepresented the data they’ve provided and is in violation of the policy, we will require the developer to fix it. Apps that don’t become compliant are subject to policy enforcement, like blocked updates or removal from Google Play. Will this new feature impact app review times? Until July 20, 2022, during the optional period, app review times will not be impacted and developers can continue updating existing apps with ongoing releases. After the optional period ends, developers' new app submissions and app updates will be rejected if they do not provide information that’s compliant with the policy, but developers may still publish app updates or new apps without a compliant Data safety section until July 20, 2022. How long does it take for Data safety updates made through Play Console to show on Google Play? After you submit a new app or an update to an existing app on your Play Console, it can take some time for your app to be processed for standard publishing on Google Play. Certain apps may be subject to expanded reviews, which may result in review times of up to 7 days or longer in exceptional cases. What can I do to troubleshoot if I’m not seeing my Data safety section published? App updates and new submissions must comply with Google Play's Developer Program Policy. You can go to the Publishing overview page in Play Console to check if your app submission is still pending review. If your latest update is ready, and you are still not seeing the Data safety section form on Google Play, you can check if managed publishing is turned on in Play Console. If managed publishing is turned on, your release won't be made available until you publish it. You can roll out the release from the Publishing overview page. The approved submission will then be published and available on Google Play shortly afterwards. If you updated the Data safety section content, but are not seeing the latest on Google Play, try refreshing the app page. Note that, due to device connectivity and varying server load, it may take several days (in some cases up to 7 days) for app updates to reach all devices. We kindly request your patience while Google Play registers and delivers your app update. I just submitted similar information for iOS. How much of that work can I re-use for the Data safety form? It’s great that you have a good handle on your app’s data practices. The Data safety form will ask for additional and different information that you may not have used previously, so we want you to expect that this will still take effort for your team. The taxonomy and framework of the Data safety section on Google Play may differ materially from those used in other app stores. How will you make sure developers share accurate information? We’ve seen that this information is not always accurate in the industry. Similar to a privacy policy, or app details like screenshots and descriptions, developers are responsible for the information disclosed in their Data safety section. Google Play’s User Data policy requires developers to provide accurate information. If we find that a developer has misrepresented the data they’ve provided and is in violation of the policy, we will require the developer to fix it. Apps that don’t become compliant will be subject to policy enforcement. Is Google going to regulate if the collected data by the developer is ultimately appropriate? Google Play users should feel confident that their data is safe. We continuously launch new features and policies to protect user privacy and keep Google Play a trusted place for everyone. Some of Google Play’s new features and policies have enhanced user controls and transparency. Others help ensure that developers only access personal data when it’s needed for the primary use of the app. Existing Google Play Developer Program policies like these contain a number of requirements around data transparency and control. Apps that don’t comply with Google Play Developer Program policies are subject to policy enforcement. How often does my Data safety section need to be updated? You should update your Data safety section when there are relevant changes to the data practices of the app. Your Data safety form responses must remain accurate and complete at all times. Will the launch of the Data safety section on Google Play impact app downloads? The Data safety section can help people make the right decision for themselves about which apps to download. It also helps developers build trust and get more engaged users who feel confident that their data will be treated responsibly. Developers have shared that they want clearer ways to communicate with their users about their data practices. Completing the Data safety formWhat if my app behaves differently in different supported Android versions? Google Play will have one global Data safety form and Data safety section in the Google Play store listing per package name that is agnostic to usage, app version, region, and user age. In other words, if any of the collection, uses, or linkages are present in any version of the app presently distributed on Google Play, anywhere in the world, you must indicate such on the form. Therefore, your Data safety section will describe the sum of your app’s data collection and sharing across all its versions currently distributed on Google Play. You can use the “About this app” section to share version-specific information with your users. How can I show that we may have different practices in different regions? For example, we don’t use certain libraries in Europe, but we may use them in others. At this time, we reflect the global representation of your data practices per app. Your Data safety section will describe the sum of your app’s data collection and sharing across all its versions currently distributed on Google Play. You can use the “About this app” section to share version-specific information with your users. The Data safety section will include a clarification for Google Play users that an app’s data collection and security practices may vary based on a number of factors such as the region. Are the Data safety sections gated by a consent mechanism for users? Do we need to take any extra steps and create an in-app prominent disclosure? No, the Data safety section is only presented on your app's store listing on Google Play; there is no new disclosure in the user app install process, and there is no new user consent related to this feature. Developers that collect personal and sensitive user data must implement in-app disclosures and consent where required by the existing Google Play User Data policy. How should I mark required or optional collection when different versions of my app that show a Data safety section do different things? Your Data safety section will describe the sum of your app’s data collection and sharing across all its versions currently distributed on Google Play. If any version of your app requires the collection of certain data, you must declare its collection as required for the Data safety section. You should not describe collection as optional if it is required for any of your app’s users. You can use the “About this app” section to share version-specific information with your users. Do I need to declare data if my app includes a permission but does not actually collect or share the data? You do not need to declare collection or sharing unless data is actually collected and/or shared. Your app must comply with all Google Play Developer Program policies, including our policy for Permissions and APIs that Access Sensitive Information. If one data type is collected as part of another, should I declare both? For example, if I collected Contacts which includes the user's email, do I declare both the "Contacts" and "Email address" data types? If you are purposefully collecting a data type during the collection of another data type, you should disclose both. For example, if you collect user photos and use them to determine users’ characteristics (such as ethnicity or race) you should also disclose the collection of ethnicity and race. Am I required to provide a deletion mechanism? Must it be for any and all user data? The Data safety section provides a surface for developers to share if they provide a mechanism to receive data deletion requests from users. As part of completing the Data safety form, developers are required to indicate if you provide such a mechanism. Is there a specific type of mechanism that I must provide to indicate my app supports user data deletion requests? There is no prescribed mechanism, however as best practice the request mechanism should be easily discoverable and accessible by users. Common examples of mechanisms that clearly indicate a path by which users can request data deletion may include but are not limited to: in-app features, contact forms, or a dedicated email alias. How should I indicate in my Data safety form that I provide a request for deletion mechanism for data that is automatically deleted or anonymized? Developers may select the deletion request mechanism badge in Data safety form if they:
Developers may select the deletion request mechanism badge even if they need to retain certain data for legitimate reasons such as legal compliance or abuse prevention. What if the deletion mechanism I provide is not available globally to all users – can I still indicate I provide a deletion request mechanism? Google Play provides one global Data safety form and Data safety section in the Google Play store listing per package name that should cover data practices based on any usage, app version, region, and user age. In other words, if any of the data practices are present in any version of the app presently distributed on Google Play, anywhere in the world, you must indicate these practices on the form. Therefore, your Data safety section will describe the sum of your app’s data collection and sharing across all its versions currently distributed on Google Play. What kinds of techniques can be used to make data anonymous? There are a variety of potential methods to anonymize data such that it cannot be associated with an individual user. You should consult with your privacy and security experts to identify the methods applicable to your use case. As an example, this page discusses some of the data anonymization methods used by Google, such as differential privacy. How should I treat the collection and use of IP addresses? As with other data types, developers should disclose their collection, use and sharing of IP addresses based on their particular usage and practices. For example, where developers use IP addresses as a means to determine location, then that data type should be declared. How should I disclose the collection and sharing of other kinds of identifiers? As with other data types, you should disclose your collection, use and sharing of different kinds of identifiers based on your particular usage and practices. For example, the collection of an account name associated with an identifiable person should be declared as a “Personal identifier,” and the collection of a user’s Android Advertising ID should be declared as “Device or other identifiers.” As another example, an identifier related to a specific in-app event, but that does not reasonably relate to an individual device, browser or app, would not need to be disclosed as “Device or other identifiers.” As noted above, the collection of data pseudonymously should be disclosed on your survey under the relevant data type. For example, if you collect diagnostic information with a device identifier, you should still disclose the collection of “Diagnostics” in your Data safety form. What kinds of activities can “service providers” perform? A service provider may only process user data on your behalf. For example, an analytics provider that processes user data from your app solely on your behalf, or a cloud provider hosting user data from your app for your use, will typically qualify as “service providers.” On the other hand, if an SDK provider is building advertising profiles across multiple customers based on your app data, that would not be considered “service provider” activity for purposes of the Data safety section, and would need to be disclosed as "sharing" in your Data safety form. My app uses an external payment service to enable financial transactions. Does my app need to disclose financial information like credit card info in its Safety section? It depends on the nature of your integration with the payment service. If your app uses a payment service such as PayPal, Google Pay, Google Play's billing system, or similar services to complete payment transactions, you don’t need to declare collection of the data that the payment service collects in connection with its processing of financial transactions, such as a credit card number, if the following conditions are met:
You should review your integration with the payment service closely to ensure that your app’s Data safety section declares any relevant data collection and sharing that does not meet these conditions. You should also consider whether your app collects other financial information, like purchase history, and whether your app receives any relevant data from the payments service, for example for risk and anti-fraud purposes. My app enables users to upload their data directly to Google Drive or Dropbox for backup or storage. My app does not access any of this data. Should that still be disclosed as “collection”? It depends on the particular implementation. If the user chooses to upload their data directly to their own external drive or cloud storage account (such as Google Drive, Dropbox, or similar services) and this upload is governed by the external drive or cloud storage provider's terms of service and privacy policy, and your app never collects or accesses the data in question, then your app does not need to declare the collection of this data. How should I encrypt data in transit? You should follow best industry standards to safely encrypt your app’s data in transit. Common encryption protocols include TLS (Transport Layer Security) and HTTPS. My app lets the user create an account or add information to their account, for example, birthday or gender. How should I declare the data that the user adds to their account? You should declare the collection of this data for account management, denoting (if applicable) where collection is optional for the user. In addition, as with any data types collected by your app, you should disclose this data for the purpose(s) for which your app uses it. For example, if your app allows a user to add a birthday to their account and also uses that data to send timely push notifications, your app should also declare this purpose in addition to account management. Account management can be used to cover general uses of account data that are not specific to the particular app. For example, if you use account information for fraud prevention, advertising, marketing, or developer communications across your services, and this use is not specific to your app, or activities in your app, declaring “account management” as the purpose of collecting this account data will be sufficient to cover those general uses in your Data safety section. However, your app must always declare all purposes for which the app itself uses the data. As a best practice, we recommend disclosing how your app handles user data for account services as part of your account-level documentation and sign-up process. What are System services? System services are pre-installed software that support core system functionality. System services can apply for an exemption from completing the Data safety form. My app’s Data safety section submission was approved but I recently received a notification regarding an update. How do I check the current status of my submission and is that not permanent? You can check the status of your submission on the App content page (Policy > App content) in Play Console. If your submission is compliant, you will see a green check mark in the “Data safety” section. Note: Our policies are enforced through systems and processes that are continuously improved over time. Additionally, changes and updates to our policies can result in apps which were approved earlier to be enforced upon at a later time following initial submission due to non-compliance. Google Play will notify developers regarding any updates. You can check our User Data policy and this Help Center article to make sure you are aware of the most up to date guidance. How do I declare collection of data that is used in a transient way to load pages and service other client-side requests in real time before that data is logged on our servers and used for other purposes? If this use is ephemeral, you do not need to include it in your form response. However, you must declare any use of that user data beyond the ephemeral processing, including any purposes for which you use the user data that you log. Please review the definition of ephemeral processing in the Data collection section above. What is the difference between the permissions list and the Data safety section of an app? Google gathers information for the permissions list based on the install-time permissions that an app declares in its manifest. The Data safety section shares what data the app collects and shares with third parties. Change logYou can refer to this section to see a revision history for this article, so you can keep track of changes over time. We'll add dated entries here whenever we make significant changes to this article in the future. August 24, 2022 We updated the Which developers need to complete the Data safety form in Play Console? section to reflect that, effective October 24th, 2022, tracks that are active on internal testing tracks are exempt from inclusion in the data safety section. Apps that are exclusively active on this track do not need to complete the declaration. Exceptions provided in the interim. If your app includes artifacts active on any other track, you must still submit a declaration form. July 20, 2022 We updated the Timeline information details in the "Getting your information ready" section to explain that non-compliant new app submissions and app updates will receive warnings that submissions and app updates will be rejected in Play Console if there are unresolved issues with the form. We also updated this section with details of what will happen after this warning period ends on August 22, 2022. In the What developers need to disclose in the Data safety form section, we made the following changes in the Independent security review (now available to all apps) subsection:
We made the following changes to the Frequently asked questions section:
June 28, 2022 April 26, 2022 In the Overview section, we added a line encouraging certain developers to refer to their SDK providers’ published data safety information for details, like Firebase and AdMob. We updated the Timeline information details in the "Getting your information ready" section with a reference to the message users would see on Google Play in the July 2022 entry (previously, this read "No data available," which has been updated to "No info available") In the FAQs section, we made the following changes:
April 8, 2022 On April 8, 2022, we corrected the name of the data type "Photos and videos" (this was previously listed as "Photos or videos"). February 24, 2022 On February 24, 2022, we made a number of changes to this article, which are described below. Timeline information changesWe updated the Timeline information details in the "Getting your information ready" section as follows:
We updated other references to dates in the article to be consistent with the revised dates above. Clarifications regarding what developers need to disclose across data typesIn the "What developers need to disclose in the Data safety form" section, we made the following changes in the "What developers need to disclose across data types" subsection:
Data types and purposes updatesWe made minor naming changes to our data types:
We made clarifications to our data purposes:
Other changesIn the Overview section, we added additional images to show what users will see if your app doesn't share any user data. We added new FAQs including topics relating to account management, user-initiated actions, use of payments platforms, and encryption. We updated the definition for ephemeral processing in the Data collection section and added a new FAQ regarding this topic. December 14, 2021 On December 14, 2021, we updated the data type that was originally named "Sexual orientation and gender identity." This data type is now named "Sexual orientation" and refers to only sexual orientation. We also updated the "Other personal info" data type to include gender identity as an example of other personal information. Other resources
Was this helpful? How can we improve it? Which of these rights from the First Amendment guarantees the right of individuals to become a part of interest groups quizlet?Interest groups are protected by the first amendment: the right to assemble & petition against government. How does the government invite interest group participation? The legislative/ executive branches of government allow the right to petition.
What is the single biggest benefit of interest groups to policymakers?Interest groups facilitate citizen participation in government, organizing individuals to take collective action through voting, fundraising, and disseminating information about their issues to elected officials and the public.
Which of the following is a primary criticism of the practice known as the revolving door quizlet?The revolving door is the practice of former legislators becoming lobbyists and using their inside knowledge of the legislature to benefit their clients. It is a somewhat pejorative term, as some criticize the practice as being underhanded and unfair.
Which of the following features are most important to an interest group that seeks to be influential and effective quizlet?Which of the following features are most important to an interest group that seeks to be influential and effective? promote consumer, environmental, and general public issues.
|