Alongside the General Data Protection Regulation (GDPR), which takes effect in May 2018, Google has announced much tougher privacy disclosure requirements for mobile app owners. Google’s new requirements take effect January 30th, 2018, about four months before the GDPR, which affects both mobile app and website owners.
Google has not clearly defined how it plans to enforce the new requirements for mobile app owners. It is safe to assume, however, that a non-compliant app may see a decline in visibility and downloads, or be removed from the Play Store entirely.
Both Google’s requirements and the GDPR will significantly change the way mobile app and website owners collect and process users’ information. The GDPR is not only strict; it also carries hefty fines and penalties for non-compliance.
Here are some of Google’s new privacy requirements for mobile app owners:
If your app handles personal or sensitive user data (including personally identifiable information, financial and payment information, authentication information, phonebook or contact data, microphone and camera sensor data, and sensitive device data) then your mobile app must:
• Post a privacy notice both in the designated field in the Play Console and within the Play-distributed mobile app itself.
• Handle the user data securely, including transmitting it using modern cryptography (for example, over HTTPS). On Android, the app’s network security configuration can disallow cleartext traffic so that a plain HTTP request fails rather than silently leaking data; Android 9 and later block cleartext traffic by default.
The privacy notice must, together with any in-app disclosures, comprehensively disclose how your mobile app collects, uses and shares user data, including the types of parties with whom it is shared.
Prominent Disclosure Requirement
If your app collects and transmits personal or sensitive user data for a purpose unrelated to the functionality described prominently in the app’s Google Play listing or in the app interface, then, before that collection and transmission begins, the app must prominently disclose how the data will be used and obtain the user’s affirmative consent for that use.
Your in-app disclosure:
• Must be within the mobile app itself, not only in the Play listing or a website;
• Must be displayed in the normal usage of the mobile app and not require the user to navigate into a menu or settings;
• Must describe the type of data being collected;
• Must explain how the data will be used;
• Must name the types of parties with whom the data is shared;
• Cannot only be placed in a privacy notice or terms of service; and
• Cannot be included with other disclosures unrelated to personal or sensitive data collection.
Your app’s request for consent:
• Must present the consent dialog in a clear and unambiguous way;
• Must require affirmative user action (e.g. tap to accept, tick a check-box, a verbal command, etc.) in order to accept;
• Must not begin personal or sensitive data collection prior to obtaining affirmative consent;
• Must not consider navigation away from the disclosure (including tapping away or pressing the back or home button) as consent; and
• Must not use auto-dismissing or expiring messages.
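The disclosure and consent rules above translate into a few concrete UI constraints: the dialog must be shown in the normal flow, must not be dismissable by tapping outside it or pressing back, must not time out, and the collection code must not run until the user has explicitly accepted. The Android (Java) class below is an added illustration of that pattern; it is not code from Google or from the original article. The feature it gates (uploading the user’s contact list for friend suggestions), the class and preference names, and the text shown to the user are all hypothetical.

```java
import android.app.Activity;
import android.app.AlertDialog;
import android.content.Context;
import android.content.SharedPreferences;

/**
 * Hypothetical consent gate for a feature that uploads phonebook data
 * (added example, not Google's or the article's code).
 *
 * The collection callback runs only from the "Allow" button handler, so
 * tapping outside the dialog, pressing back, pressing home or simply
 * waiting can never be interpreted as consent.
 */
public final class ContactsUploadConsent {
    private static final String PREFS = "consent_prefs";           // assumed name
    private static final String KEY_GRANTED = "contacts_upload_v1"; // assumed name
    private static final String KEY_GRANTED_AT = "contacts_upload_v1_at";

    /** Work that is allowed to run only after affirmative consent. */
    public interface ConsentedAction {
        void run();
    }

    private ContactsUploadConsent() {}

    /** True only if the user previously tapped "Allow" for this disclosure version. */
    public static boolean hasConsent(Context ctx) {
        return ctx.getSharedPreferences(PREFS, Context.MODE_PRIVATE)
                  .getBoolean(KEY_GRANTED, false);
    }

    /**
     * Shows the prominent in-app disclosure if needed and runs the upload
     * only after the user taps "Allow". Declining leaves the rest of the app
     * usable; the feature simply stays off.
     */
    public static void requireConsentThen(final Activity activity,
                                          final ConsentedAction upload) {
        if (hasConsent(activity)) {
            upload.run();
            return;
        }

        new AlertDialog.Builder(activity)
            .setTitle("Share your contacts?")
            // The disclosure itself: what is collected, how it is used,
            // and the types of parties it goes to. (Wording is illustrative.)
            .setMessage("To suggest people you may know, this app will upload the "
                      + "names and phone numbers in your contact list to our servers. "
                      + "We share this data with our hosting provider and with a "
                      + "contact-matching service provider. We do not sell it.")
            // Not cancelable: tapping outside the dialog or pressing the back
            // button leaves it on screen instead of dismissing it.
            .setCancelable(false)
            // Affirmative action: collection starts only inside this handler.
            .setPositiveButton("Allow", (dialog, which) -> {
                recordConsent(activity);
                upload.run();
            })
            // A clear way to decline; nothing is collected on this path.
            .setNegativeButton("Not now", (dialog, which) -> dialog.dismiss())
            .show();
        // No timer or auto-dismiss is attached: the dialog waits for the user.
    }

    private static void recordConsent(Context ctx) {
        SharedPreferences prefs = ctx.getSharedPreferences(PREFS, Context.MODE_PRIVATE);
        prefs.edit()
             .putBoolean(KEY_GRANTED, true)
             .putLong(KEY_GRANTED_AT, System.currentTimeMillis()) // when consent was given
             .apply();
    }
}
```

Usage from an activity would be `ContactsUploadConsent.requireConsentThen(this, this::uploadContacts)`, called from the normal flow that leads to the feature rather than from a settings screen. The preference key carries a version suffix so that a material change to what is collected or shared forces the disclosure to be shown again rather than relying on an older consent.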
In addition to the general requirements above, Google sets out requirements for specific kinds of data.
If your mobile app handles financial or payment information or government identification numbers, it must never publicly disclose any personal or sensitive user data related to financial or payment activities, or any government identification numbers. If your mobile app handles nonpublic phonebook or contact information, it must not allow the unauthorized publishing or disclosure of people’s nonpublic contact information.
Mobile app owners will need to update their privacy notice and disclosures
Given Google’s new privacy requirements, almost all mobile app owners will likely need to change not only their privacy notice but also the design of the app itself, so that the disclosure and consent flow described above is built into normal use of the app.