In July and October 2021, we announced additional details for the Data safety section on Google Play following our initial blog post in May 2021. Developers are required to tell us about their apps' privacy and security practices by completing a form in Play Console. This information will be shown on your app's store listing to help Google Play users understand how your app collects and shares user data before they download. This article provides an overview of the new requirements, what you need to do to complete the form, and a timeline of upcoming events. The Data safety section on Google Play is a simple way for you to help people understand what user data your app collects or shares, as well as showcase your app’s key privacy and security practices. This information helps users make more informed choices when deciding which apps to install. By July 20, 2022, all developers must declare how they collect and handle user data for the apps they publish on Google Play, and provide details about how they protect this data through security practices like encryption. This includes data collected and handled through any third-party libraries or SDKs used in their apps. You may want to refer to your SDK providers’ published Data safety information for details. Check Google Play SDK Index to see if your provider has provided a link to their guidance. You can provide this information through a form in the new Data safety section on the App content page (Policy > App content) in Play Console. After you complete and submit the Data safety form, the information you provide will be reviewed by Google as part of the app review process. It will be shown on your store listing to help Google Play users understand how you collect and share data before they download your app. You alone are responsible for making complete and accurate declarations in your app’s store listing on Google Play. Google Play reviews apps across all policy requirements; however we cannot make determinations on behalf of the developers of how they handle user data. Only you possess all the information required to complete the Data safety form. When Google becomes aware of a discrepancy between your app behavior and your declaration, we may take appropriate action, including enforcement action. You can expand the section below to see how your store listing will look to Google Play users. Note: Images are examples and subject to change What users will see if your app doesn't collect or share any user dataUsers will see the following information if your app doesn't collect or share any user data with other companies or organizations: Users will see the following information if your app doesn't share any user data with other companies or organizations: Note: Images are examples and subject to change Which developers need to complete the Data safety form in Play Console?All developers that have an app published on Google Play must complete the Data safety form, including apps on closed, open, or production testing tracks. Effective October 24th, 2022, tracks that are active on are exempt from inclusion in the data safety section. Apps that are exclusively active on this track do not need to complete the declaration. Exceptions provided in the interim. If your app includes artifacts active on any other track, you must still submit a declaration form. Even developers with apps that do not collect any user data are required to complete this form and provide a link to their privacy policy. In this case, the completed form and privacy policy can indicate that no user data is collected or shared.
Getting your information readyTo prepare for these changes, we recommend that you:
You can expand the section below to see the planned timeline for the Data safety form roll-out in Play Console. Timeline informationWe anticipate the following timeline for the Data safety form roll-out in Play Console. Note that this timeline is subject to change; updates will be posted in this article.
This video takes you through all the resources and steps required to complete the Data safety form. Google Play PolicyBytes - Data safety form walkthroughWhat developers need to disclose in the Data safety formThis section explains what information you need to disclose in the Data safety form in Play Console, and lists the user data types and purposes you can select. What developers need to declare across data typesClick on the sections below to expand or collapse them. Data collection“Collect” means transmitting data from your app off a user’s device. Please note the following guidelines:
Not in scope for data collection
“Sharing” refers to transferring user data collected from your app to a third party. This includes user data transferred:
The following types of data transfers do not need to be disclosed as “sharing”:
First and third parties.
You can also disclose whether each data type collected by your app is “optional” or “required.” “Optional” includes the ability to opt into or opt out of data collection. For example, you can declare a data type as “optional” where a user has control over its collection and can use the app without providing it; or where a user chooses whether to manually provide that data type. If your app’s primary functionality requires the data type, you should declare that data as “required.” You can declare that your app collects certain data optionally only if all users – regardless of device or region – can either optionally provide information, opt-out, or opt-in to have the data collected. Examples of optional data collection include:
The Data safety section is also an opportunity for you to showcase your app’s privacy and security practices to your users. For example, you can highlight the following information:
Apps that have children as a target audience must follow Google Play's Families policy requirements. If your app falls in this category and you’ve reviewed its compliance with the Families policy requirements, you can choose to display a badge on your Data safety section stating that you have “Committed to follow the Play Families Policy.” To display the badge, go to the "Security practices" section of your Data safety form and click Go to Target audience and content to opt-in Independent security review (available to all apps)You may choose to declare in your Data safety form that your app has been independently validated against a global security standard. This is an optional review undertaken and paid for by developers. Through MASA (Mobile Application Security Assessment) developers can work directly with a Google Authorized Lab to have their apps evaluated against OWASP’s MASVS (Mobile Application Security Verification Standard). The third-party organizations performing the reviews are doing so on the developer’s behalf. If you're interested in participating, you can contact a Google Authorized Lab directly to initiate the testing process. Once the lab has verified your app satisfies all security requirements, you can choose to display a badge on your Data safety section stating that you have completed the “Independent Security Review.” Authorized Labs have a dedicated practice area around mobile app security and provide comprehensive security testing capabilities and experience. These labs also comply with ISO 17025 or an equivalent industry-recognized standard. If you meet this criteria and are interested in becoming a lab partner, please complete and submit this form with your company details. Important: This independent review may not be scoped to verify the accuracy and completeness of your Data safety declarations. Even if you use third-party tools to diagnose your app’s security controls, you remain solely responsible for making complete and accurate declarations in your app’s store listing on Google Play. Data types and purposesClick on the sections below to expand or collapse them. Data typesDevelopers will be asked to provide collection, sharing, and other practices for a range of user data types, as well as the purposes for which you use that data. CategoryData typeDescriptionLocation Approximate location User or device physical location to an area greater than or equal to 3 square kilometers, such as the city a user is in, or location provided by Android’s ACCESS_COARSE_LOCATION permission.Precise location User or device physical location within an area less than 3 square kilometers, such as location provided by Android’s ACCESS_FINE_LOCATION permission.Personal infoNameHow a user refers to themselves, such as their first or last name, or nickname.Email addressA user’s email address.User IDs Identifiers that relate to an identifiable person. For example, an account ID, account number, or account name.Address A user’s address, such as a mailing or home address.Phone number A user’s phone number.Race and ethnicity Information about a user’s race or ethnicity.Political or religious beliefs Information about a user’s political or religious beliefs.Sexual orientation Information about a user’s sexual orientation.Other info Any other personal information such as date of birth, gender identity, veteran status, etc. Financial info User payment info Information about a user’s financial accounts such as credit card number.Purchase history Information about purchases or transactions a user has made.Credit score Information about a user’s credit score.Other financial info Any other financial information such as user salary or debts.Health and fitness Health info Information about a user's health, such as medical records or symptoms.Fitness info Information about a user's fitness, such as exercise or other physical activity.Messages Emails A user’s emails including the email subject line, sender, recipients, and the content of the email.SMS or MMS A user’s text messages including the sender, recipients, and the content of the message.Other in-app messages Any other types of messages. For example, instant messages or chat content.Photos and videos Photos A user’s photos.Videos A user’s videos.Audio files Voice or sound recordings A user’s voice such as a voicemail or a sound recording.Music files A user’s music files.Other audio files Any other user-created or user-provided audio files.Files and docs Files and docs A user’s files or documents, or information about their files or documents such as file names.Calendar Calendar events Information from a user’s calendar such as events, event notes, and attendees.Contacts Contacts Information about the user’s contacts such as contact names, message history, and social graph information like usernames, contact recency, contact frequency, interaction duration and call history.App activity App interactions Information about how a user interacts with the app. For example, the number of times they visit a page or sections they tap on. In-app search history Information about what a user has searched for in your app.Installed apps Information about the apps installed on a user's device.Other user-generated content Any other user-generated content not listed here, or in any other section. For example, user bios, notes, or open-ended responses.Other actions Any other user activity or actions in-app not listed here such as gameplay, likes, and dialog options.Web browsing Web browsing history Information about the websites a user has visited.App info and performance Crash logs Crash log data from your app. For example, the number of times your app has crashed, stack traces, or other information directly related to a crash.Diagnostics Information about the performance of your app. For example battery life, loading time, latency, framerate, or any technical diagnostics.Other app performance data Any other app performance data not listed here.Device or other IDs Device or other IDs Identifiers that relate to an individual device, browser or app. For example, an IMEI number, MAC address, Widevine Device ID, Firebase installation ID, or advertising identifier.PurposesData purposeDescriptionExampleApp functionalityUsed for features that are available in the appFor example to enable app features, or authenticate users.Analytics Used to collect data about how users use the app or how it performs For example, to see how many users are using a particular feature, to monitor app health, to diagnose and fix bugs or crashes, or to make future performance improvements.Developer communicationsUsed to send news or notifications about the app or the developer.For example, sending a push notification to inform users about an important security update, or informing users about new features of the app.Advertising or marketingUsed to display or target ads or marketing communications, or measuring ad performanceFor example, displaying ads in your app, sending push notifications to promote other products or services, or sharing data with advertising partners.Fraud prevention, security, and complianceUsed for fraud prevention, security, or compliance with laws. For example, monitoring failed login attempts to identify possible fraudulent activity. PersonalizationUsed to customize your app, such as showing recommended content or suggestions.For example, suggesting playlists based on the user's listening habits or delivering local news based on the user’s location. Account managementUsed for the setup or management of a user’s account with the developer.For example, to enable users to create accounts or add information to an account the developer provides for use across its services, log in to your app, or verify their credentials.Completing the Data safety form in Play ConsoleYou can tell us about your app’s privacy and security practices in the Data safety form on the App content page in Play Console. OverviewFirst, you'll be asked whether your app collects or shares certain types of user data. This is where you let us know whether your app collects or shares any of the required user . If it does, you'll be asked some questions about your privacy and security practices. If you're unsure about any of these questions, you can save your form as a draft at any time and return to it later. Next, you'll answer some questions about each type of user data. If your app does collect or share any of the required user data types, you'll be asked to select them. For each type of data, you'll be asked questions about how the data is used and handled. Before you submit, you'll see a preview of what will be shown to users on your store listing. After you submit, the information you provided will be reviewed by Google as part of the app review process. Google’s review process is not designed to verify the accuracy and completeness of your data safety declarations. While we may detect certain discrepancies in your declarations and we will be taking appropriate enforcement measures when we do, only you possess all the information required to complete the Data safety form. You alone are responsible for making complete and accurate declarations in your app’s store listing on Google Play. Complete and submit your formWhen you're ready to start, here's how you complete and submit your Data safety form in Play Console:
If you're ready to submit your completed form, select Submit. If you want to go back and change something, you can select Back to amend your answers. If you're not sure about something, you can select Save as draft and return to the form later. If you select Discard changes, you'll need to start the form again. Import or export your form responsesYou can export your form responses to a CSV file. You can also download a sample CSV, complete the form offline, and import your completed form from the CSV. Click click here to download a sample CSV. Understand the CSV formatThe CSV contains one row per response. Responses for multiple choice and single choice questions span multiple rows, matching the number of available choices. To respond to a question, enter TRUE or FALSE in the corresponding cell in the "Response value" column, or you can leave the cell blank if the question is optional or you're responding to a multiple choice question. The column "Answer requirement" indicates whether or not a response is mandatory, and can contain the following values:
The table below provides an example for the “Name” and “Approximate location” sections of the Data safety form. It contains:
Question ID (machine readable)Response valueAnswer requirementHuman-friendly question labelPSL_DATA_ TYPES_ PERSONALPSL_NAMETRUEMULTIPLE_ CHOICEPersonal info Name... PSL_DATA_ TYPES_ LOCATIONPSL_ APPROX_ LOCATIONTRUEMULTIPLE_ CHOICELocation Approximate location... PSL_DATA_USAGE_ RESPONSES: PSL_NAME: PSL_DATA_USAGE_ COLLECTION_AND_ SHARINGPSL_DATA_ USAGE_ONLY_ COLLECTEDTRUEMULTIPLE_ CHOICEData usage and handling (Name) Is this data collected, shared, or both? CollectedPSL_DATA_USAGE_ RESPONSES: PSL_NAME: PSL_DATA_USAGE_ COLLECTION_AND_ SHARINGPSL_DATA_ USAGE_ONLY_ SHARED MULTIPLE_ CHOICEData usage and handling (Name) Is this data collected, shared, or both? SharedPSL_DATA_USAGE_ RESPONSES: PSL_NAME: PSL_DATA_USAGE_ EPHEMERAL TRUEMAYBE_ REQUIREDData usage and handling (Name) Is this data processed ephemerally?PSL_DATA_USAGE_ RESPONSES: PSL_NAME: DATA_USAGE_USER_ CONTROLPSL_DATA_ USAGE_USER_ CONTROL_ OPTIONALTRUESINGLE_ CHOICEData usage and handling (Name) Is this data required for your app, or can users choose whether it's collected? Users can choose whether this data is collectedPSL_DATA_USAGE_ RESPONSES: PSL_NAME: DATA_USAGE_USER_ CONTROLPSL_DATA_ USAGE_USER_ CONTROL_ REQUIRED SINGLE_ CHOICEData usage and handling (Name) Is this data required for your app, or can users choose whether it's collected? Data collection is required (users can't turn off this data collection)PSL_DATA_USAGE_ RESPONSES: PSL_NAME: DATA_USAGE_ COLLECTION_ PURPOSEPSL_APP_ FUNCTIONALITYTRUEMULTIPLE_ CHOICEData usage and handling (Name) Why is this user data collected? Select all that apply. App functionalityPSL_DATA_USAGE_ RESPONSES: PSL_NAME: DATA_USAGE_ COLLECTION_ PURPOSEPSL_ANALYTICSTRUEMULTIPLE_ CHOICEData usage and handling (Name) Why is this user data collected? Select all that apply. AnalyticsPSL_DATA_USAGE_ RESPONSES: PSL_NAME: DATA_USAGE_ COLLECTION_ PURPOSEPSL_DEVELOPER_ COMMUNICATIONS MULTIPLE_ CHOICEData usage and handling (Name) Why is this user data collected? Select all that apply. Developer communicationsPSL_DATA_USAGE_ RESPONSES: PSL_NAME: DATA_USAGE_ COLLECTION_ PURPOSEPSL_FRAUD_ PREVENTION_ SECURITY MULTIPLE_ CHOICEData usage and handling (Name) Why is this user data collected? Select all that apply. Fraud prevention, security, and compliancePSL_DATA_USAGE_ RESPONSES: PSL_NAME: DATA_USAGE_ COLLECTION_ PURPOSEPSL_ADVERTISING MULTIPLE_ CHOICEData usage and handling (Name) Why is this user data collected? Select all that apply. Advertising or marketingPSL_DATA_USAGE_ RESPONSES: PSL_NAME: DATA_USAGE_ COLLECTION_ PURPOSEPSL_ PERSONALIZATION MULTIPLE_ CHOICEData usage and handling (Name) Why is this user data collected? Select all that apply. PersonalizationPSL_DATA_USAGE_ RESPONSES: PSL_NAME: DATA_USAGE_ COLLECTION_ PURPOSEPSL_ACCOUNT_ MANAGEMENT MULTIPLE_ CHOICEData usage and handling (Name) Why is this user data collected? Select all that apply. Account managementPSL_DATA_USAGE_ RESPONSES: PSL_NAME: DATA_USAGE_ SHARING_ PURPOSEPSL_APP_ FUNCTIONALITY MULTIPLE_ CHOICEData usage and handling (Name) Why is this user data shared? Select all that apply. App functionalityPSL_DATA_USAGE_ RESPONSES: PSL_NAME: DATA_USAGE_ SHARING_ PURPOSEPSL_ANALYTICS MULTIPLE_ CHOICEData usage and handling (Name) Why is this user data shared? Select all that apply. AnalyticsPSL_DATA_USAGE_ RESPONSES: PSL_NAME: DATA_USAGE_ SHARING_ PURPOSEPSL_DEVELOPER_ COMMUNICATIONS MULTIPLE_ CHOICEData usage and handling (Name) Why is this user data shared? Select all that apply. Developer communicationsPSL_DATA_USAGE_ RESPONSES: PSL_NAME: DATA_USAGE_ SHARING_ PURPOSEPSL_FRAUD_ PREVENTION_ SECURITY MULTIPLE_ CHOICEData usage and handling (Name) Why is this user data shared? Select all that apply. Fraud prevention, security, and compliancePSL_DATA_USAGE_ RESPONSES: PSL_NAME: DATA_USAGE_ SHARING_ PURPOSEPSL_ ADVERTISING MULTIPLE_ CHOICEData usage and handling (Name) Why is this user data shared? Select all that apply. Advertising or marketingPSL_DATA_USAGE_ RESPONSES: PSL_NAME: DATA_USAGE_ SHARING_ PURPOSEPSL_ PERSONALIZATION MULTIPLE_ CHOICEData usage and handling (Name) Why is this user data shared? Select all that apply. PersonalizationPSL_DATA_USAGE_ RESPONSES: PSL_NAME: DATA_USAGE_ SHARING_ PURPOSEPSL_ACCOUNT_ MANAGEMENT MULTIPLE_ CHOICEData usage and handling (Name) Why is this user data shared? Select all that apply. Account managementExport to a CSV file
Important: Answers already entered into your form will be overwritten when you import a CSV.
After you submit your Data safety formAfter you submit, the information you provided will be reviewed by Google as part of the app review process. Until July 20, 2022, you can temporarily proceed to publish app updates regardless of whether we find issues with the information you've disclosed. If there are no issues, your app will be approved and you won't need to do anything. If there are issues, you will need to revert your Data safety form's status to "Draft" in Play Console to publish your app update. We will also send the developer account owner an email, an Inbox message in Play Console, and show this information on the Policy status (Policy > Policy status) page. After July 20, 2022, all apps will be required to have completed an accurate Data safety form that discloses their data collection and sharing practices (including apps that do not collect any user data). Optional format for SDKsIf you're an SDK provider, you can click on the section below to view an optional format you can use to publish guidance for your users. Developers will need to disclose their app's data collection, sharing, and security practices as part of Google Play’s new Data safety section. To assist developers in helping build user data and security transparency, the guidance below can be used to publish SDK guidance for developers incorporating your SDK into their apps. Google Play is publishing this optional structure for SDK developers to use at your convenience, but you may use any format or none based on the needs of your users. Optional format for SDKs[SDK Name]SDK / SDK feature that may collect or share data Data type SDK accesses and collects Note: Consider providing accurate technical information that will help your customers to determine which of the Play Data safety section definitions of data types applies to the data your SDK collects. In some cases, you may be comfortable using a Data safety section definition (e.g., “approximate location”) because the applicable data type is clear and does not depend on extraneous factors. In other cases, the data type definition may depend on how the given data is used after it is collected, or on the developer’s particular interpretation of Play Data safety section definitions. For example, IP addresses may be used alternatively to infer location, or to extract identifiers, or for a variety of other purposes depending on the nature of the SDK, its implementation by any given app, and other factors. Note: Developers do not have to declare data access as collection if it occurs solely on the user’s device as long as the data is never transmitted off the user’s device. For each data type listed:
App level notes [complete section for any data collected or shared]
Frequently asked questions
App submission and reviewWhat if I need additional time to comply with the new requirements?We opened Play Console in October for Data safety form submissions and will provide a grace period until July 20, 2022, which should be ample lead time. At this point, we have no plans to grant extensions. Can an app be blocked by Google Play due to the information submitted by a developer as part of this feature?In short, yes after July 20, 2022. Developers should provide accurate information that reflects their app’s data collection and handling practices. They are accountable for the information they provide. Google Play reviews apps across all policy requirements; however we cannot make determinations on behalf of the developers of how they handle user data. Only you possess all the information required to complete the Data safety form. If we find that a developer has misrepresented the data they’ve provided and is in violation of the policy, we will require the developer to fix it. Apps that don’t become compliant are subject to policy enforcement, like blocked updates or removal from Google Play. Will this new feature impact app review times?Until July 20, 2022, during the optional period, app review times will not be impacted and developers can continue updating existing apps with ongoing releases. After the optional period ends, developers' new app submissions and app updates will be rejected if they do not provide information that’s compliant with the policy, but developers may still publish app updates or new apps without a compliant Data safety section until July 20, 2022. How long does it take for Data safety updates made through Play Console to show on Google Play?After you submit a new app or an update to an existing app on your Play Console, it can take some time for your app to be processed for standard publishing on Google Play. Certain apps may be subject to expanded reviews, which may result in review times of up to 7 days or longer in exceptional cases. What can I do to troubleshoot if I’m not seeing my Data safety section published?App updates and new submissions must comply with Google Play's Developer Program Policy. You can go to the Publishing overview page in Play Console to check if your app submission is still pending review. If your latest update is ready, and you are still not seeing the Data safety section form on Google Play, you can check if managed publishing is turned on in Play Console. If managed publishing is turned on, your release won't be made available until you publish it. You can roll out the release from the Publishing overview page. The approved submission will then be published and available on Google Play shortly afterwards. If you updated the Data safety section content, but are not seeing the latest on Google Play, try refreshing the app page. Note that, due to device connectivity and varying server load, it may take several days (in some cases up to 7 days) for app updates to reach all devices. We kindly request your patience while Google Play registers and delivers your app update. I just submitted similar information for iOS. How much of that work can I re-use for the Data safety form?It’s great that you have a good handle on your app’s data practices. The Data safety form will ask for additional and different information that you may not have used previously, so we want you to expect that this will still take effort for your team. The taxonomy and framework of the Data safety section on Google Play may differ materially from those used in other app stores. How will you make sure developers share accurate information? We’ve seen that this information is not always accurate in the industry.Similar to a privacy policy, or app details like screenshots and descriptions, developers are responsible for the information disclosed in their Data safety section. Google Play’s User Data policy requires developers to provide accurate information. If we find that a developer has misrepresented the data they’ve provided and is in violation of the policy, we will require the developer to fix it. Apps that don’t become compliant will be subject to policy enforcement. Is Google going to regulate if the collected data by the developer is ultimately appropriate?Google Play users should feel confident that their data is safe. We continuously launch new features and policies to protect user privacy and keep Google Play a trusted place for everyone. Some of Google Play’s new features and policies have enhanced user controls and transparency. Others help ensure that developers only access personal data when it’s needed for the primary use of the app. Existing Google Play Developer Program policies like these contain a number of requirements around data transparency and control. Apps that don’t comply with Google Play Developer Program policies are subject to policy enforcement. How often does my Data safety section need to be updated?You should update your Data safety section when there are relevant changes to the data practices of the app. Your Data safety form responses must remain accurate and complete at all times. Will the launch of the Data safety section on Google Play impact app downloads?The Data safety section can help people make the right decision for themselves about which apps to download. It also helps developers build trust and get more engaged users who feel confident that their data will be treated responsibly. Developers have shared that they want clearer ways to communicate with their users about their data practices. Completing the Data safety formWhat if my app behaves differently in different supported Android versions?Google Play will have one global Data safety form and Data safety section in the Google Play store listing per package name that is agnostic to usage, app version, region, and user age. In other words, if any of the collection, uses, or linkages are present in any version of the app presently distributed on Google Play, anywhere in the world, you must indicate such on the form. Therefore, your Data safety section will describe the sum of your app’s data collection and sharing across all its versions currently distributed on Google Play. You can use the “About this app” section to share version-specific information with your users. How can I show that we may have different practices in different regions? For example, we don’t use certain libraries in Europe, but we may use them in others.At this time, we reflect the global representation of your data practices per app. Your Data safety section will describe the sum of your app’s data collection and sharing across all its versions currently distributed on Google Play. You can use the “About this app” section to share version-specific information with your users. The Data safety section will include a clarification for Google Play users that an app’s data collection and security practices may vary based on a number of factors such as the region. Are the Data safety sections gated by a consent mechanism for users? Do we need to take any extra steps and create an in-app prominent disclosure?No, the Data safety section is only presented on your app's store listing on Google Play; there is no new disclosure in the user app install process, and there is no new user consent related to this feature. Developers that collect personal and sensitive user data must implement in-app disclosures and consent where required by the existing Google Play User Data policy. How should I mark required or optional collection when different versions of my app that show a Data safety section do different things?Your Data safety section will describe the sum of your app’s data collection and sharing across all its versions currently distributed on Google Play. If any version of your app requires the collection of certain data, you must declare its collection as required for the Data safety section. You should not describe collection as optional if it is required for any of your app’s users. You can use the “About this app” section to share version-specific information with your users. Do I need to declare data if my app includes a permission but does not actually collect or share the data?You do not need to declare collection or sharing unless data is actually collected and/or shared. Your app must comply with all Google Play Developer Program policies, including our policy for Permissions and APIs that Access Sensitive Information. If one data type is collected as part of another, should I declare both? For example, if I collected Contacts which includes the user's email, do I declare both the "Contacts" and "Email address" data types?If you are purposefully collecting a data type during the collection of another data type, you should disclose both. For example, if you collect user photos and use them to determine users’ characteristics (such as ethnicity or race) you should also disclose the collection of ethnicity and race. Am I required to provide a deletion mechanism? Must it be for any and all user data?The Data safety section provides a surface for developers to share if they provide a mechanism to receive data deletion requests from users. As part of completing the Data safety form, developers are required to indicate if you provide such a mechanism. Is there a specific type of mechanism that I must provide to indicate my app supports user data deletion requests?There is no prescribed mechanism, however as best practice the request mechanism should be easily discoverable and accessible by users. Common examples of mechanisms that clearly indicate a path by which users can request data deletion may include but are not limited to: in-app features, contact forms, or a dedicated email alias. How should I indicate in my Data safety form that I provide a request for deletion mechanism for data that is automatically deleted or anonymized?Developers may select the deletion request mechanism badge in Data safety form if they:
Developers may select the deletion request mechanism badge even if they need to retain certain data for legitimate reasons such as legal compliance or abuse prevention. What if the deletion mechanism I provide is not available globally to all users – can I still indicate I provide a deletion request mechanism?Google Play provides one global Data safety form and Data safety section in the Google Play store listing per package name that should cover data practices based on any usage, app version, region, and user age. In other words, if any of the data practices are present in any version of the app presently distributed on Google Play, anywhere in the world, you must indicate these practices on the form. Therefore, your Data safety section will describe the sum of your app’s data collection and sharing across all its versions currently distributed on Google Play. What kinds of techniques can be used to make data anonymous?There are a variety of potential methods to anonymize data such that it cannot be associated with an individual user. You should consult with your privacy and security experts to identify the methods applicable to your use case. As an example, this page discusses some of the data anonymization methods used by Google, such as differential privacy. How should I treat the collection and use of IP addresses?As with other data types, developers should disclose their collection, use and sharing of IP addresses based on their particular usage and practices. For example, where developers use IP addresses as a means to determine location, then that data type should be declared. How should I disclose the collection and sharing of other kinds of identifiers?As with other data types, you should disclose your collection, use and sharing of different kinds of identifiers based on your particular usage and practices. For example, the collection of an account name associated with an identifiable person should be declared as a “Personal identifier,” and the collection of a user’s Android Advertising ID should be declared as “Device or other identifiers.” As another example, an identifier related to a specific in-app event, but that does not reasonably relate to an individual device, browser or app, would not need to be disclosed as “Device or other identifiers.” As noted above, the collection of data pseudonymously should be disclosed on your survey under the relevant data type. For example, if you collect diagnostic information with a device identifier, you should still disclose the collection of “Diagnostics” in your Data safety form. What kinds of activities can “service providers” perform?A service provider may only process user data on your behalf. For example, an analytics provider that processes user data from your app solely on your behalf, or a cloud provider hosting user data from your app for your use, will typically qualify as “service providers.” On the other hand, if an SDK provider is building advertising profiles across multiple customers based on your app data, that would not be considered “service provider” activity for purposes of the Data safety section, and would need to be disclosed as "sharing" in your Data safety form. My app uses an external payment service to enable financial transactions. Does my app need to disclose financial information like credit card info in its Safety section?It depends on the nature of your integration with the payment service. If your app uses a payment service such as PayPal, Google Pay, Google Play's billing system, or similar services to complete payment transactions, you don’t need to declare collection of the data that the payment service collects in connection with its processing of financial transactions, such as a credit card number, if the following conditions are met:
You should review your integration with the payment service closely to ensure that your app’s Data safety section declares any relevant data collection and sharing that does not meet these conditions. You should also consider whether your app collects other financial information, like purchase history, and whether your app receives any relevant data from the payments service, for example for risk and anti-fraud purposes. My app enables users to upload their data directly to Google Drive or Dropbox for backup or storage. My app does not access any of this data. Should that still be disclosed as “collection”?It depends on the particular implementation. If the user chooses to upload their data directly to their own external drive or cloud storage account (such as Google Drive, Dropbox, or similar services) and this upload is governed by the external drive or cloud storage provider's terms of service and privacy policy, and your app never collects or accesses the data in question, then your app does not need to declare the collection of this data. How should I encrypt data in transit?You should follow best industry standards to safely encrypt your app’s data in transit. Common encryption protocols include TLS (Transport Layer Security) and HTTPS. My app lets the user create an account or add information to their account, for example, birthday or gender. How should I declare the data that the user adds to their account?You should declare the collection of this data for account management, denoting (if applicable) where collection is optional for the user. In addition, as with any data types collected by your app, you should disclose this data for the purpose(s) for which your app uses it. For example, if your app allows a user to add a birthday to their account and also uses that data to send timely push notifications, your app should also declare this purpose in addition to account management. Account management can be used to cover general uses of account data that are not specific to the particular app. For example, if you use account information for fraud prevention, advertising, marketing, or developer communications across your services, and this use is not specific to your app, or activities in your app, declaring “account management” as the purpose of collecting this account data will be sufficient to cover those general uses in your Data safety section. However, your app must always declare all purposes for which the app itself uses the data. As a best practice, we recommend disclosing how your app handles user data for account services as part of your account-level documentation and sign-up process. What are System services?System services are pre-installed software that support core system functionality. System services can apply for an exemption from completing the Data safety form. My app’s Data safety section submission was approved but I recently received a notification regarding an update. How do I check the current status of my submission and is that not permanent?You can check the status of your submission on the App content page (Policy > App content) in Play Console. If your submission is compliant, you will see a green check mark in the “Data safety” section. Note: Our policies are enforced through systems and processes that are continuously improved over time. Additionally, changes and updates to our policies can result in apps which were approved earlier to be enforced upon at a later time following initial submission due to non-compliance. Google Play will notify developers regarding any updates. You can check our User Data policy and this Help Center article to make sure you are aware of the most up to date guidance. How do I declare collection of data that is used in a transient way to load pages and service other client-side requests in real time before that data is logged on our servers and used for other purposes?If this use is ephemeral, you do not need to include it in your form response. However, you must declare any use of that user data beyond the ephemeral processing, including any purposes for which you use the user data that you log. Please review the definition of ephemeral processing in the section above. What is the difference between the permissions list and the Data safety section of an app?Google gathers information for the permissions list based on the install-time permissions that an app declares in its manifest. The Data safety section shares what data the app collects and shares with third parties. Change logYou can refer to this section to see a revision history for this article, so you can keep track of changes over time. We'll add dated entries here whenever we make significant changes to this article in the future. August 24, 2022We updated the section to reflect that, effective October 24th, 2022, tracks that are active on are exempt from inclusion in the data safety section. Apps that are exclusively active on this track do not need to complete the declaration. Exceptions provided in the interim. If your app includes artifacts active on any other track, you must still submit a declaration form. July 20, 2022We updated the details in the "Getting your information ready" section to explain that non-compliant new app submissions and app updates will receive warnings that submissions and app updates will be rejected in Play Console if there are unresolved issues with the form. We also updated this section with details of what will happen after this warning period ends on August 22, 2022. In the section, we made the following changes in the subsection:
We made the following changes to the section:
In the section, we added a line encouraging developers to check Google Play SDK Index to see if their provider has provided a link to their guidance. You can read the Make informed choices with Google Play SDK Index Help Center article to learn more. In the section, we added a recommendation to watch the Google Play PolicyBytes Data safety form walkthrough video, which takes you through all the resources and steps required to complete the Data safety form. April 26, 2022In the section, we added a line encouraging certain developers to refer to their SDK providers’ published data safety information for details, like Firebase and AdMob. We updated the details in the "Getting your information ready" section with a reference to the message users would see on Google Play in the July 2022 entry (previously, this read "No data available," which has been updated to "No info available") In the section, we made the following changes:
On April 8, 2022, we corrected the name of the "Photos and videos" (this was previously listed as "Photos or videos"). February 24, 2022On February 24, 2022, we made a number of changes to this article, which are described below. Timeline information changesWe updated the details in the "Getting your information ready" section as follows:
We updated other references to dates in the article to be consistent with the revised dates above. Clarifications regarding what developers need to disclose across data typesIn the "" section, we made the following changes in the "What developers need to disclose across data types" subsection:
Data types and purposes updatesWe made minor naming changes to our :
We made clarifications to our :
Other changesIn the section, we added additional images to show . We added new including topics relating to account management, user-initiated actions, use of payments platforms, and encryption. We updated the definition for ephemeral processing in the section and added a new FAQ regarding this topic. December 14, 2021On December 14, 2021, we updated the that was originally named "Sexual orientation and gender identity." This data type is now named "Sexual orientation" and refers to only sexual orientation. We also updated the "Other personal info" data type to include gender identity as an example of other personal information. What is the signature injury in veterans who served in the Operation Enduring Freedom?Traumatic brain injury (TBI) has been described as the “signature injury” of recent military conflicts Operation Iraqi Freedom (OIF) and Operation Enduring Freedom (OEF). According to the US Department of Defense (DOD), over 63,000 service members were diagnosed with TBI between January 2003 and September 2009.
Who shall have borne the battle?“… To care for him who shall have borne the battle and for his widow and his orphan...” The wise words of President Abraham Lincoln and the motto of the Veterans Administration remind us so vividly why we in Congress need to work on behalf of our nation's veterans.
What is considered PII in Virginia?PII is any information maintained by VA about an individual, such as education, financial transactions, medical history, and criminal or employment history, which can reasonably be used to identify that individual and information which can be used to distinguish or trace an individual's identity.
|