Comment & Opinion

App and game developers have only 60 days to comply with the new Google Play user privacy guidelines

Ronnie Sternberg is Co-founder & VP Business Development at SafeDK

With May 2018 getting closer, companies worldwide are giving extra focus to user privacy, as the EU’s General Data Protection Regulation (GDPR) is coming into effect.

The GDPR aims to return personal data control to European nationals and to simplify the regulatory environment for international businesses. Mobile app and web developers have already started gaining a preliminary understanding of what they need to change to comply with the new regulations.

But if app companies thought they still had time to complete and roll out all relevant changes, they have been proven wrong: Google is already strengthening its user privacy requirements, and in less than 60 days the new User Privacy requirements within the Google Play Developer Policy will come into effect.

Your app, your responsibility

Starting February 2018, Google is tightening the security around unwanted and harmful mobile behaviour on Android. As part of their enforcement, Google will show a warning on apps or websites that collect private data without getting the user's consent.

Private user data refers to user phone numbers, emails, location, installed apps and more. Google distinguishes between apps that handle personal user data as part of the app’s functionality vs. apps that collect the data even though it’s unrelated to their offering.

If the app handles personal user data or device data for the original purpose of the app, Google will require the app to prompt users and provide its own privacy policy in the app. Otherwise, the app must highlight how the user data will be used and get user consent for such use. This fits with Google’s October guidelines, which aim to protect users by limiting how and when developers should make permission requests.

These data collection requirements apply to all functions of the app: not only the app's own code, but also the 3rd party SDKs that are integrated within it. SDKs (software development kits) are not really the app owner's code, yet the app owners are liable for them and their activity.

Therefore, if SDKs have been implemented within the mobile app and try to access personal data, the responsibility for the data collection and usage is still on the app publisher.

Do you know what data your SDKs are accessing?

Validating the compliance of every SDK that goes into the app becomes challenging. It becomes even more critical with the recent SafeDK study showing that 67% of apps have at least one SDK accessing private user data. Specifically, over 50% of apps have at least one SDK that accesses the user’s location and 40% have SDKs that access the list of installed apps on the user’s device.

It is the app publisher’s responsibility to advise users about any information the SDKs are trying to access, whether through the privacy policy in the app or a pop-up message that requests user consent.

Currently, many app publishers do not even know what information their SDKs are accessing, and now publishers have a very limited time to find a solution to help them comply with the new requirements.

Source: SafeDK Mobile SDK Market Trend Report

So what should app publishers expect from Google in 60 days? Google says it plans to present warnings on user devices and on web pages that lead to these apps. Google’s app verification process comes into play here: it warns users when potentially harmful apps are being installed, or even blocks the installation of apps that are in breach.

As app publishers, the last thing you want to witness is Google warning your users on privacy issues in your app, or even worse – banning your app from the Play Store because of SDKs accessing private user data.

It is true that the GDPR will come into effect in May, but app publishers do not have that long: they need to make sure their apps comply with all regulations ASAP.

