Back in May 2021, Google announced that privacy labels would be coming to the Google Play Store. Now, almost a year later, the company has announced that it will soon roll out these labels to the Play Store with requirements for application developers. The Google Play Store already has an expandable permission section. However, while this section provides a fairly detailed look at all the connections and device features that an app can try to access, it does not make clear what information the app can access, collect, or even sell.
Listings in the Google Play Store will soon include a new “Data Security Section” with three primary categories: shared data, collected data, and security practices. Each category is further divided into subsections, each of which can be expanded for more details, including a description of the purpose. According to Google, “Users want to know for what purpose their data is being collected and whether the developer shares user data with third parties. In addition, users want to understand how app developers secure user data after an app is downloaded.”
The Data Security section will also indicate whether an app is required to follow Google Play’s family policies, as well as whether users can delete their data, and whether an app’s security practices have been validated against a global security standard. Google specifically refers to the Mobile Application Security Verification Standard (MASVS) in its blog post.
This new Google Play Store feature comes after Apple implemented an app privacy section in its App Store back in December 2020. This privacy statement was part of a larger privacy promotion from Apple, where it threatened to exclude apps from the app. the store that tracks users without their permission. This pressure on privacy seems to have shattered Facebook’s data mining of iOS users and forced Google to change its ad tracking technology.
However, it has not yet been seen how strictly Google will enforce transparency in data collection. Google will require app developers to complete the data security section, but not all developers may provide accurate information about their data collection practices, especially as Google says apps will be rejected from the Play Store if their stated data collection practices do not comply with the Developer Program data transparency and control policies.
Google’s documentation states that it will take enforcement action in the event that a developer does not provide accurate information, but it is highly unlikely that Google will be able to manually review each app and app update to ensure that their data security sections are truthful. The documentation even indicates that the notification process does not exist for this purpose: “Google’s review process is not designed to verify the accuracy and completeness of your data security statements. Although we may detect certain discrepancies in your statements and we will take appropriate enforcement action when we do so, only you will have all the information necessary to complete the data security form. You are solely responsible for making complete and accurate statements in your app store list on Google Play.”
While we’ll have to see how well Google manages real data collection transparency with this new feature, a data security section is a welcome addition to the Play Store. Aurora Store, a third-party Google Play Store client, has relied on Exodus Privacy reports to show the trackers found in Android apps, but even this feature has not made it clear which user data apps are collecting and sharing and for what purpose.
According to Google’s blog post announcing the feature, users will start seeing the new data security section in Play Store listings every day now, but app developers have until July 20 to fully complete this section. Google has begun notifying developers of this requirement using its rolling email system.