Personal and Sensitive User Data
Examples of common violations
Personal and sensitive user data includes, but isn't limited to, personally identifiable information, financial and payment information, authentication information, phonebook, contacts, device location, SMS and call related data, Health Connect data, inventory of other apps on the device, microphone, camera, and other sensitive device or usage data. If your app handles personal and sensitive user data, then you must:
Prominent Disclosure & Consent Requirement
In cases where users may not reasonably expect that their personal and sensitive user data will be required to provide or improve the policy compliant features or functionality within your app (e.g., data collection occurs in the background of your app), you must meet the following requirements:
You must provide an in-app disclosure of your data access, collection, use, and sharing. The in-app disclosure:
Your in-app disclosure must accompany and immediately precede a request for user consent and, where available, an associated runtime permission. You may not access or collect any personal and sensitive data until the user consents. The app's request for consent:
To meet policy requirements, it’s recommended that you reference the following example format for Prominent Disclosure when it’s required:
Restrictions for Personal and Sensitive Data Access
In addition to the requirements above, the table below describes requirements for specific activities.
Data safety section
Please refer to this article for additional information on completing the Data safety section.
Usage of App Set ID
Android will introduce a new ID to support essential use cases such as analytics and fraud prevention. Terms for the use of this ID are below.
EU-U.S., Swiss Privacy Shield
If you access, use, or process personal information made available by Google that directly or indirectly identifies an individual and that originated in the European Union or Switzerland (“EU Personal Information”), then you must:
You must monitor your compliance with these conditions on a regular basis. If, at any time, you cannot meet these conditions (or if there is a significant risk that you will not be able to meet them), you must immediately notify us by email to firstname.lastname@example.org and immediately either stop processing EU Personal Information or take reasonable and appropriate steps to restore an adequate level of protection.
As of July 16, 2020, Google no longer relies on the EU-U.S. Privacy Shield to transfer personal data that originated in the European Economic Area or the UK to the United States. (Learn More.) More information is set forth in Section 9 of the DDA.