Personal and sensitive information
Personal and sensitive user data includes, but isn't limited to, personally identifiable information, financial and payment information, authentication information, phonebook, contacts, device location, SMS- and call-related data, inventory of other apps on the device, microphone, camera and other sensitive device or usage data. If your app handles personal and sensitive user data, then you must:
Prominent disclosure and consent requirement
In cases where users may not reasonably expect that their personal and sensitive user data will be required to provide or improve the policy compliant features or functionality within your app (e.g.,data collection occurs in the background of your app), you must meet the following requirements:
You must provide an in-app disclosure of your data access, collection, use and sharing. The in-app disclosure:
Your in-app disclosure must accompany and immediately precede a request for user consent and, where available, an associated runtime permission. You may not access or collect any personal and sensitive data until the user consents. The app's request for consent:
Examples of common violations
Restrictions for personal and sensitive data access
In addition to the requirements above, the table below describes requirements for specific activities.
Data safety section
Usage of app set ID
Android will introduce a new ID to support essential use cases such as analytics and fraud prevention. Terms for the use of this ID are below.
EU-U.S. Swiss Privacy Shield
If you access, use or process personal information made available by Google that directly or indirectly identifies an individual, and that originated in the European Union or Switzerland ('EU Personal Information'), then you must:
You must monitor your compliance with these conditions on a regular basis. If, at any time, you cannot meet these conditions (or if there is a significant risk that you will not be able to meet them), you must immediately notify us by email to firstname.lastname@example.org and immediately either stop processing EU personal information or take reasonable and appropriate steps to restore an adequate level of protection.
As of 16 July 2020, Google no longer relies on the EU-U.S. Privacy Shield to transfer personal data that originated in the European Economic Area or the UK to the United States. (Learn more.) More information is set forth in Section 9 of the DDA.