We're updating the following policies. All new and existing apps will receive a grace period of at least 30 days from May 11, 2022 (unless otherwise stated) to comply with the following changes.
Effective October 3, 2022
Personal and sensitive user data includes, but isn't limited to, personally identifiable information, financial and payment information, authentication information, phonebook, contacts, device location, SMS and call related data, Health Connect data, inventory of other apps on the device, microphone, camera, and other sensitive device or usage data. If your app handles personal and sensitive user data, then you must:
- Limit your access, collection, use, and sharing of personal and sensitive user data acquired through the app to purposes directly related to providing and improving the features of the app (e.g., user anticipated functionality that is documented and promoted in the app's description on Google Play). Sharing personal and sensitive user data includes using SDKs or other third party services that cause data to be transferred to a third party. Apps that extend usage of personal and sensitive user data for serving advertising must be in compliance with our Ads Policy.
- Handle all personal and sensitive user data securely, including transmitting it using modern cryptography (for example, over HTTPS).
- Use a runtime permissions request whenever available, prior to accessing data gated by Android permissions.
- Not sell personal and sensitive user data.
Prominent Disclosure & Consent Requirement
In cases where users may not reasonably expect that their personal and sensitive user data will be required to provide or improve the policy compliant features or functionality within your app (e.g., data collection occurs in the background of your app), you must meet the following requirements:
You must provide an in-app disclosure of your data access, collection, use, and sharing. The in-app disclosure:
- Must be within the app itself, not only in the app description or on a website;
- Must be displayed in the normal usage of the app and not require the user to navigate into a menu or settings;
- Must describe the data being accessed or collected;
- Must explain how the data will be used and/or shared;
- Cannot be included with other disclosures unrelated to personal and sensitive user data collection.
Your in-app disclosure must accompany and immediately precede a request for user consent and, where available, an associated runtime permission. You may not access or collect any personal and sensitive data until the user consents. The app's request for consent:
- Must present the consent dialog clearly and unambiguously;
- Must require affirmative user action (e.g., tap to accept, tick a check-box);
- Must not interpret navigation away from the disclosure (including tapping away or pressing the back or home button) as consent; and
- Must not use auto-dismissing or expiring messages as a means of obtaining user consent.
To meet policy requirements, it’s recommended that you reference the following example format for Prominent Disclosure when it’s required:
- “[This app] collects/transmits/syncs/stores [type of data] to enable ["feature"], [in what scenario]."
- Example: “Fitness Funds collects location data to enable fitness tracking even when the app is closed or not in use and is also used to support advertising.”
- Example: “Call buddy collects read and write call log data to enable contact organization even when the app is not in use.”
Data accessed through Health Connect Permissions is regarded as personal and sensitive user data subject to the User Data policy, and the following additional requirements:
Appropriate Access to and Use of Health Connect
Requests to access data through Health Connect must be clear and understandable. Health Connect may only be used in accordance with the applicable policies, terms and conditions, and for approved use cases as set forth in this policy. This means you may only request access to permissions when your application or service meets one of the approved use cases.
Approved use cases for access to Health Connect Permissions are:
- Applications or services with one or more features to benefit users' health and fitness via a user interface allowing users to directly journal, report, monitor, and/or analyze their physical activity, sleep, mental well-being, nutrition, health measurements, physical descriptions, and/or other health or fitness-related descriptions and measurements.
- Applications or services with one or more features to benefit users' health and fitness via a user interface allowing users to store their physical activity, sleep, mental well-being, nutrition, health measurements, physical descriptions, and/or other health or fitness-related descriptions and measurements on their phone and/or wearable, and share their data with other on-device apps that satisfy these use cases.
Health Connect is a general purpose data storage and sharing platform that allows users to aggregate health and fitness data from various sources on their Android device and share it with third parties at their election. The data may originate from various sources as determined by the users. Developers must assess whether Health Connect is appropriate for their intended use and to investigate and vet the source and quality of any data from Health Connect in connection with any purpose, and, in particular, for research, health, or medical uses.
- Apps conducting health-related human subject research using data obtained through Health Connect must obtain consent from participants or, in the case of minors, their parent or guardian. Such consent must include the (a) nature, purpose, and duration of the research; (b) procedures, risks, and benefits to the participant; (c) information about confidentiality and handling of data (including any sharing with third parties); (d) a point of contact for participant questions; and (e) the withdrawal process. Apps conducting health-related human subject research using data obtained through Health Connect must receive approval from an independent board whose aim is 1) to protect the rights, safety, and well-being of participants and 2) with the authority to scrutinize, modify, and approve human subjects research. Proof of such approval must be provided upon request.
- It is also your responsibility for ensuring compliance with any regulatory or legal requirements that may apply based on your intended use of Health Connect and any data from Health Connect. Except as explicitly noted in the labeling or information provided by Google for specific Google products or services, Google does not endorse the use of or warrant the accuracy of any data contained in Health Connect for any use or purpose, and, in particular, for research, health, or medical uses. Google disclaims all liability associated with use of data obtained through Health Connect.
Upon using Health Connect for an appropriate use, your use of the data accessed through Health Connect must also comply with the below requirements. These requirements apply to the raw data obtained from Health Connect, and data aggregated, de-identified, or derived from the raw data.
- Limit your use of Health Connect data to providing or improving your appropriate use case or features that are visible and prominent in the requesting application's user interface.
- Only transfer user data to third parties:
- To provide or improve your appropriate use case or features that are clear from the requesting application's user interface and only with the user’s consent;
- If necessary for security purposes (for example, investigating abuse);
- To comply with applicable laws and/or regulations; or,
- As part of a merger, acquisition or sale of assets of the developer after obtaining explicit prior consent from the user.
- Do not allow humans to read user data, unless:
- The user's explicit consent to read specific data is obtained;
- It’s necessary for security purposes (for example, investigating abuse);
- To comply with applicable laws; or,
- The data (including derivations) is aggregated and used for internal operations in accordance with applicable privacy and other jurisdictional legal requirements.
All other transfers, uses, or sale of Health Connect data is prohibited, including:
- Transferring or selling user data to third parties like advertising platforms, data brokers, or any information resellers.
- Transferring, selling, or using user data for serving ads, including personalized or interest-based advertising.
- Transferring, selling, or using user data to determine credit-worthiness or for lending purposes.
- Transferring, selling, or using the user data with any product or service that may qualify as a medical device pursuant to Section 201(h) of the Federal Food Drug & Cosmetic Act if the user data will be used by the medical device to perform its regulated function.
- Transferring, selling, or using user data for any purpose or in any manner involving Protected Health Information (as defined by HIPAA) unless you receive prior written approval to such use from Google.
Access to Health Connect may not be used in violation of this policy or other applicable Health Connect terms and conditions or policies, including for the following purposes:
- Do not use Health Connect in developing, or for incorporation into, applications, environments or activities where the use or failure of Health Connect could reasonably be expected to lead to death, personal injury, or environmental or property damage (such as the creation or operation of nuclear facilities, air traffic control, life support systems, or weaponry).
- Do not access data obtained through Health Connect using headless apps. Apps must display a clearly identifiable icon in the app tray, device app settings, notification icons, etc.
- Do not use Health Connect with apps that sync data between incompatible devices or platforms.
- Health Connect cannot connect to applications, services or features that solely target children. Health Connect is not approved for use in primarily child-directed services.
You may only request access to permissions that are critical to implementing your application or service's functionality.
- Don't request access to information that you don't need. Only request access to the permissions necessary to implement your product's features or services. If your product does not require access to specific permissions, then you must not request access to these permissions.
Transparent and Accurate Notice and Control
In addition to the requirements under applicable law, you must also adhere to the following requirements:
- You must provide a disclosure of your data access, collection, use, and sharing. The disclosure:
- Must accurately represent the identity of the application or service that seeks access to user data;
- Must provide clear and accurate information explaining the types of data being accessed, requested, and/or collected;
- Must explain how the data will be used and/or shared: if you request data for one reason, but the data will also be utilized for a secondary purpose, you must notify users of both use cases.
- You must provide user help documentation that explains how users can manage and delete their data from your app.
Secure Data Handling
You must handle all user data securely. Take reasonable and appropriate steps to protect all applications or systems that make use of Health Connect against unauthorized or unlawful access, use, destruction, loss, alteration, or disclosure.
Recommended security practices include implementing and maintaining an Information Security Management System such as outlined in ISO/IEC 27001 and ensuring your application or web service is robust and free from common security issues as set out by the OWASP Top 10.
Depending on the API being accessed and number of user grants or users, we will require that your application or service undergo a periodic security assessment and obtain a Letter of Assessment from a designated third party if your product transfers data off the user's own device.For more information on requirements for apps connecting to Health Connect, please see this help article.