Developer Program Policy: November 16, 2022 announcement

We're updating the following policies. All new and existing apps will receive a grace period of at least 30 days from November 16, 2022 (unless otherwise stated) to comply with the following changes.

 

Effective January 31, 2023

Financial Services

High APR personal loans

In the United States, we do not allow apps for personal loans where the Annual Percentage Rate (APR) is 36% or higher. Apps for personal loans in the United States must display their maximum APR, calculated consistently with the Truth in Lending Act (TILA).

This policy applies to apps which offer loans directly, lead generators, and those who connect consumers with third-party lenders.

Additional requirements for personal loan apps in India, Indonesia, the Philippines, Nigeria, and Kenya.

Personal loan apps in India, Indonesia, the Philippines, Nigeria, and Kenya must complete the additional proof of eligibility requirements below. 

  1. India
    • Complete the Personal Loan App Declaration for India, and provide necessary documentation to support your declaration. For example:
      • If you are licensed by the Reserve Bank of India (RBI) to provide personal loans, you must submit a copy of your license for our review.
      • If you are not directly engaged in money lending activities and are only providing a platform to facilitate money lending by registered Non-Banking Financial Companies (NBFCs) or banks to users, you will need to accurately reflect this in the declaration.
        • In addition, the names of all registered NBFCs and banks must be prominently disclosed in your app’s description.
    • Ensure that the developer account name matches the name of the associated registered business name provided through your declaration.
  2. Indonesia
    • Complete the Personal Loan App Declaration for Indonesia, and provide necessary documentation to support your declaration. For example:
      • If your app is engaged in the activity of Information Technology-Based Money Lending Services in accordance with OJK Regulation No. 77/POJK.01/2016 (as may be amended from time to time), you must submit a copy of your valid license for our review.
    • Ensure that the developer account name matches the name of the associated registered business name provided through your declaration.
  3. Philippines
    • Complete the Personal Loan App Declaration for the Philippines, and provide necessary documentation to support your declaration.
      • All financing and lending companies offering loans via Online Lending Platforms (OLP) must obtain a SEC Registration Number and the Certificate of Authority (CA) Number from the Philippines Securities and Exchanges Commission (PSEC).
        • In addition, you must disclose your Corporate Name, Business Name, PSEC Registration Number, and Certificate of Authority to Operate a Financing/Lending Company (CA) in your app’s description.
      • Apps engaged in lending-based crowdfunding activities, such as peer-to-peer (P2P) lending, or as defined under the Rules and Regulations Governing Crowdfunding (CF Rules), must process transactions through PSEC-Registered CF Intermediaries.
  4. Nigeria
    • Complete the Personal Loan App Declaration for Nigeria, and provide necessary documentation to support your declaration.
      • Digital Money Lenders (DML) must adhere to and complete the LIMITED INTERIM REGULATORY/ REGISTRATION FRAMEWORK AND GUIDELINES FOR DIGITAL LENDING, 2022 (as may be amended from time to time) by the Federal Competition and Consumer Protection Commission (FCCPC) of Nigeria and obtain a verifiable approval letter from the FCCPC.
      • Loan Aggregators must provide documentation and/or certification for digital lending services and contact details for every partnered DML.
      • You must, upon Google Play's request, provide additional information or documents relating to your compliance with the applicable regulatory and licensing requirements.
  5. Kenya
    • Complete the Personal Loan App Declaration for Kenya, and provide the necessary documentation to support your declaration.
      • Digital Credit Providers (DCP) should complete the DCP registration process and obtain a license from the Central Bank of Kenya (CBK). You must provide a copy of your license from the CBK as part of your declaration.
      • If you are not directly engaged in money lending activities and are only providing a platform to facilitate money lending by registered DCP(s) to users, you will need to accurately reflect this in the declaration and provide a copy of the DCP license of your respective partner(s).
      • Currently, we only accept declarations and licenses from entities published under the Directory of Digital Credit Providers on the official website of the CBK.

 

Effective May 31, 2023

Google Play Families Policies

The use of technology as a tool for enriching families' lives continues to grow, and parents are looking for safe, high-quality content to share with their children. You may be designing your apps specifically for children or your app may just attract their attention. Google Play wants to help you make sure your app is safe for all users, including families.

The word "children" can mean different things in different locales and in different contexts. It is important that you consult with your legal counsel to help determine what obligations and/or age-based restrictions may apply to your app. You know best how your app works so we are relying on you to help us make sure apps on Google Play are safe for families.

All apps that comply with Google Play Families policies can opt in to be rated for the Teacher Approved program, but we cannot guarantee that your app will be included in the Teacher Approved program. 

Families Policy Requirements

If one of the target audiences for your app is children, you must comply with the following requirements. Failure to satisfy these requirements may result in app removal or suspension.

  1. App content: Your app's content that is accessible to children must be appropriate for children. If your app contains content that is not globally appropriate, but that content is deemed appropriate for child users in a particular region, the app may be available in that region (limited regions) but will remain unavailable in other regions.
  2. App functionality: Your app must not merely provide a webview of a website or have a primary purpose of driving affiliate traffic to a website, regardless of ownership of the website. 
    • We are constantly exploring ways to enable new experiences for kids app developers. If you are interested in joining our Trusted Web App pilot for education apps, please submit your interest here.
  3. Play Console answers: You must accurately answer the questions in the Play Console regarding your app and update those answers to accurately reflect any changes to your app. This includes, but is not limited to, providing accurate responses about your app in the Target Audience and Content section, Data safety section, and IARC Content Rating Questionnaire.
  4. Data practices: You must disclose the collection of any personal and sensitive information from children in your app, including through APIs and SDKs called or used in your app. Sensitive information from children includes, but is not limited to, authentication information, microphone and camera sensor data, device data, Android ID, and ad usage data. You must also ensure that your app follows the data practices below:
    • Apps that solely target children must not transmit Android advertising identifier (AAID), SIM Serial, Build Serial, BSSID, MAC, SSID, IMEI, and/or IMSI.
      • Apps solely targeted to children should not request AD_ID permission when targeting Android API 33 or higher.
    • Apps that target both children and older audiences must not transmit AAID, SIM Serial, Build Serial, BSSID, MAC, SSID, IMEI, and/or IMSI from children or users of unknown age.
    • Device phone number must not be requested from TelephonyManager of the Android API.
    • Apps that solely target children may not request location permission, or collect, use, and transmit precise location.
    • Apps must use the Companion Device Manager (CDM) when requesting Bluetooth, unless your app is only targeting device Operating System (OS) versions that are not compatible with CDM.
  5. APIs and SDKs: You must ensure that your app properly implements any APIs and SDKs.
    • Apps that solely target children must not contain any APIs or SDKs that are not approved for use in primarily child-directed services. This includes Google Sign-In (or any other Google API Service that accesses data associated with a Google Account), Google Play Games Services, and any other API Service using OAuth technology for authentication and authorization.
    • Apps that target both children and older audiences must not implement APIs or SDKs that are not approved for use in child-directed services unless they are used behind a neutral age screen or implemented in a way that does not result in the collection of data from children. Apps that target both children and older audiences must not require users to sign-in or access app content through an API or SDK that is not approved for use in child-directed services. 
  6. Augmented Reality (AR): If your app uses Augmented Reality, you must include a safety warning immediately upon launch of the AR section. The warning should contain the following:
    • An appropriate message about the importance of parental supervision.
    • A reminder to be aware of physical hazards in the real world (for example, be aware of your surroundings).
    • Your app must not require the usage of a device that is advised not to be used by children (for example, Daydream, Oculus).
  7. Social Apps & Features: If your app allows users to share or exchange information, you must accurately disclose these features in the content rating questionnaire on the Play Console.
    • Social Apps: A social app is an app where the main focus is to enable users to share freeform content or communicate with large groups of people. All social apps that include children in their target audience must provide an in-app reminder to be safe online and to be aware of the real world risk of online interaction before allowing child users to exchange freeform media or information. You must also require adult action before allowing child users to exchange personal information.
    • Social Features: A social feature is any additional app functionality that enables users to share freeform content or communicate with large groups of people. Any app that includes children in its target audience and has social features must provide an in-app reminder to be safe online and to be aware of the real world risk of online interaction before allowing child users to exchange freeform media or information. You must also provide a method for adults to manage social features for child users, including, but not limited to, enabling/disabling the social feature or selecting different levels of functionality. Finally, you must require adult action before enabling features that allow children to exchange personal information.
    • Adult action means a mechanism to verify that the user is not a child and does not encourage children to falsify their age to gain access to areas of your app that are designed for adults (i.e., an adult PIN, password, birthdate, email verification, photo ID, credit card, or SSN).
    • Social apps where the main focus of the app is to chat with people they do not know must not target children. Examples include: chat roulette style apps, dating apps, kids-focused open chat rooms, etc.
  8. Legal compliance: You must ensure that your app, including any APIs or SDKs that your app calls or uses, is compliant with the U.S. Children's Online Privacy and Protection Act (COPPA), E.U. General Data Protection Regulation (GDPR), and any other applicable laws or regulations.

Here are some examples of common violations:

  • Apps that promote play for children in their store-listing but the app content is only appropriate for adults.
  • Apps that implement APIs with terms of service that prohibit their use in child-directed apps.
  • Apps that glamorize the use of alcohol, tobacco or controlled substances.
  • Apps that include real or simulated gambling.
  • Apps that include violence, gore, or shocking content not appropriate for children.
  • Apps that provide dating services or offer sexual or marital advice.
  • Apps that contain links to websites that present content that violates Google Play’s Developer Program policies.
  • Apps that show mature ads (for example, violent content, sexual content, gambling content) to children. 

Ads and Monetization

If you’re monetizing an app that targets children on Google Play, it’s important that your app follows the following Families Ads and Monetization Policy Requirements.

The policies below apply to all monetization and advertising in your app, including ads, cross-promotions (for your apps and third party apps), offers for in-app purchases, or any other commercial content (such as paid product placement). All monetization and advertising in these apps must comply with all applicable laws and regulations (including any relevant self-regulatory or industry guidelines).

Google Play reserves the right to reject, remove or suspend apps for overly aggressive commercial tactics.

Ads requirements

 If your app displays ads to children or to users of unknown age, you must:

  • Only use Google Play Families Self-Certified Ads SDKs to display ads to those users;
  • Ensure ads displayed to those users do not involve interest-based advertising (advertising targeted at individual users who have certain characteristics based on their online browsing behavior) or remarketing (advertising targeted at individual users based on previous interaction with an app or website); 
  • Ensure ads displayed to those users present content that is appropriate for children;
  • Ensure ads displayed to those users follow the Families ad format requirements; and
  • Ensure compliance with all applicable legal regulations and industry standards relating to advertising to children.

Ads Format requirements

Monetization and advertising in your app must not have deceptive content or be designed in a way that will result in inadvertent clicks from child users.  

If the sole target audience for your app is children, the following are prohibited. If the target audiences of your app are children and older audiences, the following are prohibited when serving ads to children or users of unknown age:

  • Disruptive monetization and advertising, including monetization and advertising that take up the entire screen or interfere with normal use and do not provide a clear means to dismiss the ad (for example, Ad walls).
  • Monetization and advertising that interfere with normal app use or game play, including rewarded or opt-in ads, that are not closeable after 5 seconds.
  • Monetization and advertising that do not interfere with normal app use or game play may persist for more than 5 seconds (for example, video content with integrated ads).  
  • Interstitial monetization and advertising displayed immediately upon app launch.
  • Multiple ad placements on a page (for example, banner ads that show multiple offers in one placement or displaying more than one banner or video ad is not allowed).
  • Monetization and advertising that are not clearly distinguishable from your app content.
  • Use of shocking or emotionally manipulative tactics to encourage ads viewing or in-app purchases.
  • Not providing a distinction between the use of virtual game coins versus real-life money to make in-app purchases.

In-app purchases

Google Play will re-authenticate all users prior to any in-app purchases in apps solely targeted to children. This measure is to help ensure that the financially responsible party, and not children, are approving purchases.

Ads SDKs

If you serve ads in your app and your target audience only includes children, then you must use only Families self-certified ads SDK versions. If the target audience for your app includes both children and older users, you must implement age screening measures, such as a neutral age screen, and make sure that ads shown to children come exclusively from Google Play self-certified ads SDK versions. 

Please refer to the Families Self-Certified Ads SDK Program policy page for more details on these requirements and refer here to see the current list of Families Self-Certified ads SDK versions.

If you use AdMob, refer to the AdMob Help Center for more details on their products.

It is your responsibility to ensure your app satisfies all requirements concerning advertisements, in-app purchases, and commercial content. Contact your ads SDK provider(s) to learn more about their content policies and advertising practices.


Families Self-Certified Ads SDK Policy

Google Play is committed to building a safe experience for children and families. A key part of this is to help ensure children only see ads that are appropriate for their age and that their data is handled appropriately. To achieve this goal, we require ads SDKs and mediation platforms to self-certify that they are appropriate for children and compliant with Google Play Developer Program Policies and Google Play Families Policies, including Families Self-Certified Ads SDK Program Requirements.

The Google Play Families Self-Certified Ads SDK Program is an important way for developers to identify which ads SDKs or mediation platforms have self-certified that they are appropriate for use in apps designed specifically for children. 

Misrepresentation of any information about your SDK, including in your interest form application, may result in removal or suspension of your SDK from the Families Self-Certified Ads SDK Program, so it is important to provide accurate information.

Policy requirements

If your SDK or mediation platform serves apps that are part of the Google Play Families Program, you must comply with all Google Play Developer Policies, including the following requirements. Failure to satisfy any policy requirements may result in removal or suspension from the Families Self-Certified Ads SDK Program. 

It is your responsibility to ensure that your SDK or mediation platform is compliant, so please be sure to review Google Play Developer Program Policies, Google Play Families Policies, and Families Self-Certified Ads SDK Program Requirements.

  1. Ad content: Your ad content that is accessible to children must be appropriate for children.
    • You must (i) define objectionable ad content and behaviors and (ii) prohibit them in your terms or policies. The definitions should comply with Google Play Developer Program Policies.
    • You must also create a method to rate your ad creatives according to age appropriate groups. Age appropriate groups must at least include groups for Everyone and Mature. The rating methodology must align with the methodology that Google supplies to SDKs once they have filled out the interest form.
    • You must ensure that when real-time bidding is used to serve ads to children, the creatives have been reviewed and comply with the above requirements. 
    • In addition, you must have a mechanism to visually identify creatives coming from your inventory (for example, watermarking the ad creative with a visual logo of your company or similar functionality). 
  2. Ad format: You must ensure that all ads displayed to child users follow the Families ad format requirements, and you must allow developers to select ad formats that are compliant with Google Play Families Policy.
    • Advertising must not have deceptive content or be designed in a way that will result in inadvertent clicks from child users. 
    • Disruptive advertising, including advertising that takes up the entire screen or interferes with normal use and does not provide a clear means to dismiss the ad (for example, Ad walls), is not allowed.
    • Advertising that interferes with normal app use or game play, including rewarded or opt-in ads, must be closeable after 5 seconds.
    • Multiple ad placements on a page are not allowed. For example, banner ads that show multiple offers in one placement or displaying more than one banner or video ad is not allowed.
    • Advertising must be clearly distinguishable from app content.
    • Advertising must not use shocking or emotionally manipulative tactics to encourage ads viewing.
  3. IBA/Remarketing: You must ensure that ads displayed to child users do not involve interest-based advertising (advertising targeted at individual users who have certain characteristics based on their online browsing behavior) or remarketing (advertising targeted at individual users based on previous interaction with an app or website). 
  4. Data practices: You, the SDK provider, must be transparent in how you handle user data (for example, information collected from or about a user, including device information). That means disclosing your SDK’s access, collection, use, and sharing of the data, and limiting the use of the data to the purposes disclosed. These Google Play requirements are in addition to any requirements prescribed by applicable privacy and data protection laws. You must disclose the collection of any personal and sensitive information from children including, but not limited to, authentication information, microphone and camera sensor data, device data, Android ID, and ad usage data. 
    • You must allow developers, on a per-request or per-app basis, to request child-directed treatment for ad serving. Such treatment must be in compliance with applicable laws and regulations, such as the US Children's Online Privacy and Protection Act (COPPA) and the EU General Data Protection Regulation (GDPR).
      • Google Play requires ads SDKs to disable personalized ads, interest based advertising, and remarketing as part of the child-directed treatment.
    • You must ensure that when real-time bidding is used to serve ads to children, the privacy indicators are propagated to the bidders.
    • You must not transmit AAID, SIM Serial, Build Serial, BSSID, MAC, SSID, IMEI, and/or IMSI from children or users of unknown age.
  5. Mediation Platforms: When serving ads to children, you must: 
    • Only use Families Self-Certified Ads SDKs or implement safeguards necessary to ensure that all ads served from mediation comply with these requirements; and
    • Pass information necessary to mediation platforms to indicate the ad content rating and any applicable child-directed treatment.
  6. Self-Certification and Compliance: You must provide Google with sufficient information, such as information indicated in the interest form, to verify the ads SDK's policy compliance with all self-certification requirements including, but not limited to:  
    • Providing an English language version of your SDK or Mediation Platform’s Terms of Service, Privacy Policy, and Publisher Integration Guide
    • Submitting a sample test app which uses the latest compliant version of the ads SDK. The sample test app should be a fully built and executable Android APK that utilizes all the features of the SDK. Test app requirements:
      • Must be submitted as a fully-built and executable Android APK meant to run on a phone form factor. 
      • Must use the latest released, or soon to be released version of the ads SDK that adheres to Google Play policies.
      • Must use all of the features of your ads SDK including calling your ads SDK to retrieve and display ads. 
      • Must have full access to all live/serving ad inventories on the network via creatives requested through the test app.
      • Must not be restricted by geolocation.
      • If your inventory is for a mixed audience, your test app must be capable of differentiating between requests for ad creatives from full inventory and the inventory suitable for kids or all age groups.  
      • Must not be restricted to specific ads within the inventory unless it is controlled by the neutral age screen.           
  7. You must respond in a timely manner to any subsequent requests for information and self-certify that all new version releases are compliant with the latest Google Play Developer Program Policies, including Families Policy Requirements. 
  8. Legal compliance: Families Self-Certified Ads SDKs must support ad serving that complies with all relevant statutes and regulations concerning children that may apply to their publishers.
    • You must ensure that your SDK or mediation platform is compliant with the U.S. Children's Online Privacy and Protection Act (COPPA), E.U. General Data Protection Regulation (GDPR), and any other applicable laws or regulations. 

      Note: The word "children" can mean different things in different locales and in different contexts. It is important that you consult with your legal counsel to help determine what obligations and/or age-based restrictions may apply to your app. You know best how your app works so we are relying on you to help us make sure apps on Google Play are safe for families.

Please refer to the Families Self-Certified Ads SDK Program page for more details on Program requirements. 


Families Self-Certified Ads SDK Program

If you serve ads in your app, and the target audience for your app only includes children as described in the Families Policy, then you must only use ads SDK versions that have self-certified compliance with Google Play policies, including the Families Self-Certified Ads SDK requirements below.

If the target audience for your app includes both children and older users, you must make sure that ads shown to children come exclusively from one of these self-certified ads SDK versions (for example, through use of neutral age screening measures).

Note that it is your responsibility to ensure that all SDK versions you implement in your app, including Self-Certified Ads SDK versions, are compliant with all applicable policies, local laws, and regulations. Google does not provide any representations or guarantees as to the accuracy of the information the ads SDKs provide during the self-certification process.

The use of Families self-certified ads SDKs is only required if you are using ads SDKs to serve ads to children. The following are permitted without an ads SDK's self-certification with Google Play, however, you are still responsible for ensuring your ad content and data collection practices are compliant with Google Play's User Data Policy and Families Policy:

  • In-House Advertising whereby you use SDKs to manage cross promotion of your apps or other owned media and merchandising.
  • Entering into direct deals with advertisers whereby you use SDKs for inventory management.

Families Self-Certified Ads SDK Requirements

  • Define what are objectionable ad content and behaviors and prohibit them in the ads SDK's terms or policies. The definitions should comply with Google Play Developer Program Policies.
  • Create a method to rate your ad creatives according to age appropriate groups. Age appropriate groups must at least include groups for Everyone and Mature. The rating methodology must align with the methodology that Google supplies to SDKs once they have filled out the interest form below.
  • Allow publishers, on a per-request or per-app basis, to request child-directed treatment for ad serving. Such treatment must be in compliance with applicable laws and regulations, such as the US Children's Online Privacy and Protection Act (COPPA) and the EU General Data Protection Regulation (GDPR). Google Play requires ads SDKs to disable personalized ads, interest based advertising, and remarketing as part of the child-directed treatment.
  • Allow publishers to select ad formats that are compliant with Google Play's Families Ads and Monetization policy, and meet the requirement of the Teacher Approved program.
  • Ensure that when real-time bidding is used to serve ads to children, the creatives have been reviewed and privacy indicators are propagated to the bidders.
  • Provide Google with sufficient information, such as submitting a test app and the information indicated in the interest form below, to verify the ads SDK's policy compliance with all self-certification requirements, and respond in a timely manner to any subsequent requests for information, such as submitting new version releases to verify the ads SDK version’s compliance with all self-certification requirements.
  • Self-certify that all new version releases are compliant with the latest Google Play Developer Program Policies, including Families Policy Requirements.

Note: Families Self-Certified Ads SDKs must support ad serving that complies with all relevant statutes and regulations concerning children that may apply to their publishers.

More information on watermarking ad creatives and providing a test app can be found here.

Here are mediation requirements for serving platforms when serving ads to children:

  • Only use Families Self-Certified Ads SDKs or implement safeguards necessary to ensure that all ads served from mediation comply with these requirements; and
  • Pass information necessary to mediation platforms to indicate the ad content rating and any applicable child-directed treatment.

Developers can find a list of Families Self-Certified Ads SDKs and can check which specific versions of those ads SDKs are self-certified for use in Families apps here.

Also, developers can share this interest form with ads SDKs who wish to self-certify.


 

Effective January 31, 2023

Ads

Deceptive Ads

Ads must not simulate or impersonate the user interface of any app feature, such as notifications or warning elements of an operating system. It must be clear to the user which app is serving each ad.

  • Ads that mimic an app's UI:

    ① The question mark icon in this app is an ad that takes the user to an external landing page.

  • Ads that mimic a system notification:

    ① ② The examples above illustrate ads mimicking various system notifications.


    ① The example above illustrates a feature section that mimics other features but only leads the user to an ad or ads.

 

In addition to the above changes, we’re making the following clarifications that are effective immediately:

User Data

You must be transparent in how you handle user data (for example, information collected from or about a user, including device information). That means disclosing the access, collection, use, handling, and sharing of user data from your app, and limiting the use of the data to the policy compliant purposes disclosed. Please be aware that any handling of personal and sensitive user data is also subject to additional requirements in the "Personal and Sensitive User Data" section below. These Google Play requirements are in addition to any requirements prescribed by applicable privacy and data protection laws.

If you include third party code (for example, an SDK) in your app, you must ensure that the third party code used in your app, and that third party’s practices with respect to user data from your app, are compliant with Google Play Developer Program policies, which include use and disclosure requirements. For example, you must ensure that your SDK providers do not sell personal and sensitive user data from your app. This requirement applies regardless of whether user data is transferred after being sent to a server, or by embedding third-party code in your app.

Personal and Sensitive User Data

Personal and sensitive user data includes, but isn't limited to, personally identifiable information, financial and payment information, authentication information, phonebook, contacts, device location, SMS and call related data, health data, Health Connect data, inventory of other apps on the device, microphone, camera, and other sensitive device or usage data. If your app handles personal and sensitive user data, then you must:

  • Limit the access, collection, use, and sharing of personal and sensitive user data acquired through the app to app and service functionality and policy conforming purposes reasonably expected by the user:
    • Apps that extend usage of personal and sensitive user data for serving advertising must comply with Google Play’s Ads Policy.
    • You may also transfer data as necessary to service providers or for legal reasons such as to comply with a valid governmental request, applicable law, or as part of a merger or acquisition with legally adequate notice to users.
  • Handle all personal and sensitive user data securely, including transmitting it using modern cryptography (for example, over HTTPS).
  • Use a runtime permissions request whenever available, prior to accessing data gated by Android permissions.
  • Not sell personal and sensitive user data.
    • "Sale" means the exchange or transfer of personal and sensitive user data to a third party for monetary consideration.
      • User-initiated transfer of personal and sensitive user data (for example, when the user is using a feature of the app to transfer a file to a third party, or when the user chooses to use a dedicated purpose research study app), is not regarded as sale.

Prominent Disclosure & Consent Requirement

In cases where your app’s access, collection, use, or sharing of personal and sensitive user data may not be within the reasonable expectation of the user of the product or feature in question (for example, if data collection occurs in the background when the user is not engaging with your app), you must meet the following requirements:

Prominent disclosure: You must provide an in-app disclosure of your data access, collection, use, and sharing. The in-app disclosure:

  • Must be within the app itself, not only in the app description or on a website;
  • Must be displayed in the normal usage of the app and not require the user to navigate into a menu or settings;
  • Must describe the data being accessed or collected;
  • Must explain how the data will be used and/or shared;
  • Cannot only be placed in a privacy policy or terms of service; and
  • Cannot be included with other disclosures unrelated to personal and sensitive user data collection.

Consent and runtime permissions: Requests for in-app user consent and runtime permission requests must be immediately preceded by an in-app disclosure that meets the requirement of this policy. The app's request for consent:

  • Must present the consent dialog clearly and unambiguously;
  • Must require affirmative user action (for example, tap to accept, tick a check-box);
  • Must not interpret navigation away from the disclosure (including tapping away or pressing the back or home button) as consent;
  • Must not use auto-dismissing or expiring messages as a means of obtaining user consent; and
  • Must be granted by the user before your app can begin to collect or access the personal and sensitive user data.

Apps that rely on other legal bases to process personal and sensitive user data without consent, such as a legitimate interest under the EU GDPR, must comply with all applicable legal requirements and provide appropriate disclosures to the users, including in-app disclosures as required under this policy.

To meet policy requirements, it’s recommended that you reference the following example format for Prominent Disclosure when it’s required:

  • “[This app] collects/transmits/syncs/stores [type of data] to enable ["feature"], [in what scenario].”
  • Example: “Fitness Funds collects location data to enable fitness tracking even when the app is closed or not in use and is also used to support advertising.” 
  • Example: “Call buddy collects read and write call log data to enable contact organization even when the app is not in use.”

If your app integrates third party code (for example, an SDK) that is designed to collect personal and sensitive user data by default, you must, within 2 weeks of receipt of a request from Google Play (or, if Google Play’s request provides for a longer time period, within that time period), provide sufficient evidence demonstrating that your app meets the Prominent Disclosure and Consent requirements of this policy, including with regard to the data access, collection, use, or sharing via the third party code.

Here are some examples of common violations:

  • An app collects device location but does not have a prominent disclosure explaining which feature uses this data and/or indicates the app’s usage in the background.
  • An app has a runtime permission requesting access to data before the prominent disclosure which specifies what the data is used for.
  • An app that accesses a user's inventory of installed apps and doesn't treat this data as personal or sensitive data subject to the above Privacy Policy, data handling, and Prominent Disclosure and Consent requirements.
  • An app that accesses a user's phone or contact book data and doesn't treat this data as personal or sensitive data subject to the above Privacy Policy, data handling, and Prominent Disclosure and Consent requirements.
  • An app that records a user’s screen and doesn't treat this data as personal or sensitive data subject to this policy.
  • An app that collects device location and does not comprehensively disclose its use and obtain consent in accordance with the above requirements.
  • An app that uses restricted permissions in the background of the app including for tracking, research, or marketing purposes and does not comprehensively disclose its use and obtain consent in accordance with the above requirements. 
  • An app with an SDK that collects personal and sensitive user data and doesn’t treat this data as subject to this User Data Policy, access, data handling (including disallowed sale), and prominent disclosure and consent requirements.

Refer to this article for more information on the Prominent Disclosure and Consent requirement.


Permissions and APIs that Access Sensitive Information

Requests for permission and APIs that access sensitive information should make sense to users. You may only request permissions and APIs that access sensitive information that are necessary to implement current features or services in your app that are promoted in your Google Play listing. You may not use permissions or APIs that access sensitive information that give access to user or device data for undisclosed, unimplemented, or disallowed features or purposes. Personal or sensitive data accessed through permissions or APIs that access sensitive information may never be sold nor shared for a purpose facilitating sale.

Request permissions and APIs that access sensitive information to access data in context (via incremental requests), so that users understand why your app is requesting the permission. Use the data only for purposes that the user has consented to. If you later wish to use the data for other purposes, you must ask users and make sure they affirmatively agree to the additional uses.

Restricted Permissions

In addition to the above, restricted permissions are permissions that are designated as Dangerous, Special, Signature, or as documented below. These permissions are subject to the following additional requirements and restrictions:

  • User or device data accessed through Restricted Permissions is considered as personal and sensitive user data. The requirements of the User Data policy apply.
  • Respect users’ decisions if they decline a request for a Restricted Permission, and users may not be manipulated or forced into consenting to any non-critical permission. You must make a reasonable effort to accommodate users who do not grant access to sensitive permissions (for example, allowing a user to manually enter a phone number if they’ve restricted access to Call Logs).
  • Use of permissions in violation of Google Play malware policies (including Elevated Privilege Abuse) is expressly prohibited.

Certain Restricted Permissions may be subject to additional requirements as detailed below. The objective of these restrictions is to safeguard user privacy. We may make limited exceptions to the requirements below in very rare cases where apps provide a highly compelling or critical feature and where there is no alternative method available to provide the feature. We evaluate proposed exceptions against the potential privacy or security impacts on users.
