Google's Prominent Disclosure Requirement

Google's Prominent Disclosure Requirement became effective as of March 15, 2017. If you do not comply with this requirement, Google may remove your app from the Google Play store.

The Prominent Disclosure Requirement requires that users be informed of any data collected by your app that is not essential to the basic functions of your app. You must also give users the opportunity to refuse that collection.

Here's what you need to know about the Prominent Disclosure Requirement and how to comply with it.

What is the Prominent Disclosure Requirement?

The Prominent Disclosure Requirement is located in the Google Play Policy Center under Personal and Sensitive Information. It applies to any app that collects and transmits sensitive user data for tracking or research purposes rather than app functions.

Requirements of the Prominent Disclosure Requirement

If your app does this, you're required to have an in-app disclosure that meets the following requirements:

• Is displayed during the normal usage of the app, and doesn't require a user to navigate to a separate menu or settings section
• Describes the type of data being collected and how the data is used
• Cannot only be placed within a Privacy Policy or Terms of Service
• Cannot be combined with other disclosures unrelated to user data collection

Additionally, the disclosure must:

• Be clear and unambiguous
• Require affirmative consent, meaning an "I agree" button or checkbox rather than passive acceptance through use alone
• Be presented and have consent secured before data is collected
• Not consider navigating away from the disclosure as consent
• Not use auto-dismiss or expiring messages

Common Violations

Google offers two examples of common violations of this requirement.

First, apps that don't treat the user's personal inventory of installed apps as personal user data and don't comply with the Privacy Policy, Secure Transmission and Prominent Disclosure requirements will be in violation.

Secondly, apps that don't treat a user's phonebook or contact book data as personal user data and don't comply with the Privacy Policy, Secure Transmission and Prominent Disclosure requirements will also be in violation.

Compliance

There are two main elements you'll need to be in compliance with this policy: An in-app disclosure, and affirmative consent.

In-App Disclosure

As soon as a user chooses to install your app, Google Play presents the user with a list of data that the app needs access to. This lets users know that data is being collected.

SnapChat requests a large amount of personal data from users in order to function. When users download this app from Google Play, they are presented with the list of data the app will access.

Apps that request less data can still use this list approach.

Once inside the app, there may be additional permission dialogues. An Android app called Power Clean addresses virus infections and removes excess data so devices become more efficient.

Disclosure of its data requirements starts at installation--just like the apps listed above:

As the app is used, it may request additional permissions. For example, Power Clean notifies users that cleaning up excess notifications requires access to personal data.

If a user refuses during this dialogue but attempts the function again at a later time, the app presents a more detailed notice. Behind the pop-up is a promise not to misuse personal data:

There are other examples when data collection is more evasive. Pollfish does not produce a specific app but it compiles surveys that may be presented through third party apps. These surveys may offer rewards to users who wish to share their opinions.

In this blog example, Pollfish shows how it complies with the Prominent Disclosure requirement. It places the disclosure right within the third party app so users can see it before they agree to take the survey.

The disclosure is difficult to read but it states as follows:

"By accepting to take this survey a specific set of user's device data, including information about the apps the user has installed, is automatically sent to Pollfish servers and associated with answers to the questionnaires, in order for Pollfish to discern whether the user is eligible for a survey and improve targeting of future surveys."

Pollfish makes it clear that users have two options: They can take the survey after reading the prominent disclosure, or click "No Thanks" and avoid data collection.

Affirmative consent

Always obtain affirmative consent. Passive acceptance through merely using an app will not work with these requirements. A user has to read the notice and actively click "Accept" or "OK."

Once again, this begins at installation with Google Play's standard dialog. Notice the big green "Accept" button when installing Bumble, a dating app.

Looking at the dialogue boxes from Power Clean, you'll notice the same approach. Rather than "Accept" the user clicks "OK" which is informal but still indicates affirmative consent.

The takeaway here is that you should give users the active option to consent to or decline your data collection.

Place two separate buttons for each function as you request permission to collect data. This makes it clear whether a user accepts the risks of your data collection.

Best Practices

When the policy regarding prominent disclosure was first implemented, Google sent out emails to developers whose apps likely violated the policy.

Now, Google will most likely just pull your app until you fix the violations.

Sometimes fixing a violation will involve adding code so the correct disclosures alert users.

Most times, it is a matter of adding text at the beginning, such as with Pollfish. If you receive a notice, it will indicate where you violated the policy so you can fix the errors.

If you're in violation of Google's Prominent Disclosure requirement, take the following steps:

• Check your Privacy Policy - Your Privacy Policy should contain provisions regarding the data you collect, how you collect it, why you do so, various uses for it, and any third parties who receive it. This includes information about cookies and other tracking software that analyzes users' habits and patterns.
• Determine whether your data collection is necessary - Sometimes the easiest way to address these issues is to remove the problematic data collection processes if they're not necessary. If you do not need to track the data for either functional or research purposes, stop doing it.
• Present installation dialogue box - If you need to collect this data, see what happens when you decide to install your own app. You may have skipped essential steps when loading your app to the store that prevented the initial notices from engaging. Double-check your app so that users know what data you collect before they install your app.
• Post disclosures - Design a disclosure similar to the examples above and post it in the most obvious places. Have it pop up as the user opens your app and produce dialogues that engage when the user activates functions of your app that collect additional data. If you inform users at every step, Google is less likely to have an issue with your app.

Following the Prominent Disclosure Requirement will keep your app available on Google Play and help you comply better with your own Privacy Policy and any laws affecting it. Since consumers are more savvy about privacy and the use of their personal data, it is likely these types of policies will increase.

Stay informed when Google Play sends you policy updates so you can remain on its platform.