Starting in 2024, Android apps that want to be listed on the Google Play Store will need to provide users with greater control over the data they collect. A policy change by Google will now require these apps to allow users to delete their account data whenever they choose, and to entirely remove their account from the app.
Users will be given flexibility under this system: the ability to delete only certain types of data, and web access that allows those who have already deleted an app to exercise their rights without having to reinstall it. Developers will only be able to retain data under certain legitimate security or compliance exceptions, and will have to begin providing users with information on their data deletion practices near the start of December of this year.
Improved access to stored data helps Android apps keep pace with Apple
The new rules apply to Android apps that allow for account creation. If a user creates an account, and then deletes the app, they will have to be granted access to the old account data via a web-based interface that the developer will have to link in their mandatory data safety form.
When a user requests account deletion, all stored account data associated with it must also be removed. Users are not limited to simply wiping out their accounts; they will also be able to select data types (such as activity history or specific file types) to be individually removed from their Android apps. However, the new rules do not appear to apply to apps that collect user data for targeted advertising without requiring the user to create an account or profile.
The new changes are nearly a year off, as Google is attempting to give developers ample time to add functionality that numerous apps do not currently have. App developers will need to have information about account data deletion added to their data safety forms as of December 7 this year, but the actual changes do not need to roll out until early 2024, and developers are able to request an extension for implementation to May 31, 2024 if they require it. Developers may be allowed to retain account data after a deletion request if they can demonstrate a legitimate legal need for it, such as fraud prevention or to comply with government regulations.
Increasing demand for account data privacy prompts changes to mobile ecosystem
Google has not put the same emphasis on privacy that Apple has in recent years, but has clearly felt pressure to keep pace with some of Cupertino’s moves as mobile users become increasingly aware of how their data is being used and the security risks they face. Apple implemented a similar policy for its App Store developers in June 2022, but the current terms do not require that users be able to access account data via a web interface or be able to delete the account from outside of the app.
And while Android apps may be losing the marketing war in terms of privacy messaging, ground has opened up for Google as Apple has had ongoing struggles with actual enforcement of the terms it sets for its developers. Apple faced immediate criticism for excepting its own first-party apps from some of its terms, but independent reviews have also found that it has not always kept pace with third-party developers that illegally use device fingerprinting to get around user consent restrictions (and even with those that simply collect more personal information than they are disclosing).
While some of the pressure is competitive, some also likely comes from the changing winds of the regulatory landscape. A recent Federal Trade Commission (FTC) “Click to Cancel” proposal would require all subscription and membership services to make it easier for users to terminate arrangements, and the agency has made clear that this applies to digital services (and Android apps) as well. The new rules would require ending a membership or subscription to be at least as easy as signing up for it, with the same number of steps for each end of the process. The FTC is currently proposing fines of up to $50,000 per day for violations should the rule go through.
Google is offering an assortment of assistance for developers of Android apps over the rest of the year. It has created a “Data Deletion Help Center” page, set up a series of both local and web-based seminars, and made assistance available in the Google Play Developer Help Community. Though Apple has already established something of a shaky track record while following this path, Ted Miracco (CEO of Approov) notes that this should be regarded as a positive development that will likely prompt a general improvement in mobile privacy and security.
“It is important for companies like Google and Apple to prioritize user privacy and security, and this new policy is a step in the right direction. The new Play Store data deletion policy is a positive development from a mobile security perspective and can help reduce the risk of data breaches by giving users more control over their personal data. In the event of a data breach, the ability to delete specific data and account information can be critical in preventing further damage and protecting sensitive information. With this new policy, users will have more control over their data and will be able to delete it in a more efficient and effective way, which can help reduce the risks associated with a data breach. App developers still need to do more to secure their apps and make sure they cannot be tampered with, and consumers should only install apps from legitimate app marketplaces,” noted Miracco.