Following Apple’s recent rollout of privacy labels, Google has announced a similar initiative that will appear on the Play Store sometime before mid-2022. As with Apple’s program, the privacy labels are meant to give end users a quick reference to the range of data that Android apps are asking for.
In addition to informing users about what apps are requesting from the device, Google says the privacy labels will also give users insight into how their data is being used once it reaches the app developer’s server.
Android apps make an initial move toward parity with Apple privacy policies
Apple has rolled out a series of major privacy changes with iOS 14, renewing its focus on being the user-focused “premium” brand in the mobile market. Google is poorly positioned to keep up with these changes, particularly those that impact targeted advertising, but privacy labels are at least one area where it will be meeting Apple in the field.
Similar to the ones now seen on the Apple App Store, Google’s proposed privacy labels for Android apps will have something of a “nutrition facts” format meant to provide useful information about personal data at a glance. A blog post from Google did not provide an example of the expected layout, but did list items that would be included on the privacy labels: types of data collected and stored, how the app uses data, whether or not the data it is requesting is necessary for its function, what security measures it has (such as encryption), and whether or not the app’s security has been tested and verified by a third party. Google will also indicate whether or not the app is following its various policies for developers, for example the “Families policy” that creates special rules for apps aimed at children.
While Google is not indicating that Android apps will have to provide users with the ability to opt out of ad tracking upon installation, it does say that if an app collects data not necessary for its function then users should be able to opt out of sharing it. Google will also require Android app developers to give users the ability to delete stored data when they uninstall an app.
Google says that developers will be expected to provide accurate information voluntarily. If they are found to have misrepresented this information they will be subject to “policy enforcement,” though the initial blog post does not go into detail as to what this enforcement will look like.
The privacy labels will not be mandatory for Android apps until Q2 2022, but Google has laid out a timeline leading up to the launch that will allow developers to start voluntarily declaring information for the labels as early as Q4 of this year. End users may be able to see voluntarily declared labels as early as Q1 2022, in a new “Safety” section of the Play Store. A more detailed policy, presumably including enforcement terms, is scheduled to be available to developers in Q3 of this year.
Privacy labels provide some significant benefits to end users
The details that are currently available about Google’s new system indicate that the privacy labels for Android apps will not be quite as thorough and informative as the ones now required of Apple app developers, but they will bring some level of improvement to the Android ecosystem’s end users.
The privacy labels fall short of Apple’s current standard for app developers in that they do not get quite as specific as to what data is being collected, focusing more on assuring the end user that the source collecting the data is secure and trustworthy. Google seems to be relying on third-party verification of security practices and its various policies for app developers to provide that assurance.
The difference in approach no doubt has much to do with Google’s different business model, but also may have been informed by the search giant’s experience applying the mandatory Apple privacy labels to its own apps available on iOS. In the months following Apple’s new requirements for app developers, Google let updates for certain apps lapse for months rather than provide a privacy label. The eventual labels that emerged for certain apps, such as the one for Chrome, presented users with a worryingly long list of data and permissions.
Google’s timeline gives it some months yet to refine its approach before app developers are presented with the new policy. Given that its business model centers on data collection, it seems unlikely that the final form will include comprehensive lists of permissions requested. More generalized categories of data accessed would also be a reasonable expectation. There are positive changes in store for users of Android apps should Google keep its word, however, most notably the ability to require app developers to delete stored data when apps are removed. Of course, it also remains to be seen to what degree Google will hold itself to its own policies for Android apps; this is an area in which Apple has been criticized by app developers as well.
Jonathan Knudsen, Senior Security Strategist at Synopsys Software Integrity Group, also questions exactly how effective Google’s detection and enforcement measures will be: “Running an app store is incredibly difficult. At its root, the problem is to make sure apps do what they claim to do, and don’t do anything bad. But defining ‘bad’ is hard, and figuring out what apps really do is very hard indeed. Google’s upcoming addition of privacy information to the Play Store is a step in the right direction, but the challenge will be enforcement. If an app saves more user data than claimed, such a violation will be difficult to detect without manual inspection.”