Less than 30 days remain before app and game developers must comply with the new Google Play user privacy guidelines.

How is this related to GDPR?

When May 2018 hits, the EU’s General Data Protection Regulation (GDPR) will come into effect.

Companies worldwide will have to institute tighter and more considerate personal data policies – or face hefty fines.

The goal of the GDPR is to return personal data control to European nationals. The regulations also aim to simplify how international businesses collect and utilize user information. These new rules significantly impact mobile app and web developers, who have already started preparing for the GDPR by learning about the necessary changes they will have to implement within their practices and processes.

Google leads the way

Google has decided that May is just too far off. Starting this coming February, the Google Play Developer Policy restrictions will be officially amended to include new user privacy requirements. App companies now have less than 30 days to complete and roll out all relevant changes and comply with the tighter security regulations.

As part of Google’s war on unwanted and potentially harmful mobile behavior on Android, its new security enforcement program will have warnings appear on apps or websites that collect users’ private data without first obtaining the users’ explicit consent.

But what constitutes personal data? Any information that can be used to identify or target an individual user, such as phone numbers, emails, location, installed apps and more. But not all information use is taboo: Google can distinguish apps that need personal user data to keep the app up and running from apps that collect the data for unrelated purposes.

Under the new regulations and in line with Google’s October guidelines, apps using data for functional purposes must prompt users with a copy of the app’s privacy policy.

Apps seeking to use data for other purposes need to give users an explanation of how the data will be used and obtain informed consent.

Not only do these data collection requirements apply to all functions of the app, they also apply to any 3rd party SDKs (Software Development Kits) that may be integrated within it. This is because, under the new regulations, app owners and publishers are liable for any personal data misconduct related to their product, even if they do not really own the code responsible for it.


But what about the SDKs?  

Spoiler: You hold full responsibility.

Ensuring that every SDK linked to your app is Google Developer Policy or GDPR compliant can be daunting.

Yet, according to a recent SafeDK study, 67% of apps have at least one SDK accessing users’ personal data. Over 50% of apps use a minimum of one SDK that accesses users’ locations. And 40% of apps have SDKs that tap into the list of installed apps on users’ mobile devices.

With these statistics in mind, making sure that app users are advised regarding any information the SDKs are trying to access becomes increasingly critical, regardless of how the information is obtained. App publishers need to learn what information their SDKs are collecting and how they can modify current practices to comply with the new requirements in a very short period of time.

The following shows the percentage of apps that have at least one SDK accessing each of the following types of user information:

Source: SafeDK Mobile SDK Market Trend Report

Crime and punishment

So, what will become of the mobile app world in 30 days’ time? How will Google’s new requirements affect app development, publishing and use once they come into effect? Google is expected to present warnings on user devices and on webpages that lead to mobile apps. This will ensure that users are protected from installing potentially harmful or breached apps.

As an app publisher, you do not want your users to be warned against downloading or using your app because your privacy practices are not up to par.

That’s why you’ll take the necessary measures to ensure your app is GDPR AND Google Policy ready.

While the GDPR will only be binding come May, Google’s new Developer Policy restrictions are coming into effect much sooner – in less than 30 days. App owners and developers must quickly make all the necessary adjustments to their technology and practices, to ensure that their apps comply with these new regulations.

What needs to be done?

My advice is to tackle this by taking 3 important steps:

  1. Adapt your app EULA and UX ASAP, to comply with the new Google Play requirements.
  2. Run a quick investigation of the SDKs that are implemented in your app.
  3. Implement a real-time SDK management solution to help you get real-time alerts and shut off SDKs instantly, with no version update, if needed.