EU-U.S. Privacy Shield

User Data Device and Network Abuse Malicious Behavior

User Data

You must be transparent in how you handle user data (e.g., information provided by a user, collected about a user, and collected about a user’s use of the app or device), including by disclosing the collection, use, and sharing of the data, and you must limit use of the data to the description in the disclosure. If your app handles personal or sensitive user data, there are additional requirements described below. This policy establishes Google Play’s minimum privacy requirements; you or your app may need to comply with additional restrictions or procedures if required by an applicable law.

Personal and Sensitive Information

Privacy Policy & Secure Transmission

If your app handles personal or sensitive user data (including personally identifiable information, financial and payment information, authentication information, phonebook or contact data, microphone and camera sensor data, and sensitive device data) then your app must:

Post a privacy policy in both the designated field in the Play Console and from within the Play distributed app itself.
Handle the user data securely, including transmitting it using modern cryptography (for example, over HTTPS).

The privacy policy must, together with any in-app disclosures, comprehensively disclose how your app collects, uses and shares user data, including the types of parties with whom it’s shared.

Prominent Disclosure Requirement

If your app collects and transmits personal or sensitive user data unrelated to functionality described prominently in the app’s listing on Google Play or in the app interface, then prior to the collection and transmission, it must prominently highlight how the user data will be used and have the user provide affirmative consent for such use.

Here are some examples of common violations:

An app that doesn’t treat a user’s inventory of installed apps as personal or sensitive user data and doesn’t comply with the Privacy Policy, Secure Transmission, and Prominent Disclosure requirements.
An app that doesn’t treat a user’s phone or contact book data as personal or sensitive user data and doesn’t comply with the Privacy Policy, Secure Transmission, and Prominent Disclosure requirements.

Privacy Shield

If you access, use, or process personal information made available by Google that directly or indirectly identifies an individual and that originated in the European Union or Switzerland (“EU Personal Information”), then you must:

comply with all applicable privacy, data security, and data protection laws, directives, regulations, and rules;
access, use or process EU Personal Information only for purposes that are consistent with the consent obtained from the individual to whom the EU Personal Information relates;
implement appropriate organizational and technical measures to protect EU Personal Information against loss, misuse, and unauthorized or unlawful access, disclosure, alteration and destruction; and
provide the same level of protection as is required by the Privacy Shield Principles.

You must monitor your compliance with these conditions on a regular basis. If, at any time, you cannot meet these conditions (or if there is a significant risk that you will not be able to meet them), you must immediately notify us by email to data-protection-office@google.com and immediately either stop processing EU Personal Information or take reasonable and appropriate steps to restore an adequate level of protection.

Additional Requirements

In addition to the requirements above, the table below describes requirements for specific activities.

Activity	Requirement
If your app handles financial or payment information or government identification numbers	Then it must never publicly disclose any personal or sensitive user data related to financial or payment activities or any government identification numbers.
If your app handles non-public phonebook or contact information	We don't allow unauthorized publishing or disclosure of people's non-public contacts.
If your app contains anti-virus or security functionality, such as anti-virus, anti-malware, or security-related features	Then it must post a privacy policy that, together with any in-app disclosures, explain what user data your app collects and transmits, how it’s used, and the types of parties with whom it’s shared.

Was this article helpful?

Thank you for your answer!

Device and Network Abuse

We don’t allow apps that interfere with, disrupt, damage, or access in an unauthorized manner the user’s device, other devices or computers, servers, networks, application programming interfaces (APIs), or services, including but not limited to other apps on the device, any Google service, or an authorized carrier’s network.

Apps on Google Play must comply with the default Android system optimization requirements documented in the Core App Quality guidelines for Google Play.

Here are some examples of common violations:

Apps that block or interfere with another app displaying ads.
Game cheating apps that affect the gameplay of other apps.
Apps that facilitate or provide instructions on how to hack services, software or hardware, or circumvent security protections.
Apps that access or use a service or API in a manner that violates its terms of service.
Apps that attempt to bypass system power management that are not eligible for whitelisting.

Was this article helpful?

Thank you for your answer!

User Data

Malicious Behavior

We don’t allow apps that steal data, secretly monitor or harm users, or are otherwise malicious.

An app distributed via Google Play may not modify, replace, or update itself using any method other than Google Play’s update mechanism. Likewise, an app may not download executable code (e.g. dex, JAR, .so files) from a source other than Google Play. This restriction does not apply to code that runs in a virtual machine and has limited access to Android APIs (such as JavaScript in a webview or browser).

The following are explicitly prohibited:

Viruses, trojan horses, malware, spyware or any other malicious software.
Apps that link to or facilitate the distribution or installation of malicious software.
Apps or SDKs that download executable code, such as dex files or native code, from a source other than Google Play.
Apps that introduce or exploit security vulnerabilities.
Apps that steal a user’s authentication information (such as usernames or passwords) or that mimic other apps or websites to trick users into disclosing personal or authentication information.
Apps that install other apps on a device without the user’s prior consent.
Apps designed to secretly collect device usage, such as commercial spyware apps.

Apps that monitor or track a user’s behavior on a device must comply with these requirements:

Apps must not present themselves as a spying or secret surveillance solution.
Apps must not hide or cloak tracking behavior or attempt to mislead users about such functionality.
Present users with a persistent notification and unique icon that clearly identifies the app.
Apps and app listings on Google Play must not provide any means to activate or access functionality that violate these terms, such as linking to a non-compliant APK hosted outside Google Play.
You are solely responsible for determining the legality of your app in its targeted locale. Apps determined to be unlawful in locations where they are published will be removed.

Check out our App Security Improvement Program to find out about the most recent security issues flagged to developers on Google Play. Vulnerability and remediation details are available in each campaign's support page link.

Was this article helpful?

Thank you for your answer!