Personal and sensitive user data includes, but isn't limited to, personally identifiable information, financial and payment information, authentication information, phone book contacts, SMS and call-related data, microphone and camera sensor data, and sensitive device or usage data. If your app handles sensitive user data, then you must:
- Limit your collection and use of this data to purposes directly related to providing and improving the features of the app (e.g. user-anticipated functionality that is documented and promoted in the app's description).
- Handle all personal or sensitive user data securely, including transmitting it using modern cryptography (for example, over HTTPS).
Prominent Disclosure Requirement
In cases where users may not expect that their personal or sensitive user data will be required to provide or improve the features of your app, you must meet the following requirements:
Your app must provide an in-app disclosure of your data collection and use. The in-app disclosure:
- Must be within the app itself, not only in the Play listing or a website;
- Must be displayed in the normal usage of the app and not require the user to navigate into a menu or settings;
- Must describe the data being collected;
- Must explain how the data will be used;
Cannot be included with other disclosures unrelated to personal or sensitive data collection.
Your app's in-app disclosure must include a request for user consent. The app's request for consent:
- Must present the consent dialogue in a clear and unambiguous way;
- Must require affirmative user action (e.g. tap to accept, tick a tick-box, a verbal command, etc.) in order to accept;
Must not begin personal or sensitive data collection prior to obtaining affirmative consent;
Must not consider navigation away from the disclosure (including tapping away or pressing the back or home button) as consent; and
Must not utilise auto-dismissing or expiring messages.
Specific Restrictions for Sensitive Data Access
In addition to the requirements above, the table below describes requirements for specific activities.
Your app handles financial or payment information or government identification numbers
Your app must never publicly disclose any personal or sensitive user data related to financial or payment activities or any government identification numbers.
Your app handles non-public phone book or contact information
We don't allow unauthorised publishing or disclosure of people's non-public contacts.
Your app contains anti-virus or security functionality, such as anti-virus, anti-malware or security-related features