Skip to main content

Google/Android Announces Privacy Requirements

By and May 12, 2021Insights

Google announced that it will follow industry standards with respect to privacy obligations.  All developers with apps on Google Play will be required to disclose the type of data collected and stored and how such data is used by Q2 of 2022. These are in addition to other elements, such as security practices, data deletion upon uninstallation of app, etc.

Violators, according to Google, will be required to fix identified violations; failure to do so could result in policy enforcement.

What does this mean?

Google appears to be taking a similar approach as Apple, meaning that organizations must be prepared to comply with a new set of privacy requirements (in addition to Virginia’s privacy law and CCPA 2.0/CPRA). Failure to accurately disclose privacy requirements, outside of being subject to Android’s policy enforcement, can also potentially bring about some legal implications for organizations as well.

For example, organizations will now have three methods of privacy disclosures:

  1. privacy policies,
  2. iOS nutrition label disclosures; and
  3. Android privacy disclosures.

Discrepancies between any of these can result in legal and/or PR scrutiny. As a result, it is important that organizations keep track of all disclosures made to ensure consistency throughout.

What to do?

Meeting legal and industry privacy requirements requires a technical solution. With a network traffic analysis done by NT Analyzer, you can be confident that Google will not turn up any data leakage or tracking that you do not know about, including any that is used by third party SDKs.

NT Analyzer’s downloadable report and designated module for Android, similar to the iOS module, will give organizations the information they need to meet their Android privacy requirements. The report includes, but is not limited to:

  • Identifying all parties collecting data (as well as which SDKs are integrated into the app);
  • Identifying all data types, including personal information/data (at both a technical – e.g., hashed, encoded, fingerprinting, IDFA, etc. – and traditional level); and
  • Determining how each data type is used (e.g., app functionality and/or personalization).

Since the vast majority of this data comes from the consumer’s device, and not an organization’s own data center, organizations are largely blind to the collection and sharing of this data. With new laws such as CCPA/CPRA and industry standards like iOS and Android, companies are now responsible for all data.

In other words, the traditional cybersecurity model only protects the castle, but with NT Analyzer you also have a clear view of the entire kingdom and can monitor all roads leading in.


Steven Roosa

Author Wenda Tang

Wenda Tang is a lawyer in the Washington, DC office, where she is part of the Data Protection, Privacy and Cybersecurity practice group. Wenda focuses on drafting and interpreting technology-related contracts, including insertion orders, service provider addendums, DPAs, advertising agreements, and non-disclosure agreements. She also assists clients in complying with data protection and privacy laws, such as the CCPA, GDPR, HIPAA, GLBA, COPPA, CAN-SPAM Act, and TCPA.

More posts by Wenda Tang
Steven Roosa

Author Steven Roosa

Steven B. Roosa advises companies on a wide spectrum of technology and legal issues pertaining to privacy and data security. Steve serves as partner in Norton Rose Fulbright's New York office and oversees the firm's privacy compliance tool suite, NT Analyzer.

More posts by Steven Roosa