Update: 07/21/22: Google’s Android Developers Twitter account announced Thursday they decided to reinstate the app permissions section in Google Play.
In a separate tweet, Google said the data safety section provides users with a “simplified view” of what user data apps collect. They added they will continue to accept feedback on these features.
Google’s throwing up its hands when it comes to app store data privacy. Apparently thinking that only app developers themselves really know the totality of the info they’re siphoning from their users, the platform is now relying solely on those same developers not to lie about how they use all that data. Good luck with that.
Google Play Store will now require all apps to include a data safety list on their app page to show what kinds of data is collected from their users by July 20. At the same time, the app store has disabled previous features that let users look at the app permissions.
While often vague, these permissions did give users a sense from Google itself which parts of the phone apps had access to.
This means Google is effectively leaving it up to app developers themselves to decide what they include in their safety lists, also leaving it open for app developers to potentially lie to its users. The app permissions feature was often convoluted, but at least the information came from Google itself, rather than the app developers.
We reached out to Google, and a representative said they’d have more info later today. We’ll update when we hear back from them.
Apple has long had a similar feature for its App Store, which makes Google’s move to nix publicly disclosed permissions strange, considering how long they were touting this update. In 2021, Google announced that developers would need to detail an app’s security practices as well as whether the app’s security section was verified by an independent third party, and whether users could delete info after they uninstall.
But only a few months later, Google amended its original announcement. They removed the requirement for apps to be verified, and also set up a deadline for Q1 of this year. The company said that app developers who don’t provide a security section by the deadline “may” have additional apps or updates rejected. Just what bar that sets for app developers is unclear. Of course, developers have until Wednesday to add these details, but if the apps that have listed their data are anything to go by, developers really don’t have to include much in the way of details.
The Telegram app’s data safety page is very non-specific. Why does it collect your personal info? Oh, just “app functionality.” TikTok, which has been raked over the coals by lawmakers over allegations that it was letting the Chinese government access U.S. user data, claims on its data safety page that it does not share any data with third parties. But it does automatically capture User IDs for “analytics, advertising or marketing, security,” etc. which is all still vague and nonsensical for the average user.
Google’s own page for describing what these new requirements are says apps must not only reveal what data they collect directly, but also any data handled through third party libraries or SDKs on their apps. Google says it looks at app data collection as part of its app review process, adding “you [app developers] are responsible for making complete and accurate declarations in your app’s store listing on Google Play… only you possess all the information required to complete the data safety form.” Despite that last statement, Google said it would take enforcement action against apps where there’s a discrepancy between app behavior and what’s listed on the safety form.
The question remains why any developer would put more care into this feature if it won’t see much blowback? Coffee company Tim Hortons was recently cited by Canada’s privacy agency for collecting “vast’’ amounts of data on users for years. Still, it doesn’t seem like the fast food chain is too stressed about Google’s new mandate. The company’s app listing on the Play Store still does not include its data safety listing, even though it has only a few days before Google’s supposed deadline.