From 20 July onwards, the Google Play Store will require Android developers to describe what data their app collects, who receives the data and how the data is secured. The new policy seems privacy-friendly, but looks are deceiving.

The AVG/GDPR requires app providers to inform users on how their data is processed. The Google Play Store and Apple App Store reach billions of users with millions of apps. Google and Apple offer apps on behalf of developers, and are therefore responsible for AVG/GDPR compliance.

Google has been using an automatic system to inform users about data processing over the past few years. If you wanted to publish an app on the Play Store, the system reviewed the locations accessed by your app. The results were described on the app’s page, as shown below. Users could see how their data was processed at a glance. This overview is slowly disappearing from the Play Store.

Back in April, Google announced that developers would be personally responsible for informing users on data processing by 20 July 2022. If you want to publish an app on the Play Store at this time, you’ll have to describe the privacy policy yourself.

Privacy problem

At the time of the announcement, Google did not specify that the new system would overwrite the old. This now appears to be the case. Discord’s page on the app store is an example. In April 2022, the page described the locations accessed by the app (‘Permissions’). The description disappeared somewhere between April and May. The current page does not show any information about the app’s data access.

Discord’s developers have yet to add the information. As of July 20, that is mandatory. The problem is that developers can keep certain information to themselves. Google announced that apps with incomplete information can be removed from the app store, but the transparency of the automatic system is lost.

Tip: Popular apps for tracking children are extremely vulnerable