Google has announced new standards for apps and websites that gather or transmit personal details about their users.

The move from Google comes on the heels of rampant Play Store malware, making this new requirement likely an attempt to curb data theft, hidden trackers, and other malevolent software.

Enforcement of the new policy will begin on January 30, 2018, at which time users will see warnings on apps and websites leading to apps that are known to collect user data without consent.

The changes will probably affect legitimate app developers as well–the 60-day mark will be a hard start for warnings to begin appearing, which could drive traffic away from apps and websites that haven’t complied with the new policy.

Google’s new plan to protect Android users

When Google’s Safe Browsing changes take effect, any app that handles personal or device data will be required to let users know that it’s doing so.

Affected apps will also have to provide a privacy policy inside the app, and the requirements for in-app policy notifications are extensive. Apps will have to:

  • Describe what’s being collected and why
  • Display the information in an easy-to-access area
  • Provide the information in an area separate from the terms of service
  • Describe everything in a “clear and unambiguous way”
  • Wait to transmit any information until after the user has verified their acceptance of privacy terms
  • Only accept positive affirmation as agreement to transmit data (backing out of a screen or ignoring the notification cannot count as accepting it)
  • Display privacy information in a non-expiring window

Any time data is transmitted–even crash reports to developers–the user has to be made aware of what is being sent and why. It’s reasonable to expect nearly every single app developer to have to make at least some changes to their app design in light of these new requirements.

What developers have to do to comply

Anyone who publishes apps for Android–even those released through third-party channels–will feel the effects of this new policy.

It’s unclear how Google plans to enforce its new requirements, but developers who don’t make required changes may see download rates and website traffic drop if users are being given privacy warnings.

Google provided several steps for web and application developers to become, and remain, compliant:

  • Everyone should review Google’s Unwanted Software Policy to see if they’re violating any rules.
  • Web developers who notice warnings on their sites should “refer to the Search Console for guidance on remediation and resolution of the warnings.”
  • App developers whose apps are flagged “should refer to guidance in the Unwanted Software Help Center.”
  • If an app is being flagged with a warning, its developers can also file a request to have the warning removed through the App Verification and Appeals process.

That 60-day clock is ticking–don’t be caught with an unprepared app or website that costs you or your company money.

The top three takeaways for TechRepublic readers:

  1. Google has updated its standards for the collection and use of user data by apps and websites. The changes, which go into effect on 30 January 2018, will require apps and the websites hosting them to clearly notify users what is being gathered and why.
  2. Any part of an app that transmits user or device data (even something as simple as a crash report) has to be explained to, and accepted by, the user.
  3. Google has provided a number of steps and documents for developers to use in remediating potential problems with apps and sites.
