
Android privacy policy: What to include, where to publish, and how to create one for your Android app

There are more than 2 million Android apps available on the Google Play Store, and around 1,500 new ones are added every day. If you add an app to that growing list, you need to be aware of a few important terms and agreements regarding personal data collected from users:

Developers must also provide a privacy policy that complies with both Google’s requirements and the data protection laws that apply where users are located.

This article outlines how Google handles personal data, what responsibilities fall on developers, and what to include in your Android app’s privacy policy to meet both Google’s terms and broader data privacy laws.

Key takeaways

  • Android privacy policy is required: An Android privacy policy is essential for app developers to comply with Google Play Store requirements and global data privacy laws.
  • Google’s data practices: Google collects various usage data from Android devices and Google Play, which may be shared under specific circumstances, including with user consent or for legal compliance.
  • Developer responsibilities: Developers must provide an easily accessible and clear privacy policy that is kept updated, and that details data collection, usage, sharing, security measures, and retention policies. It must follow specific requirements for location, format, etc.
  • Consequences of noncompliance: Failure to comply with Android’s privacy requirements can lead to app suspension, account termination, legal repercussions (including fines), and a loss of user trust.
  • Legal and platform alignment: Compliance requires aligning data practices with both Google’s terms and relevant data privacy laws.
  • Policy creation and provision: Privacy policies should be created in conjunction with a data audit, drafted clearly, prominently displayed on the Google Play Store listing, within the app, and on any associated website, and kept up to date.
  • Minors’ data and consent: Stricter requirements apply when handling data from minors, including specific parental consent obligations and clear disclosures.
  • Data safety section: Developers must accurately complete Google Play’s Data safety section, ensuring it aligns with their app’s privacy policy, even if no user data is collected.

What data does Google collect from Android app users

The Google Play Developer Distribution Agreement (DDA) states that Google collects usage data from Google Play and Android devices to support its services and improve both the developer and user experience. This data provides insight into how your app, the Google Play ecosystem, and the devices themselves are being used.

According to Google’s Privacy Policy, this information may include, among other things:

  • Device and network information, such as unique identifiers, browser and device types and settings, operating systems, application version numbers, app version in use, and mobile network details like the operator’s name and phone number
  • Details about the interactions among a user’s apps, browsers, and devices, and Google’s services. These can include the user’s IP address, crash reports, system activity, and the date, time, and referrer URL of their request
  • Information about which apps are installed on a user’s device when the user is signed into Google apps

Who does Google share personal data with?

According to Google’s Privacy Policy, personal data may be shared in the following circumstances:

  • When the user has explicitly agreed to the sharing. Google states that it will obtain explicit consent before sharing any sensitive personal information.
  • With domain administrators if the user’s Google Account is managed by an organization like a school or workplace.
  • For external processing, with Google’s affiliates or other trusted businesses or individuals who process data on Google’s behalf, under instructions and with confidentiality and security requirements.
  • When necessary to comply with laws; enforce Google’s terms; detect or prevent fraud, security, or technical issues; or protect rights, property, or safety.

What is an Android privacy policy for developers?

Google’s Policy Center shares information on what Google requires from an Android app’s privacy policy, which must be published in the Google Play Console.

This requirement applies even if your app does not access any personal or sensitive user data.

This document, along with any in-app disclosures, must give a complete account of how your app collects, uses, and shares personal data. At a minimum, your privacy policy must cover:

  • Developer and contact details: Information that identifies the developer and provides a point of contact or a way for users to submit privacy-related inquiries.
  • Description of data practices: What categories of personal and sensitive data your app collects, how that data is used, and with whom it is shared.
  • Data handling measures: A description of the procedures your app follows to keep personal and sensitive data secure.
  • Retention and deletion policies: For how long you store user data and under what conditions it is deleted.

The policy document must be clearly labeled as a privacy policy. The name of the entity listed in your app store listing, whether that is a developer or a company, must also be named in the privacy policy itself.

Google also requires that the privacy policy be accessible at a live, publicly available URL. It cannot be geofenced, cannot be a PDF, and must be in a format that users cannot edit.

Why developers must comply with Android’s privacy requirements

Failing to comply with Android’s privacy rules can lead to serious consequences. Legal risks, platform penalties, and reputational harm can threaten the viability of your app and business.

Noncompliance can result in:

  • App suspension or removal: If your app violates Google Play’s privacy requirements, it may be rejected during review or removed from the store entirely. Repeat violations may lead to the app’s suspension.
  • Loss of developer account: Google may suspend or permanently ban developer accounts for repeated or serious policy violations. Account termination means losing access to Google Play entirely, along with all existing apps and the ability to publish new ones. That means you no longer have the ability to distribute Android apps.
  • Legal consequences: Some of Google’s privacy requirements reflect legal obligations under laws such as the GDPR and the CCPA/CPRA. Failure to meet these obligations may result in regulatory investigations or fines.
  • Loss of user trust: Research shows that 40 percent of players will uninstall a mobile game if they have concerns about data privacy. Losing user trust leads to long-term business damage even when legal and platform penalties are avoided.

To stay in good standing, developers must not only follow Google’s privacy requirements but also keep all disclosures accurate and up to date.

How to align your app data practices with privacy laws and Google’s privacy requirements

Developers that publish Android apps on the Google Play Store must handle personal data in compliance with both global privacy regulations and Google’s contractual requirements. 

Here are some steps you can take to achieve and maintain compliance with both.

Update your Android privacy policy to meet Google’s disclosure requirements

Your Android privacy policy must meet Google’s specific disclosure requirements and also comply with applicable data privacy laws based on where your users are located. This means your policy must account for various regulations, which may include:


Below is a non-exhaustive checklist of what must be disclosed in your Android privacy policy to meet Google’s requirements and most global regulations.

  • Your business’s contact information and a method for users to submit privacy-related questions. If a Data Protection Officer (DPO) or other designated privacy contact is appointed, include their information.
  • Details about what personal and sensitive data your app collects, how it is used, and with whom it is shared.
  • A disclosure stating that personal data sent to Google may be shared with third parties, such as its affiliate companies.
  • A description of the steps your business takes to protect personal and sensitive data against misuse or unauthorized access.
  • The amount of time user data is kept and an outline of the process for deletion, including how users can request their data to be removed.
  • An explanation of user rights under applicable laws, such as the right to object under the GDPR or the right to opt out of data sales under the CCPA/CPRA.
  • If you process data for targeted advertising, include a “Do Not Sell Or Share My Personal Information” link for California users, as required by law.
  • A description of how the personal data of minors is collected and used, including the processes for obtaining valid parental or guardian consent where it is required.

If your app accesses, collects, uses, or shares personal and sensitive data in a way a user might not reasonably expect — for example, if it collects data in the background — you must adhere to stricter disclosure rules. 

That means providing a clear disclosure within the app explaining what data is being accessed, collected, used, or shared. This disclosure must be presented immediately before any request for in-app user consent or runtime permissions.

For apps covered by Google Play Families Policies, you must disclose the collection of children’s data, including information gathered through application programming interfaces (APIs) and software development kits (SDKs). This includes information like authentication details, microphone and camera data, device identifiers, Android IDs, and advertising usage data.

Apps that provide anti-virus, anti-malware, or similar security features must publish a privacy policy that describes what data the app collects and transmits, the purposes for which it is used, and which parties may receive that data.

You must write your privacy policy in simple, clear language that is easy for a general user to understand. The privacy policy must be regularly updated to reflect any changes in your data handling practices, Google’s terms, or relevant privacy laws.

Take additional precautions when handling minors’ data

If your app is directed at children or is likely to be used by anyone under 18, you’re responsible for meeting stricter legal requirements, even if minors aren’t your primary audience. Specific requirements depend on the geographic location of your users and the type of data your app processes.

Data protection laws may impose specific parental consent requirements when collecting information from minors.

In the US, COPPA requires businesses to obtain verifiable parental consent before collecting data from minors. You must obtain separate consent for data collection and data sharing activities.

In the EU, the GDPR requires explicit consent from a parent or legal guardian in order to collect data from minors under 16, though individual EU member states can lower this age threshold to 13.

Google also requires developers to disclose when their app collects personal or sensitive data from children, regardless of jurisdiction. Your privacy policy must transparently explain how you collect and use data from minors.

You must also implement age verification mechanisms when age determines data collection practices or service eligibility.

If there’s a chance your Android app collects personal data from anyone under 18, you must be prepared to meet these requirements.

Data protection laws in certain jurisdictions, like the EU and Brazil, require you to have a legal basis for processing personal data through your app. Explicit consent is one accepted legal basis. 

These same laws often require explicit consent when you process sensitive personal data such as health information.

Most US state-level data privacy laws work on an opt-out model, but they do require prior opt-in consent when data is classified as sensitive or when it belongs to a known minor. COPPA, which is a federal regulation, also imposes consent obligations for personal data belonging to minors.

Some laws like the CCPA/CPRA require you to provide all users with a clear method to opt out of the sale or sharing of their personal data. When sensitive data is involved, your app must also provide users with a way to limit how that data is used or disclosed.


You are legally responsible for complying with all consent obligations in the regions where your app is available. A consent management platform (CMP) like the Usercentrics App CMP can help you obtain, store, and signal the required consent.

If your app uses a CMP, the consent banner it displays must clearly state how personal data will be used and provide appropriate controls for users to opt in or out, depending on the legal requirements in their location.


Prominently display your Android privacy policy

Your Android app’s privacy policy must be easy to find. You are required to display it in all of the following locations:

  • On your app’s Google Play Store listing
  • Within the app itself, usually in the app’s menu
  • On your app’s website, if one exists

On the website, the privacy policy must be linked from a persistent, easy-to-find location, like the footer, and clearly labeled using the term “privacy policy.”

Apps that require users to sign in or create an account should also include a link to the privacy policy from the login or sign-up page.

Google’s app review guidance includes specific placement requirements for your Android privacy policy.

Apps that request access to sensitive permissions or data must include a privacy policy link both on the app store listing page and within the app itself. 

Apps designed for children must link to a privacy policy on both the app store listing page and within the app, even if they do not collect any personal or sensitive user data.

In all cases, your privacy policy must be hosted on an active URL, apply specifically to your app, and address user privacy practices.

Complete Google Play’s Data safety section

Google requires every app listed on the Play Store to include a completed Data safety section. This section must accurately describe what user data your app collects, how that data is used, and whether it is shared with third parties. 

It is your responsibility as the developer to provide correct, complete information and to keep the section updated as your data practices change. The details you provide must align with your app’s privacy policy disclosures.

Even if your app does not collect any user data, you must still submit the form for this section and link to your privacy policy. In this case, you may state that your app does not collect or share user data.

Practice purpose limitation

If your app handles personal and sensitive user data, you must limit its access, collection, use, and sharing. Data processing must be confined to purposes that directly support your app’s functionality and services, that align with your stated purposes, and that the user might reasonably expect.

Your use of data must also reflect the scope of the user’s consent. If you wish to use the data for a new purpose not covered by the original consent, you must first obtain additional consent as required by applicable data privacy laws.

How to create a privacy policy for your Android app

Before you draft your privacy policy, start with a data audit. Review your app’s features to identify what personal data you collect, how you process it, where it’s stored, and how you keep it secure. This includes data collected directly from users, through third-party SDKs, or via background permissions. 

Once you understand your app’s data flows, you can create a privacy policy that accurately reflects your practices.

There are several ways to create your privacy policy. You can:

  • Write it yourself if you have a strong grasp of data protection requirements and your app’s technical architecture.
  • Work with a legal professional who can help you draft a policy tailored to your app’s features and your legal obligations.
  • Use a privacy policy generator to create a customized policy that reflects your app’s data collection and usage. 

Do not copy a privacy policy from another website or app, as it will not reflect your own data practices and could expose you to legal risks.

Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.