Data Safety in Google Play

Google
2020-2023

Users are increasingly worried about what their apps are doing with their data, so Google Play launched the Data Safety initiative to improve transparency amongst developers and keep users informed. I was the lead content designer for this launch and was assigned to an ever-expanding team of security and legal experts.

The problem

Users know they should be worried about privacy and security, but they seldom know the difference between the two, and they wouldn't know what to do about it if they did.

Developers are also incentivized to downplay and obscure the types of data they collect because data is valuable, and sometimes even relatively innocuous types of data can sound scary to users.

Summary of the Data Safety section in Google Play

The solution

I worked with a PM, a UX designer, and a rotating cast of lawyers and security experts to add a prominent new section to the details page for every app in Google Play (all 3+ million of them). All developers are now required to display information about what kind of data they collect and how they use it.

There's too much information to dump it all on the user at once, so we start with a summary to highlight the important bits.

Landing page for Data Safety in Google Play

When the user taps through, they can see a much more detailed breakdown. After many rounds of discussion and debate, we narrowed the scope to the two main actions that developers take: collecting data and sharing data with other companies or organizations.

Showing the data collected and shared for an app in Google Play

Within those two categories there are still dozens of types of data, and I worked closely with privacy lawyers to identify terms that were industry-standard but also understandable to the average user. Well, mostly understandable. You know how complicated this privacy stuff can get.

The terms had to be broad enough to cover multiple scenarios that vary from app to app, such as "app functionality." It was a careful balance, and I consistently advocated to get specific wherever it was feasible.

One of our most useful strategies for getting specific was to categorize the ways that developers use the data. "Personal information" sounds scary until it's revealed that the developer only needs it for account creation. And "Location" might sound much less critical to share if the developer is using it for targeted advertising.

Information about data deletion for an app in Google Play

To help users feel more empowered, we highlighted ways for them to delete or otherwise manage the data that developers collect. This was one of the most sensitive areas, from a content design perspective, because it would be easy to accidentally mislead the user about their options. For example, sometimes the user could only delete data by deleting their entire account. And Google couldn't guarantee that the developer would follow through on a request, so I couldn't even state something as simple as "You can delete your data."

That sort of tension drove most of the content design decisions that I made in this project. How do I help users feel informed about their data without overpromising or causing confusion because Google doesn't actually control any of this?

It's a fine line, and I trod lightly as we walked it.

Highlights

Broad praise throughout the industry, especially with privacy and security experts

Examples of press coverage:

The Verge
TechCrunch
Ars Technica
CNET
PCMag
Gizmodo
SlashGear

I received two spot bonuses for my work