Google has introduced a set of updates to its Play policies, focusing on user privacy controls and new safeguards for developers, alongside structural changes to how app ownership is transferred on its platform.
The changes include revised requirements for accessing sensitive user data, such as contacts and location, as well as new tools aimed at reducing fraud risks in developer account management. The updates are expected to roll out progressively through 2026, with several enforcement deadlines tied to upcoming versions of Android 17.
A central element of the update is a shift in how apps access user contacts. Google is positioning the Android Contact Picker as the default method, allowing users to share selected contacts rather than granting broad access to their address book. Under the revised policy, developers will be required to adopt this approach or similar privacy-focused alternatives, while broader permissions such as READ_CONTACTS will be restricted to apps that demonstrate a clear functional necessity.
Location data access is also being streamlined through a new system-level “location button,” designed for one-time use cases. Instead of navigating multiple permission prompts, users will be able to grant temporary access to precise location data with a single interaction. Apps that rely on continuous or background location tracking will need to formally justify that requirement through a developer declaration process.
To support compliance, Google is introducing additional tooling within its developer ecosystem. Policy insights integrated into Android Studio will flag potential issues earlier in the development cycle, while new pre-review checks in the Play Console will identify violations related to contact and location permissions before apps are submitted for approval.
Beyond privacy measures, Google is formalizing how developer account ownership changes are handled. A new account transfer feature in the Play Console will become the only permitted method for transferring ownership starting May 27. The system includes a mandatory seven-day security delay intended to detect and prevent unauthorized transfers, replacing informal practices such as credential sharing or third-party account sales.

