How to fill correctly Data safety form in Play console

[Max Nadolny]

Hi.

Could you please help us to fill correctly Data safety form in Play console.

There are lots of developers use Admob and nobody knows how to fill Data safety.

According to google guide:
Not in scope for data collection

• The following use cases do not need to be disclosed as collected:

• End-to-end encryption: User data that is sent off device, but that is unreadable by you or anyone other than the sender and recipient as a result of end-to-end encryption does not need to be disclosed. 

And from Admob page:

All of the user data collected by Google Mobile Ads SDK is encrypted in transit using the Transport Layer Security (TLS) protocol.

So, after the text above, do we (developers) still need to provide info about all the users data types Admob share?

Or just enough to specify that app doesn't collect or share any user data with third-parties, because it's encrypted?

In case we still need to disclose every data type Admob share, could you please provide us with the correct example, how Data safety should be filled.

Regards,

Max.

[Mobile Ads SDK Forum Advisor]

Hello Max,

Thank you for reaching out to us.
 

I can refer you to Google Play's data disclosure requirements for more information on the subject. Feel free to reach out back to us if you have any further inquiries.
 

Regards,

Mobile Ads SDK Team

ref:_00D1U1174p._5004Q2k2ayj:ref

[Max Nadolny]

Hi.

Thanks for the response.

I've red the document you provided many times. But it's still not clear how to fill Data safety form!

According to your document all collected users data is encrypted with TLS.

And according to this document Provide information for Google Play's Data safety section

developers should not disclose collected users data, because it's encrypted.

1. What should we do, disclose or not all collected users data with Admob?

2. There are so many options in Data safety form, so it's confusing. Only our team knows how correctly fill this form.

3. Also it's confusing this form question - Do you provide a way for users to request that their data is deleted?

    If we, developers, will answer NO on this question, nobody in EU will download and use our applications. So we have somehow to have possibility to delete users data upon request.

Regards,

Max.

[Mobile Ads SDK Forum Advisor]

Hello Max,

We will have to share this to the wider team to provide assistance on this. Rest assured that one of our team will reach out to you.

[Mobile Ads SDK Forum Advisor]

Hey Max,

Thank you for your question.

For your first question: for what to disclose, I recommend to follow the documentation listed here

For your second question: each application is different so we do not have an example answer sheet to provide at this time.

To answer your data deletion question: while there is no end-to-end way to delete all of a user's data, Google does provide you with the tools to delete all Google-controlled data. In other words, Google provides the tools to deal with the data it has, but to deal with data from other networks (i.e. end-to-end) you would need to deal with each network individually.

With that being said, in order to delete user data as it pertains to Google in compliance with European law, you would need to use your Consent Management Platform to have the user revoke consent (i.e. user revokes consent using the UMP SDK that we provide). When this is done, any user data becomes disassociated from the user and deleted. This will fulfill your requirements as stated by European law as it pertains to Google. If a user emails you asking to delete their data, you would need to revoke consent on their behalf or provide them with instructions to revoke consent. It is important to note in this case that as far as Google data is concerned, revoking consent == deleting data.

This article may also be helpful. In addition to that, you may reach out to the Product Support Team to assist you better on this. 

Thanks,
Justin

ref:_00D1U1174p._5004Q2k2ayj:ref

[Max Nadolny]

Hi Justin!

Thank you for the response.

I'd like to summarize what we've told about.

1. As far as I understood we (android developers which use Admob for showing Ads) should disclose all the collected users data by Admob, even if it's encrypted using TLS.

    Am I right?

2. I mean typical scenario, when an android app uses Admob only for showing Ads. It would be nice to provide us with a good and correct example how to fill Data safety for that typical scenario.

    If it's not possible - not a problem, I will try to fill it myself. But in this case I can do mistakes and form could be incorrect.

3. Deletion question became more or less clear for me now. We should answer yes on this question. And if an end user emails us with a data deletion request, follow your recommendations above.

Have a nice day.

Regards,

Max.

[Mobile Ads SDK Forum Advisor]

Hey Max,

Thank you for questions. 

1. Because AdMob encrypts its data that is sent off device, that would be considered "out of scope" for what to disclose, per this help center article and data disclosure documentation. Please let us know if the Google Play Store conflicts with this assessment. 

2. Thank you for your feedback, I have shared that to the broader team. 

3. That is correct.