App developers who want to list their apps in the Google Play Store need to make sure they have a Privacy Policy that complies with Google Play's requirements. Otherwise, they may receive a "Privacy Policy link invalid or missing" rejection message.
This article will explain what the Google Play Store rejection message is and why you might receive it, what a Privacy Policy is and why you need one, Google Play Store's requirements for app developers, and how to fix Google Play Store rejection message issues.
Our Privacy Policy Generator makes it easy to create a Privacy Policy for your business. Just follow these steps:
- At Step 1, select the Website option or App option or both.
- Answer some questions about your website or app.
- Answer some questions about your business.
- Enter the email address where you'd like the Privacy Policy delivered and click "Generate."
You'll be able to instantly access and download your new Privacy Policy.
- 1. Why the Privacy Policy Link Invalid Google Play Store Rejection Message Appears
- 2. What Steps to Take to Fix Google Play's Privacy Policy Link Invalid Rejection Message
- 2.1. Have a Compliant Privacy Policy
- 2.1.1. GDPR
- 2.1.2. CCPA (CPRA)
- 2.2. Explain App Permissions Through Data Safety Form
- 2.3. Maintain and Get Consent to In-App Disclosures When Necessary
- 2.4. Post Privacy Policy Links
- 2.4.1. App Listing
- 2.4.2. In-App Menu
- 2.5. Limit the Data You Collect, Use and Share
- 2.6. Keep Collected Data Secure
- 2.7. Explain How Users Can Delete Their Data
- 2.8. Explain How Long You Retain Data
- 2.9. Display Your Contact Information
- 3. How to Add a Privacy Policy URL for Google Play Console
- 4. Summary
Why the Privacy Policy Link Invalid Google Play Store Rejection Message Appears
The Google Play Store "Privacy Policy link invalid or missing" rejection message informs app developers about eligibility issues that need to be fixed in order to list their app.
App developers run the risk of receiving the Google Play Store rejection message if they don't meet Google Play's requirements, including having a properly linked, compliant Privacy Policy, and only requesting necessary permissions (what information your app is allowed to access and what it is allowed to do with that data).
Here's a screenshot of the rejection message:
It reads:
Privacy policy link invalid or missing
We were unable to verify your privacy policy because the link you provided either does not work or does not link to a valid privacy policy page. Please add or update your privacy policy, and make sure it is available on an active URL (no PDFs), is non-editable, applies to your app, and specifically covers user privacy including your app's usage of location data. You must link to a privacy policy on your app's store listing page and within your app.
Learn more about privacy policy requirements in the Developer Policy Center.
A post in Google Play's Community forum demonstrates the message users may receive if they have an invalid Privacy Policy URL:
To keep Google Play from rejecting your app due to a Privacy Policy (either invalid or missing), you will need to have a Privacy Policy that complies with its requirements.
Your Privacy Policy needs to be public, not editable, and should exist in a permanent format, preferably on its own webpage (don't use PDF or DOCX). Your Privacy Policy should include, at a minimum, the following clauses:
- The developer's name and contact information
- The types of personal and sensitive user data your app collects, uses, or shares
- Third parties you share personal or sensitive user data with
- How you keep personal and sensitive user data safe
- How long you keep personal data
- How users can request to delete their personal data
What Steps to Take to Fix Google Play's Privacy Policy Link Invalid Rejection Message
The Google Play Store has certain requirements listed in its User Data Policy that you must follow to avoid having your app rejected, especially for the "Privacy Policy link invalid or missing" message. These requirements include:
- Having a Privacy Policy
- Limiting the data you collect
- Keeping data secure
- Explaining permissions
- Maintaining and getting consent to in-app disclosures
- Keeping the Data Safety section of your app listing up-to-date
- Providing links to your Privacy Policy
- Explaining how users can delete their data
- Explaining how long you retain data
- Displaying your contact information
Have a Compliant Privacy Policy
A Privacy Policy is a legal document that describes users' privacy rights and how you collect and handle their personal information. It's legally required by privacy laws around the world whenever personal information is collected. And, even when personal information is not collected, you should still have one to show transparency.
Here's an excerpt of the 90 Degree by Reflex Privacy Policy, showing how this agreement describes the types of information the business collects and how it uses that information:
Many global and state data protection laws require app developers that handle consumers' personal information to maintain a Privacy Policy that:
- Explains consumers' privacy rights
- Outlines how they use consumers' data
- Gives consumers a way to make requests or opt-out of the use of their personal information
Let's take a look at a couple of privacy laws that may apply to you if you collect or use personal data from consumers in the European Union (EU) or California.
GDPR
The General Data Protection Regulation (GDPR) is the EU's primary privacy legislation. It requires organizations that provide goods or services to, or process (use) personal data belonging to, EU residents to:
- Only process personal data necessary for their functions
- Give EU consumers a way to exercise their privacy rights
- Maintain a Privacy Policy that describes the types of data they collect, their reasons for using it, and who they share data with
Article 13 of the GDPR explains that data controllers (those who decide how to process personal data) must provide consumers with their contact information and reasons for processing personal data, among other requirements. This can be done by providing a Privacy Policy:
CCPA (CPRA)
The California Consumer Privacy Act (CCPA/CPRA) applies to organizations that do business in the state of California and meet the law's criteria. It requires applicable businesses to maintain a Privacy Policy that:
- Explains consumers' rights under the law
- Gives consumers a way to opt-out of the sale or sharing of their personal information
- Describes the types of personal information their organization collects and uses
Section 1798.100 of the CCPA explains that businesses must inform consumers of the following before collecting their personal data:
- What kinds of information they are collecting and why
- Whether the information they are collecting includes sensitive personal information (a special category of protected personal information)
- How long they plan to keep the personal information
Explain App Permissions Through Data Safety Form
The Google Play Store requires all app developers that collect, use, or share personal information to maintain a clear, accurate, and up-to-date Data Safety section that is reflective of the app's Privacy Policy.
You must update your Data Safety Form in the Play Console. Your Data Safety Form should include the data practices you employ to keep users' personal data secure, information about any data that you share with third parties, the types of data your app may collect, your security practices, and a link to your Privacy Policy.
TikTok's Data Safety page contains a menu of the types of data it collects, including approximate location, personal information, financial information, in-app messages, and photos and videos:
You should use your app description to explain the permissions that your app uses, especially if you use any sensitive permissions like READ_EXTERNAL_STORAGE (a permission used to access storage outside of your app). You should explain why your app requires those permissions.
Dropbox explains its permissions and includes instructions for how users can disable permissions in their device settings and a Learn More link as part of its Google Play Store app description:
Maintain and Get Consent to In-App Disclosures When Necessary
If you collect or use personal or sensitive personal data for purposes that a user wouldn't reasonably expect, you will need to maintain in-app disclosures explaining why you are collecting or using the data.
These disclosures, known as Prominent Disclosures, must stand alone and not be a part of your Privacy Policy or located within other disclosures, and they must be prominently displayed within the app itself. They can't be in the app's description or within the menu or settings of the app:
Google Play's User Data Policy provides a sample format that developers can use to create a compliant disclosure:
You must obtain consent to your in-app disclosures. Users must give active consent (such as by tapping an "I Agree" button or checkbox, or clicking a button affirming a consent statement):
If a user navigates away from the consent box, that does not count as granting consent. You must get consent from users before accessing their personal data.
Post Privacy Policy Links
You will need to post an active link to your app's Privacy Policy within the required field in the Play Console and a link to (or the text of) the Privacy Policy within your app. You should also include a link to your Privacy Policy on your website.
App Listing
Google Play requires you to put a link to your Privacy Policy within your app store listing. You can add your Privacy Policy link to your app's Google Play Store listing by following these instructions.
Adobe Acrobat Reader includes a link to its Privacy Policy at the bottom of the Data Safety section of its listing on the Google Play Store:
In-App Menu
You will also need to ensure that your Privacy Policy is accessible from your app screens. App developers typically link their Privacy Policy within their app menus.
When users open the AccuWeather app, they can find a link to its Privacy Policy at the bottom of its in-app menu:
Tapping on the link takes users to an external page that hosts AccuWeather's Privacy Policy.
Limit the Data You Collect, Use and Share
You must limit the access, collection, use, or sharing of personal or sensitive user data to that which is necessary for the purposes you disclose to users. That means that you need to determine what kinds of data your apps are collecting, storing, and transmitting to your servers, and how it is being used.
Google Play defines personal and sensitive user data as information that can be used to identify an individual, including: financial, health, and authentication information, text and phone call-related data, and data from users' microphones and cameras.
Google Play's User Data Policy informs developers that they must clearly explain how they handle users' personal data and limit the use of data to "policy compliant purposes:"
If you use personal or sensitive user data for advertising purposes, then you must also comply with Google Play's Ads Policy.
Google Play's Ads Policy requires app developers to include information about the collection or use of permission-based device location data for advertising purposes in their Privacy Policies. Developers may not request location data permissions solely for advertising purposes:
Let users know what types of information you collect in a way that's easy to understand. Use lists and short sentences to keep things clear, like seen here:
Always disclose if you share any types of data with third parties. You can name them specifically, but most businesses will use categories of third parties, such as "hosting services" and "service providers." Disclose what types of information will be shared, and what it will be used for, such as "data analysis" and "email delivery:"
Keep Collected Data Secure
You will also need to make sure you keep the data you collect safe by:
- Using modern cryptography (secure digital communications practice) to transmit user data
- Using runtime permissions requests (permissions that help prevent apps from accessing private information without a user's consent) whenever they are available
- Not selling users' personal and sensitive data
Mention security in your Privacy Policy and let users know you do take steps to keep data secure. You don't need to get specific here, but can simply note that you do take measures to protect the data, as seen here:
Explain How Users Can Delete Their Data
If your app allows users to create an account, then you must also establish a way for users to request that their account be deleted. You should make the deletion request process accessible from both the app and from a web resource (such as a website or email address).
Let users know that they have the right to have their data deleted, and instruct them on how to go about exercising this right.
Here's an example of such a clause:
Temu's Google Play Store Data Safety page explains that users can request their data be deleted and includes a link to its Privacy Policy:
When users click on the link they are taken to Temu's Privacy Policy page, which explains that users can delete their account through the settings section of its app:
Explain How Long You Retain Data
Note how long you will keep data. This can be anything from "indefinitely" to only using it to complete one action then deleting it immediately. As with all clauses in your Privacy Policy, be transparent and accurate:
Display Your Contact Information
Make it easy for users to contact you at any time by including your contact information within your Privacy Policy.
Add a contact clause like this to share your name and contact information:
How to Add a Privacy Policy URL for Google Play Console
You can download these instructions as a PDF file.
- Log in to your Google Play Console.
- In the left menu, click on All apps and then choose the app you wish to work with:
- Click on the app you wish to work with:
- Click on the Start button under the Privacy Policy section:
- On this page, you'll see the field for adding the Privacy Policy URL for your app:
  If you do not have a Privacy Policy, you can use our Privacy Policy Generator and create it within minutes. TermsFeed will host your Privacy Policy URL for free.
  Once you have the Privacy Policy created by TermsFeed, click Copy from the Link to your Privacy Policy section to copy the URL:
- Paste the Privacy Policy URL in the field box:
- Click Save:
- To see a summary and to manage your Privacy Policy, go back to the App content section in the left menu and scroll up to the Completed section:
- You're done.
Summary
Users may receive a Google Play rejection message if their Privacy Policy doesn't meet its requirements or isn't linked properly.
A Privacy Policy is a legal document that describes consumers' rights concerning their personal information and how you collect and use their personal data.
You need a Privacy Policy for apps in order to comply with state and global privacy and data protection laws, such as the GDPR and the CCPA, as well as with Google Play Store's requirements.
The Google Play Store requires app developers to maintain a clearly labeled, non-editable, easily accessible Privacy Policy that identifies the app developer and contains clauses that explain how you access, collect, use, and share users' personal data.
In order to fix the Google Play Store rejection message, you will need to follow these steps:
- Know what data you are collecting and limit your use of data to only that which is strictly necessary for the purposes disclosed to your users.
- Explain the permissions your app uses.
- Maintain prominent disclosures as needed and get consent to disclosures before collecting or using personal data.
- Keep your Data Safety Section up to date.
- Post links to your Privacy Policy within your app listing and in your app.
- Explain how users can delete their personal data.
- Maintain a Privacy Policy that contains the clauses required by applicable laws and the Google Play Store.
The clauses you should put in your Google Play Privacy Policy include, at a minimum:
- A list of the data you collect and use, including personally identifiable information
- Why you are collecting and using consumers' data
- A list of any third parties you share personal and sensitive user data with
- How users can request to have their data deleted, if applicable
- The permissions your app uses
- Your data retention policy
- How you keep users' personal data safe
- Your contact information