What Is the Data Safety Form?

The Data Safety Form is a mandatory declaration in Google Play Console that tells users what data your app collects, shares, and how it handles data security. Google introduced it in 2022 as a transparency measure, replacing the older permissions-based approach.

When users view your app on the Play Store, they see a "Data safety" section that summarizes your declarations. This section directly impacts user trust and download decisions — apps with incomplete or suspicious data safety information see lower conversion rates.

Key Point

The Data Safety Form is about what your app actually does with data, not what permissions it requests. You must declare data collection even if it happens through third-party SDKs like Firebase, Facebook SDK, or ad networks.

When Is It Required?

The Data Safety Form is required for every app on Google Play, including:

New app submissions
App updates (Google may require you to complete or update the form)
Apps in closed testing, open testing, and internal testing tracks
Apps that do not collect any data (you must explicitly declare "no data collected")

Google reviews the Data Safety Form as part of the app review process. Inaccurate declarations can lead to app rejection or removal.

Data Types You May Need to Declare

Google categorizes data into these types:

Location — Approximate or precise location data
Personal info — Name, email, user IDs, address, phone number
Financial info — Payment info, purchase history, credit score
Health and fitness — Health data, exercise data, sleep data
Messages — Emails, SMS/MMS, other in-app messages
Photos and videos — Photos, videos taken or stored
Audio files — Voice recordings, music files, other audio
Files and docs — Files stored or created
Calendar — Calendar events
Contacts — Contact list data
App activity — Page views, taps, search history, installed apps
Web browsing — URLs visited within the app
App info and performance — Crash logs, diagnostics, performance data
Device or other IDs — Device ID, advertising ID, Android ID

SDK Data Collection

Most third-party SDKs collect data that YOU must declare. Firebase Analytics collects device IDs and app activity. Ad SDKs collect advertising IDs and browsing data. Review each SDK's documentation carefully.

Step-by-Step Guide

Step 1: Audit Your App's Data Collection

Before filling out the form, create a complete inventory of all data your app collects. Include data collected by your own code and by all third-party SDKs. For each data type, note whether it is collected, shared with third parties, and whether users can request deletion.

Step 2: Open the Data Safety Form

In Google Play Console, navigate to your app, then go to App content > Data safety. Click "Start" or "Manage" to begin.

Step 3: Answer the Initial Questions

Google asks three foundational questions: Does your app collect or share any user data? Does your app collect any of the listed data types? Is all data encrypted in transit?

Step 4: Declare Each Data Type

For each data type you collect, specify: Is it collected? Is it shared? Is it processed ephemerally? Can users request deletion? What is the purpose (app functionality, analytics, advertising, etc.)?

Step 5: Security Practices

Declare whether data is encrypted in transit (HTTPS), whether users can request data deletion, and whether your app follows Google's Families Policy (if targeting children).

Step 6: Review and Submit

Google shows a preview of how your Data Safety section will appear on the Play Store. Review it carefully before submitting.

Pro Tip

Keep a spreadsheet of all SDKs in your app with their data collection details. Update this document with every SDK addition or update. This makes Data Safety Form updates much faster.

Common Third-Party SDKs and Their Data

Here are the most common SDKs and what data they typically collect:

Firebase Analytics — Device IDs, app activity, diagnostics
Firebase Crashlytics — Crash logs, device info, app performance data
Google AdMob — Advertising ID, approximate location, web browsing, app activity
Facebook SDK — Device IDs, app activity, personal info (if using Facebook Login)
Google Sign-In — Name, email, profile photo
Stripe SDK — Financial info (payment method details)
OneSignal/FCM — Device IDs, push notification tokens

Common Mistakes to Avoid

Forgetting SDK data — The most common mistake. You are responsible for data collected by all SDKs in your app
Saying "no data collected" — Almost every app collects some data (crash logs, device IDs at minimum)
Not updating after SDK changes — Adding or updating an SDK may change your data collection
Inconsistency with privacy policy — Your Data Safety declarations must align with your privacy policy
Ignoring encryption question — If your app uses HTTPS (it should), declare that data is encrypted in transit

Privacy Policy Requirements

Your app must have a privacy policy that is consistent with your Data Safety Form declarations. The privacy policy must:

Be hosted on a publicly accessible URL (not Google Docs or a PDF)
Cover all data types declared in the Data Safety Form
Explain how data is collected, used, and shared
Include information about data deletion requests
Be written in the same language as your app's primary listing

Consistency Is Key

Google cross-checks your Data Safety Form against your privacy policy. If your policy says you collect email addresses but your Data Safety Form says you do not, your app will be rejected.

Frequently Asked Questions

What happens if I fill it out incorrectly?

Google may reject your app update or, in serious cases, remove your app. You will receive a notification explaining what needs to be corrected.

Do I need to fill it out for internal testing?

Yes, the Data Safety Form is required for all tracks including internal testing.

Can I say my app collects no data?

Only if your app truly collects zero data — no analytics, no crash reporting, no advertising. This is extremely rare for modern apps.

Google Play Data Safety Form: Complete Step-by-Step Guide