Apple & Google Update Terms for COVID-19 Apps

|

While the legislative process for COVID-related data is advancing, the business and platform standards for apps are falling in place.

Rules for All COVID Apps

In response to the coronavirus pandemic, developers are rushing to create applications to support healthcare systems, spread awareness in the community, guide epidemiological research, and mitigate the spread. Apple and Google have reemphasized their existing policies in app development, data protection, and appropriate content, and have bolstered requirements with direct specifications regarding COVID-19 apps.

The new Bluetooth Exposure APIs created by Apple and Google have received a significant amount of attention. Due to the expanded access to Bluetooth scanning enabled by these APIs, both companies have limited use of these APIs to apps provided by health departments. Apple and Google require that the apps must be voluntary, cannot collect location information, and only gather very limited additional user information. For more information about the Apple/Google Exposure Notification API, read more about the details provided by Apple and Google.

However, new App Store and Google Play terms updated by the companies also set new rules for ALL COVID-related apps. 

Apple’s COVID-19 App Requirements

In a March 14 post, Apple explained that it would evaluate COVID-19 apps critically, ensuring that data sources are reputable. 

A COVID-19-specific app will only be considered if developers represent recognized entities such as “government organizations, health-focused NGOs, companies with clear credentials in health issues, and medical or educational institutions. Any entertainment or game apps with COVID-19 as their theme will be prohibited.” 

In addition to these new requirements, Apple’s updated policy also describes relevant limitations on certain types of apps. 

  1. According to a new section 5.1.1.ix., apps in “highly-regulated” fields, such as healthcare, financial services, and air travel, need to be submitted by a “legal entity that provides the services, and not by an individual developer.” 
  2. Safety consistently remains a top priority for Apple’s restrictions. Section 1.4.1 prohibits medical apps from providing inaccurate data or information. Apple’s team will utilize greater scrutiny when evaluating apps that could be used for diagnosing or treating patients. Developers must be reachable by users to respond effectively to questions and support issues.
  3. Privacy policies in the App Store call for transparency about all data collection, retention, and sharing. If the app collects health-related data, this personal data may not be used for advertising, nor can the app store this information in iCloud. However, this information may be used to improve health management or support relevant research if the user (or guardian of a minor) consents. Consent requirements are as follows:
    1. nature, purpose, and duration of the research
    2. procedures, risks, and benefits to the participant
    3. information about confidentiality and handling of data (including any sharing with third parties)
    4. a point of contact for participant questions
    5. the withdrawal process
  4. Apps conducting health research must obtain permission from an independent ethics review board. 

Just like any application available in the App Store, many preexisting relevant restrictions continue to apply to new apps related to COVID-19. 

Google’s COVID-19 App Requirements

Google also posted updated guidelines for COVID apps, which it defined as follows:

Apps that are subject to these requirements include, but may not be limited to:

  1. Apps that use, approximate or leverage coronavirus, COVID-19, pandemic, or related keywords in their Google Play Store listing metadata. 
  2. Apps that provide medical, treatment, vaccine, testing, or other related information specifically for COVID-19.
  3. Apps that support COVID-19-related response, containment, research, or education/training efforts.
  4. Apps that support services used to respond specifically to COVID-19, for example, apps that provide social support (food stamps, payment), healthcare, loans, etc., specifically in response to COVID-19.

The new Google Play rules state that only the following categories of apps are eligible to use COVID-19 or other related keywords and marketing in their Google Play Store app listing:

  1. Official governmental apps, which connect users to authoritative information and services. 
  2. Apps published by, or in direct affiliation with:
    1. a healthcare system or provider (e.g. CVS Health, UK National Health Service, UnitedHealth Group, Kaiser Permanente, French national healthcare system, Netcare (South Africa), One Medical, etc.); 
    2. a nationally recognized medical or epidemiological research organization deeply rooted in medical research (including nationally recognized medical schools). (The medical or epidemiological research organization or government research, should have approval from a registered governing body (for example, Institutional Review Board in the US, or the National Health Service (NHS) in the UK). In case of dispute, a local or national government, or verifiable healthcare non-governmental organization (NGO) endorsement will be required.) or; apps directly endorsed by an official. The app must be directly published by or in direct partnership with one of the entities (e.g. the authorizing institution or organization is referenced, with full permission, in the app’s title, logo, or Google Play Store description). Endorsement by a non-government entity alone does not meet the qualification (e.g., an app endorsed by staff at a medical school would not qualify if that app is not published by or in direct partnership with the medical school).

Apps specifically created in response to COVID-19 may not access personal and sensitive data that is not required to directly support pandemic response efforts and epidemiological research. The privacy policy must outline this data use.  COVID-19 apps that handle personal user data must also strictly comply with other existing Google Play Policy requirements

Google also reiterated its restrictions to content regarding sensitive events, misrepresentation, and deceptive behavior. COVID-19 apps cannot contain unverifiable information that counteract efforts of community education and relief.