Google Play Store’s privacy practices still confuse Android users

Privacy rules like GDPR and CCPA are meant to help app stores be clearer about how apps use your data. But in the Google Play Store, those privacy sections often leave people scratching their heads. A new study looks at how users read these parts of an app listing and how their reactions affect the risks they believe they are taking.

The study setup

The researchers built a controlled web environment that mimicked the Google Play experience. Participants first viewed short app descriptions, then moved through three parts of the listing one at a time: the data safety summary, the privacy policy, and the permission list.

Data safety gives a quick start

The data safety section came first in the walkthrough by design. It uses small pieces of text, icons, and short categories. Participants scanned it with almost no effort. The layout helped them sense that data moved through the app. After this first screen, more believed that the app collected personal information. This shift was important. It showed that the data safety section primes users to think about data use before they reach the longer material.

This happens because the design pushes people to decide fast. Short category names leave out purpose and timing, so readers fill in the gaps with their own expectations. When they do not see examples or detail, they assume more activity than the app may have.

In short, the data safety section gives users a basic sense of activity but not the entire picture. It raises awareness but does little to prevent misunderstanding.

Privacy policies hold the most depth

The privacy policy came second. It was the longest part of the listing, even after the researchers trimmed the content. Readers skimmed it and jumped between sections, which is common with long documents. A smaller group tried to understand each part. They gained better insight into why the app collected data, how data moved to partners, how long it stayed on servers, and which rights applied to users.

This section was the only place where participants could learn about rights and storage. It was the only place that explained purpose in a structured way. Even so, most missed the key points. A small share could identify what rights the policy described or how to use them. Few understood storage rules.

Long text filled with legal terms is hard to process. People who read on mobile screens often skim, skip, and rely on guesses. When policies adopt legal language, the content becomes too dense to hold a reader’s attention. The result is predictable. The policy holds the strongest information, but users cannot take advantage of it.

From a security standpoint, this shows where breakdowns occur. The policy covers the parts users must know, but the style and length block comprehension. The placement of the policy link at the end of a long page makes this worse since fewer users reach it.

Permission lists raise the most concern

The permission list came last. It showed the device features the app could reach, such as storage, location, or camera. This section triggered the highest rise in concern. When a permission looked out of place, participants felt uneasy. The surprise was most intense when the request did not match what users believed the app needed.

This reaction comes from how people interpret permissions. Most do not understand the Android runtime permission model. They often assume that all listed permissions must be granted for the app to run. They also assume that permission access is continuous, even when the system might limit it.

The permission list produced the strongest emotional response in the study. It did not offer much knowledge, but it shaped risk perception. It made people pause and question the purpose behind each request. That pause is important. It shows how technical detail without context can unsettle users.

Areas for improvement

Developers should take their time when they fill out an app’s data safety form. The details they provide need to match what appears in the privacy policy and the permission list. New tools can help with this task. For example, some IDE plugins can produce data safety labels on their own and lower the chance of mistakes.

Privacy policies need attention as well. People liked the amount of information they offer, yet they struggled to read them because the documents are long and filled with legal terms. Researchers have worked on ways to shorten and simplify these texts. Developers can use these ideas by placing key points at the top, using steady section headings, and reducing complex language