We're conscious that health and wellness data is particularly sensitive to users. Ensuring the security and privacy of that data is of utmost importance. Some reviews are already in place, and later in 2021 we will further enhance the review system that apps using Google Fit need to go through.
To enable the enhanced review, we have updated all Fitness API scopes for Write access to Sensitive, and we will update all scopes for Read access to Restricted. To understand the implications for your apps, learn more about requesting access to sensitive and restricted OAuth scopes.
What do you need to do now?
- Read through the new Google Fit Developer and User Data Policy and address any gaps.
- When you're going through the OAuth verification process in the Google Cloud Platform console, follow the appropriate verification steps depending on the classification of scopes your app needs.
When to apply for verification?
- If you're adding a new Google Fit scope to your app, follow the instructions to prepare for sensitive scope verification. If your app is reading data from the Google Fit API, then you will be required to go through enhanced verification once it is launched.
- For existing apps, wait until you’re contacted by the Trust and Safety team, who will reach out at least a month before your verification is required to start, to give you more information on the verification process and next steps. Until then, your app will continue to have access to the data and scopes it currently does.
The following FAQs apply to future review system enhancements.
Which Google Fit APIs does the policy apply to?
The policy applies to both the REST and Android APIs.
What do the review enhancements mean in practice?
If you access Fit APIs and have more than 100 users, you will be contacted in due course to begin a verification process. If you request read access to any data that you did not write, then you will also be required to carry out a security assessment. This includes cases where you are reading sensor data such as steps using the Recording API and Sessions APIs on Android.
How can I check whether I’ve exceeded the 100 user cap?
You can look that up for your project in Cloud Console.
How will I be invited to go through verification?
You will be contacted via the contact email addresses that you have stored in Cloud Console, so please make sure these are kept up to date.
Which data types read from the Google Fit APIs will require my app to go through the upcoming enhanced verification or a security assessment?
If your app reads data other than data that it has written, and has exceeded the 100 user cap, then your app will be required to go through enhanced verification and security assessment.
Which data types written to the Google Fit APIs will require my app to go through the upcoming enhanced verification or a security assessment?
If your app writes any data to Google Fit, and has exceeded the 100 user cap, then your app is required to go through sensitive scope verification, but not the upcoming enhanced verification or security assessment.
How do I determine if my app needs a security assessment?
If your app uses a restricted scope, such as any read scope, and has exceeded the 100 user cap, then it will need a security assessment. You will be separately invited to go through verification and security assessment with ample notice to complete it.
How do I get a security assessment if my app needs one?
When you are invited to go through verification, you will be provided with details of how to get a security assessment with ample notice to complete it.
How much will a security assessment cost annually and when will I need to pay?
Full details of the security assessment will be provided in due course and well before any deadline to complete the assessment.