27 January 2020
A number of Android app developers have received a strongly worded email from Google recently. This email warns the developer that their app could be removed from the Google Play store. Sometimes it states that their app has already been removed.
The developer is deemed guilty of the following:
"Violation of Usage of Android Advertising ID policy and section 4.8 of the Developer Distribution Agreement"
Publishing an Android app in the Google Play store requires agreeing to Google's terms and policies. It's important to note that you are contractually obliged to stick to these agreements, and you should consider them legally binding.
But frankly, there are so many rules and obligations that it can be pretty easy to make an innocent slip-up.
Don't panic. You can turn this into an opportunity to improve your data protection practices.
Let's look at how you can comply with Google's requirements and get your app back on track.
The Advertising ID is a unique user identifier. Developers can use the Advertising ID to help them monetize their apps. Each ID is associated with a specific Android user and is used in the targeting of ads (among other things).
A user can exercise certain controls over their Advertising ID, allowing them to limit the amount of information that apps collect about them. For example, a user can reset their Advertising ID, or use it to opt out of receiving personalized ads (previously "interest-based ads").
It is not to be confused with the Android ID, which is created when a user sets up their Android device and will always be associated with that device.
Google's business model depends, in large part, on the use and analysis of people's personal data. For example, it tracks the behaviors of users of its search engine and serves them personalized ads on behalf of advertisers.
Google offers app developers the opportunity to engage in this sort of business model. Through products and services such as the Android SDK and Google Play, developers can monetize their users' personal data.
For example, you might collect your users' personal data if you have opted to serve personalized ads. The function of your app itself might also depend on access to a user's personal data.
This can be a powerful method of generating income. But with great power comes great responsibility. Such activity is governed by strict data protection and privacy laws, and Google's policies are designed to ensure that developers obey these laws when using its products.
The Usage of Android Advertising ID Policy is a section of Google's Ad policy, one of the agreements in Google's Developer Policy Center.
Whilst the Advertising ID might not allow you to identify individual users, it could be linked to other information to provide insights into identifiable individuals. This means it can be considered personal data under data protection laws, such as the EU General Data Protection Regulation (GDPR).
The obligations arising out of this agreement include:
You might recognize that you have broken one or more of these rules. Or, like quite a few developers who received this email, you might still be confused about what you've done wrong.
Google makes specific reference to Section 4.8 of its Developer Distribution Agreement. We're going to look at this first, because it includes a very broad and important obligation.
Here's the section, in full:
What's the big deal about this specific section of this specific agreement? Well, the key part is the first sentence:
"You agree that if You make Your Products available through Google Play, You will protect the privacy and legal rights of users."
Google's terms require that you obey privacy and data protection laws, which (depending on your market) might include the GDPR and the California Online Privacy Protection Act (CalOPPA). Compliance with these laws is no simple matter.
Here are some of the obligations, as specified in Section 4.8, that were imposed on you when you agreed to this:
These are some of the key features of data protection law. Compliance with these requirements is also just good practice, and doing so will benefit your operation in the long term.
We've looked at some of the reasons that you might have been accused of breaching Google's policies. You may have identified the problem. Or you may still believe that you have been wrongfully or mistakenly accused.
One (perhaps temporary) option is to prevent your app from collecting the Advertising ID altogether. Google does suggest that one potential fix for this policy violation is "removing any requests for sensitive permissions or user data."
Android defines user data and sensitive user data quite broadly, and so it may be difficult to completely scour your app for any user data requests. This will certainly not be possible if your app is to remain monetized, and (at a minimum) will mean turning off ads in your app.
However, it would be a shame to de-monetize your app when there are other simple fixes available. Let's take a look at some of them.
Even where apps are using non-personalized ads, they are collecting information that could be deemed "personal data." This could even be the case if you aren't serving ads at all. Your app might request access permissions of some kind, or ask a user to provide their name or email address.
You might have lost track of the ways in which your app uses device identifiers. A 2018 study from Oxford University revealed that, from a sample of over 950,000 apps, nearly 90 percent of the apps sent tracking data back to Google. This was often in the form of analytics or crash data.
Remember that personal data includes the obvious examples, such as a user's name and email address, and can also include other identifiers such as the Advertising ID, IMEI and MAC address.
Google is making developers aware of these specific problems:
Let's look at an example of how to do this right, from the Adobe Acrobat Android app.
Note that Adobe's company name is front and center. This would satisfy Google's requirement, referenced above.
If you have users in the EU, you may have circumvented the EU User Consent Policy.
The EU User Consent Policy is Google's way to try to ensure that developers are compliant with the GDPR and another EU law known as the ePrivacy Directive.
The Policy requires that you gain your users' consent to set cookies and collect their personal data. The policy only applies in respect to users in the EU.
You'll need to implement some sort of consent-gathering solution into your app's UI. How you do this is, to some extent, up to you. But you must be aware that the GDPR imposes a very high standard of consent.
To help developers earn consent for ads, Google provides the Consent SDK, a library of utility functions including a pre-rendered consent form which allows users to choose whether they see personalized or non-personalized ads.
Here's an example of an app that uses the Consent SDK, PinstaPhoto. Here's what EU users see when they first open the app:
And here's what users see when they select "No, see ads that are less relevant":
PinstaPhoto appears to be using Google's pre-rendered consent form. This allows users a combination of up to three options:
PinstaPhoto has opted to only offer the first of these two options - users cannot pay to remove ads altogether.
Google cautions developers who are using its pre-rendered consent form:
"You should review the consent text carefully: what appears by default is a message that might be appropriate if you use Google to monetize your app; but we cannot provide legal advice on the consent text that is appropriate for you."
According to a strict reading of EU law, there may be some issues with Google's implementation of the consent-request process.
This appears to run contrary to the GDPR's strict consent requirements. Ultimately, however, using the Consent SDK is very likely to help you satisfy Google's requirements around earning consent for ads.
Developers who aren't running ads might be especially confused by how they might have violated the Usage of Advertising ID Policy. Well, there are certain app dependencies that might be using the Advertising ID within your app without you even realizing it.
For example, Google Analytics for Firebase uses the Advertising ID. Instructions on disabling collection of the Advertising ID for this purpose can be found in a Google Firebase help page about disabling analytics:
Another dependency that uses the Advertising ID is Crashlytics.
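One way to check for the dependency problem described above, as an added example (not from the original article or from Google): the script audits a merged AndroidManifest.xml for the Firebase flag `google_analytics_adid_collection_enabled` and for the Play services `AD_ID` permission that libraries can merge in. The sample manifest is constructed, and both identifiers are taken from Google's documentation rather than from this page.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS
VALUE = "{%s}value" % ANDROID_NS

# Manifest identifiers documented by Google (not quoted on this page).
ADID_FLAG = "google_analytics_adid_collection_enabled"
AD_ID_PERMISSION = "com.google.android.gms.permission.AD_ID"

# Constructed sample: a merged manifest where a dependency added the
# AD_ID permission and the Firebase flag was never set by the developer.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="com.google.android.gms.permission.AD_ID" />
    <application android:label="Example">
        <meta-data android:name="firebase_analytics_collection_enabled"
                   android:value="true" />
    </application>
</manifest>"""


def audit_manifest(xml_text):
    """Return findings about Advertising ID use in a merged manifest."""
    root = ET.fromstring(xml_text)
    findings = []

    # Any library can contribute this permission during manifest merging.
    perms = {p.get(NAME) for p in root.iter("uses-permission")}
    if AD_ID_PERMISSION in perms:
        findings.append("declares AD_ID permission")

    # Firebase Analytics collects the Advertising ID unless this flag
    # is present and set to "false".
    flag = None
    for meta in root.iter("meta-data"):
        if meta.get(NAME) == ADID_FLAG:
            flag = (meta.get(VALUE) or "").strip().lower()
    if flag is None:
        findings.append("adid flag missing (Firebase default: collect)")
    elif flag != "false":
        findings.append("adid flag set to %r, collection enabled" % flag)
    return findings


if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print("FINDING:", finding)
```

Run it against the merged manifest from a build output rather than the source manifest, since entries contributed by dependencies only appear after merging.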
A lot of Android developers were understandably worried when they received notification that their app was in breach of Google's policies. But you should treat this as a wake-up call, and an opportunity to ensure your app complies with the law.
These solutions should help ensure your app is acceptable to Google under its Usage of Android Advertising ID Policy: