Violation of Usage of Android Advertising ID Policy

A number of Android app developers have received a strongly worded email from Google recently. This email warns the developer that their app could be removed from the Google Play store. Sometimes it states that their app has already been removed.

The developer is deemed guilty of the following:

"Violation of Usage of Android Advertising ID policy and section 4.8 of the Developer Distribution Agreement"

Publishing an Android app in the Google Play store requires agreeing to Google's terms and policies. It's important to note that you are contractually obliged to stick to these agreements, and you should consider them legally binding.

But frankly, there are so many rules and obligations that it can be pretty easy to make an innocent slip-up.

Don't panic. You can turn this into an opportunity to improve your data protection practices.

Let's look at how you can comply with Google's requirements and get your app back on track.

Advertising ID

The Advertising ID is a unique user identifier. Developers can use the Advertising ID to help them monetize their apps. Each ID is associated with a specific Android user and is used in the targeting of ads (among other things).

A user can exercise certain controls over their Advertising ID, allowing them to limit the amount of information that apps collect about them. For example, a user can reset their Advertising ID, or use it to opt out of receiving personalized ads (previously "interest-based ads").

It is not to be confused with the Android ID, which is created when a user sets up their Android device and will always be associated with that device.

Google's Policies

Google's business model depends, in large part, on the use and analysis of people's personal data. For example, it tracks the behaviors of users of its search engine and serves them personalized ads on behalf of advertisers.

Google offers app developers the opportunity to engage in this sort of business model. Through products and services such as the Android SDK and Google Play, developers can monetize their users' personal data.

For example, you might collect your users' personal data if you have opted to serve personalized ads. The function of your app itself might also depend on access to a user's personal data.

This can be a powerful method of generating income. But with great power comes great responsibility. Such activity is governed by strict data protection and privacy laws, and Google's policies are designed to ensure that developers obey these laws when using its products.

Usage of Android Advertising ID Policy

The Usage of Android Advertising ID Policy is a section of Google's Ad policy, one of the agreements in Google's Developer Policy Center.

Whilst the Advertising ID might not allow you to identify individual users, it could be linked to other information to provide insights into identifiable individuals. This means it can be considered personal data under data protection laws, such as the EU General Data Protection Regulation (GDPR).

The obligations arising out of this agreement include:

• Only using the Advertising ID for analytics and advertising purposes
• Not connecting or associating the Advertising ID with any other personal data, including device identifiers
• Offering your users a choice about whether to serve them personalized ads
• Respecting users' privacy choices
• Publishing a Privacy Policy and providing any other necessary privacy information where you use the Advertising ID
• Obeying Google's policies, and ensuring that any third parties with whom you share the Advertising ID do the same
• Not using any alternative device identifiers for advertising purposes (unless the Advertising ID is unavailable on a device)

You might recognize that you have broken one or more these rules. Or, like quite a few developers who received this email, you might still be be confused about what you've done wrong.

Developer Distribution Agreement

Google makes specific reference to Section 4.8 of its Developer Distribution Agreement. We're going to look at this first, because it includes a very broad and important obligation.

Here's the section, in full:

What's the big deal about this specific section of this specific agreement? Well, the key part is the first sentence:

"You agree that if You make Your Products available through Google Play, You will protect the privacy and legal rights of users."

Google's terms require that you obey privacy and data protection laws, which (depending on your market) might include the GDPR and the California Online Privacy Protection Act (CalOPPA). Compliance with these laws is no simple matter.

Here are some of the obligations, as specified in Section 4.8, that were imposed on you when you agreed to this:

• Ensuring that your users are aware of any personal data your app collects
• Providing a legally compliant Privacy Policy and providing any other necessary privacy information
• Only using personal data (including Google Account information) in connection with limited and specific purposes
• Storing personal data securely, and only for as long as you need it

These are some of the key features of data protection law. Compliance with these requirements also just good practice and doing so will benefit your operation in the long term.

How To Fix the Problem

We've looked at some of the reasons that you might have been accused of breaching Google's policies. You may have identified the problem. Or you may still believe that you have been wrongfully or mistakenly accused.

One (perhaps temporary) option is to prevent your app from collecting the Advertising ID altogether. Google does suggest that one potential fix for this policy violation is "removing any requests for sensitive permissions or user data."

Android defines user data and sensitive user data quite broadly, and so it may be difficult to completely scour your app for any user data requests. This will certainly not be possible if your app is to remain monetized, and (at a minimum) will mean turning off ads in your app.

However, it would be a shame to de-monetize your app when there are other simple fixes available. Let's take a look at some of them.

Create a Privacy Policy

One of the main reasons Google appears to be contacting developers about this issue is that they don't have a Privacy Policy.

You may be wondering if your app requires a Privacy Policy. Instead of spending any time or effort wondering about whether or not you need one, it's probably best just to accept that you do.

Even where apps are using non-personalized ads, they are collecting information that could be deemed "personal data." This could even be the case if you aren't serving ads at all. Your app might request access permissions of some kind, or ask a user to provide their name or email address.

You might have lost track of the ways in which your app uses device identifiers. A 2018 study from Oxford University revealed that, from a sample of over 950,000 apps, nearly 90 percent of the apps sent tracking data back to Google. This was often in the form of analytics or crash data.

Where your app does collect personal data, a Privacy Policy is a legal requirement in many jurisdictions, including:

• California (required under CalOPPA)
• The EU (required under the GDPR)
• Canada (required under the personal data and Electronic Documents Act - PIPEDA)
• Australia (required under the Privacy Act 1988)

If you have users in any of these places (and others), and your app collects any sort of personal data, you need a Privacy Policy.

Remember that personal data includes the obvious examples such as a user's name, email address, etc; and can also include other identifiers such as Advertising ID, IMEI, MAC address, etc.

Ensure Your Privacy Policy is Properly Displayed

Some developers are receiving this violation notification not because they don't have a Privacy Policy, but because they aren't making it properly accessible.

It's not enough to have a Privacy Policy. It's not even enough to ensure that it contains all the correct information. You must also make sure that it's clear and accessible to your users.

Google is making developers aware of these specific problems:

• URL does not load reliably or times out
• URL opens a home page or license agreement instead of a Privacy Policy, and does not provide the required privacy disclosure
• URL opens a page which does not clearly reference your app or company
• URL requires a special handler to read the file (.pdf, docx) - Privacy disclosure must be in text form (unless clearly accommodating for user accessibility purposes)

It's simple to fulfill these requirements. Just make sure your Privacy Policy is hosted somewhere accessible and reliable, in text form, with clear reference to your app and/or company.

You need to ensure that your Privacy Policy is accessible from several places:

• From within your app
• Via the Google Play store
• On your website (if you have one)

Let's look at an example of how to do this right, from the Adobe Acrobat Android app.

Here's the app's listing in the Google Play store with the Privacy Policy linked:

We've written some instructions on how to upload your Privacy Policy to the Google Play store.

Adobe also provides a link to its Privacy Policy within the app. First, the user must access the Settings menu:

Adobe's Privacy Policy is available via the app's About section:

Here's how Adobe's Privacy Policy looks on a mobile browser:

Note that Adobe's company name is front and center. This would satisfy Google's requirement, referenced above.

Request Consent

If you have users in the EU, you may have circumvented the EU User Consent Policy.

The EU User Consent Policy is Google's way to try to ensure that developers are compliant with the GDPR and another EU law known as the ePrivacy Directive.

The Policy requires that you gain your users' consent to set cookies and collect their personal data. The policy only applies in respect to users in the EU.

You'll need to implement some sort of consent-gathering solution into your app's UI. How you do this is, to some extent, up to you. But you must be aware that the GDPR imposes a very high standard of consent.

To help users earn consent for ads, Google provides the Consent SDK, a library of utility functions including a pre-rendered consent form which allows users to choose whether they see personalized or non-personalized ads.

Here's an example of an app that uses the Consent SDK, PinstaPhoto. Here's what EU users see when they first open the app:

And here's what users see when they select "No, see ads that are less relevant":

PinstaPhoto appears to be using Google's pre-rendered consent form. This allows users a combination of up to three options:

• Personalized ads
• Non-personalized ads
• Paying for removal of ads

PinstaPhoto has opted to only offer the first of these two options - users cannot pay to remove ads altogether.

Google cautions developers who are using its pre-rendered consent form:

"You should review the consent text carefully: what appears by default is a message that might be appropriate if you use Google to monetize your app; but we cannot provide legal advice on the consent text that is appropriate for you."

According to a strict reading of EU law, there may potentially be some issues with Google's implementation of the consent-request process.

In a help document, Google states that because of the way it uses cookies to deliver all types of ads, both personalized and non-personalized ads require consent, If presented with Google's pre-rendered consent form, it's not clear how a user could refuse consent for ads without paying a fee.

This appears to run contrary to the GDPR's strict consent requirements. Ultimately, however, using the Consent SDK is very likely to help you satisfy Google's requirements around earning consent for ads.

Not Running Ads? Check Your Dependencies

Developers who aren't running ads might be especially confused by how they might have violated the Usage of Advertising ID Policy. Well, there are certain app dependencies that might be using the Advertising ID within your app without you even realizing it.

For example, Google Analytics for Firebase uses the Advertising ID. Instructions on disabling collection of the Advertising ID for this purpose can be found in a Google Firebase help page about disabling analytics:

Another dependency that uses the Advertising ID is Crashlytics.

You don't necessarily have to disable these dependencies, or their use of the Advertising ID, in order to comply with the Usage of Android Advertising ID Policy. But you'll have to consider the above solutions, such as creating a Privacy Policy and requesting consent, if you wish to continue using the Advertising ID - even through an app dependency.

Summary

A lot of Android developers were understandably worried when they received notification that their app was in breach of Google's policies. But you should treat this as a wake-up call, and an opportunity to ensure your app complies with the law.

These solutions should help ensure your app is acceptable to Google under its Usage of Android Advertising ID Policy:

• Stop collecting any user data (perhaps temporarily)
• Create a Privacy Policy
• Make sure your Privacy Policy is reliable and accessible
• Request consent for ads from EU users
• Check your dependencies for use of the Advertising ID