Skip to content

Privacy Changes come to the Google Play Store

Following on the heels of iOS’s push into the land of privacy for Apps this past spring, Google has announced new privacy related changes for their own app store slated for this fall and next spring.

So what’s the timeline?

While Google has stopped short of requiring a consent prompt prior to collection of data, they have a number of new requirements Android App owners must be aware of.

September 1st

A new developer preview will be released of the app set ID, which will be used for essential use cases such as analytics and fraud prevention. However, this app set ID cannot be used for ads personalization or ad measurement.

Additionally, changes to the Family Policy Requirements on identifiers used in apps that target children are forthcoming. Developers will need to comply by September 1st for most of the policies, and by January 15th for the Ad ID changes.

October 4th

Changes will be coming to the Ads Policy, which will govern how the Android Advertising ID works.

October 15th

Changes are coming to the Device and Network abuse policy which will prohibit Apps and SDKs with interpreted languages, such as JavaScript from violating Google Play policies.

October 28th

The User Data Policy will be updated. You will no longer be able to link persistent device identifiers to persona and sensitive user data or any resettable device identifier (Such as the GAID) unless for pre-approved use cases.

April 1st, 2022

Developers will be required to provide accurate information related to personal or sensitive data the app collects, uses or shared within the App itself prior to the collection of that data

So what does this mean?

In short – apps using data collection need to be prioritized for development work regarding data collection changes ahead of their respective deadlines.

Longer term, I expect a negative impact on Android Advertising efforts. I am skeptical it will be as dramatic as the iOS App Tracking Transparency changes, but it will surely be noticeable. Let us look at each of the major areas…

Android Advertising ID

Several changes are coming to the Android Advertising ID. Going forward the identifier will work as follows:

The Android Advertising ID may only be used for advertising and user analytics upon verification of being allowed to do so by checking the status of the “Opt out of interest-based Advertising” or “Opt Out of Ads Personalization” setting. Each time the id is accessed, the setting must be reverified.

The advertising id has additional restrictions for Advertising and Analytics use cases.

  • Advertising: The advertising id may not be connected to persistent device identifiers for any advertising purpose. The advertising ID may only be connected to personally-identifiable information with explicit consent of the user.
  • Analytics: The advertising identifier may only be connected to the personally-identifiable information or persistent device identifier with the explicit consent of the user.

The app is required to respect the user selections. For example if they reset their user identifier, you may not attempt to link that to the existing profile without explicit consent of the user. If they’ve opt’d out of personalized advertising you can’t use the identifier for building a profile for advertising purposes or targeting said users with personalized advertising.

You may however: Prevent Contextual Advertising, take part in frequency capping, conversion tracking reporting and security and fraud detection.

Lastly, the advertising id can only be used as described above. All apps on the play store must use the advertising id when available in place of any other device identifiers for any advertising purposes.

Data Collection

Several changes are coming to the User Data Policy which will affect apps on the Play store which collect data.

Apps will be expected to disclose app’s access requirements, collection use and sharing of data collected. Apps are also required to limit the use of that data to the purposes disclosed. So no more “Find out what Gummy Bear are you…” quizzes to harvest email addresses for selling.

Should your app deal in personal or sensitive information there will be entire other set of requirements you’ll be subject to. Google defines this information as:

Personal and sensitive user data includes, but isn’t limited to, personally identifiable information, financial and payment information, authentication information, phonebook, contacts, device location, SMS and call related data, inventory of other apps on the device, microphone, camera, and other sensitive device or usage data. If your app handles sensitive user data, then you must:

https://support.google.com/googleplay/android-developer/answer/10144311

They go on to state that the requirements. I’ve bolded some of the more relevant parts. You are strongly encouraged to read all of it and decide of it applies to your app and use cases.

Limit your access, collection, use, and sharing of personal or sensitive data acquired through the app to purposes directly related to providing and improving the features of the app (e.g., user anticipated functionality that is documented and promoted in the app’s description in the Play Store). Apps that extend usage of this data for serving advertising must be in compliance with our Ads Policy.

Post a privacy policy in both the designated field in the Play Console and within the app itself. The privacy policy must, together with any in-app disclosures, comprehensively disclose how your app accesses, collects, uses, and shares user data. Your privacy policy must disclose the types of personal and sensitive data your app accesses, collects, uses, and shares; and any parties with which any personal or sensitive user data is shared.

Handle all personal or sensitive user data securely, including transmitting it using modern cryptography (for example, over HTTPS).

Use a runtime permissions request whenever available, prior to accessing data gated by Android permissions.

Not sell personal or sensitive user data.

https://support.google.com/googleplay/android-developer/answer/10144311

However, as one can expect any time data collection disclosure comes up, there is a discussion about consent. This time notable important changes are coming to how Android handles consent for data collection.

Disclosure

In cases where it’s not reasonable that the user expects their personal user data will be required (such as when data collection happens in the background) you must undertake additional steps.

The app must provide an in app disclosure of the data access, collection, use and sharing. They are very clear on this. The disclosure must be in the app itself and not in the app description or on a related website. The notice must be displayed in the normal usage of the app and may not be hidden in a menu or setting.

The notice is required to contain the data being accessed and / or collected and how that data will be used and / or shared with external parties.

Further, and this next bit is critical. You cannot only place this notice in the privacy policy or terms of service. You also cannot include this disclosure with other disclosures unrelated to this data collection.

So to review: Can’t be hidden in a menu or setting, can’t be only in the privacy policy, terms of service, app description or on a website. Must be visible in the normal usage of the app and properly declare what data is used and for what purposes and with whom it’s shared.

Consent Prompting

But what about the display and consent mechanics? Glad you asked. Google has you covered here too.

The in-app disclosure must accompany and immediately precede a request for consent and where available, use a runtime permission. You may not collect any data until after consent has been granted.

However, there are some requirements regarding the consent mechanics specifically…

The consent dialog must be clear and unambiguous and require affirmative user action (app button, checkbox, etc.)

The following does not count as consent: Navigation away from the disclosure, such as pressing back button, home button etc. or can you use auto-dismissing or expiring message as a means of gaining user consent.

Recommendations

A lot of changes here, and while not quite as restrictive as the iOS framework (which requires leveraging the operating system methods as the consent mechanic) they come pretty close. Brands need to quickly evaluate their data needs and make the required changes before the end of October 2021 in order to be in compliance with the posted deadlines then immediately prepare for the larger data disclosure changes slated for next spring which may impact the marketing plan going into late spring / early summer.

This is sure to manifest in the effectiveness of targeted advertising on Android, and it will be interesting to see if the adoption rates for consent align with the very low consent numbers being seen on the App store following Apple’s release of App Tracking Transparency. Even with nearly 8 months to prepare for the change I expect a lot of Ad Networks and App owners to struggle to be ready in time.

If your company makes a lot of money on targeted advertising in the mobile space this means that the two major app distribution networks may heavily impact your revenue streams ahead of Black Friday with their respective app changes.

If you are the only leveraging targeting advertising to drive demand, be aware that the effectiveness of the ads will likely be dramatically lower on iOS ahead of holiday and Android will start to see a decline in the spring as the change is adopted by the apps in the Play store and those updates get adopted by users.

Given this new world – a review of your marketing and or revenue plan may be in order.

Published inMobilePrivacy