Way back in July of last year I wrote about the changes coming to Android in the name of privacy. The last and most major of these changes is nearly upon us, with Google slated to begin enforcement on April 1st, 2022. Since the enforcement date is nearing, I wanted to bring it to the forefront one more time before we reach April. Below you will find a high level summary of the changes. The article from last year has more detail, but I strongly encourage (and call out in places) reviewing the official Google Play Store policies to ensure your app matches Google’s expectations.
Advertising ID Changes
Starting late in 2021, Google changed how the Google Advertising ID works to allow a user to Opt-out of targeting, replacing the ID with a string of zeros. Google’s documentation has this to say about the change.
This Google Play services phased rollout will affect apps running on Android 12 starting late 2021 and will expand to affect apps running on all devices that support Google Play starting starting April 2022. For essential non ads use-cases such as analytics and fraud prevention, use App Set ID.
https://support.google.com/googleplay/android-developer/answer/6048248
Google also notes if your app target’ children, you can’t use the advertising id.
Some Google Play policies, such as the Families Policy, require that apps not use the Ad ID. If your app uses SDKs, like the Google Mobile Ads SDK, that declares the AD_ID permission in their library manifests, you must prevent the permission from getting merged into your app by including the following element in your manifest.
https://support.google.com/googleplay/android-developer/answer/6048248
So if your app reads the Google Advertising ID – you may need to make changes to accommodate the change in functionality. I recommend reviewing the requirements for the usage of the Advertising ID, which can be found under the updated Ads policy.
Usage of the App Set ID for analytics use cases can be found detailed under the User Data Policy updates.
User Policy Changes
You also may also need to make adjustments to how you prompt for consent prior to data collection due to changes to the User Data Policy. Pay special note to the requirements around the collection of personal and sensitive data, which involve seeking consent prior to collection.
Collection of Personal or Sensitive data may invoke the Prominent Disclosure & Consent Requirements as to exactly what consent means, and what you are allowed / not allowed to do.
Google is very clear on how this consent mechanic must work. The disclosure and consent can’t be on a website, buried in terms of service or privacy policy and must be part of the app, use cases for what constitutes consent and requirements for presentation and consent prior to data collection. If you think you are collecting personal or sensitive data I strongly recommend reviewing the requirements.
Measurement
It’s worth mentioning again that changes to these policies, once reflected in the App and rolled out to users may cause fluctuations in analytics or campaign performance measurement. Folks opting out of the Google Advertising ID via their settings will become harder to target. The extent this may be material will vary from app to app depending on the amount of data they collect, what kind of data they collect and what their respective business model looks like.
The Clock is Ticking
Brands with an Android app in the Play Store have roughly six weeks from the time of writing until enforcement of the changes to the Google Advertising ID begin. Apps found to be in violation after enforcement will be subject to the enforcement process, ranging from Play Store update rejection through developer account termination, dependent on the specific factors of the violation.
This does not leave much time to make changes, particularly if you need to toggle sprint planning to get the changes in ahead of the enforcement date. If you (or any of your app’s SDKs) make use of the Android Advertising ID you’ll want to give the policy changes a review. This is especially true if your app collects any personal or sensitive data which can have a more dramatic effect on development time needed for compliance.
While these change are not legal requirements (but note your app may also be subject to legal requirements regarding data collection), note that this also means Google is the final arbiter, and is not subject to the legal red tape in enforcement of the Play Store policies. You should strongly consider how critical it is your app remains available in the Play Store before deciding to delay compliance.