Google has recently started emailing Google Play developers about privacy-related issues when their app lacks a privacy policy in certain situations. This appears to be increased scrutiny of integrated SDKs that collect personal data. Here is what these emails look like (this one concerns an app using the OneSignal SDK, an SDK for notifications and messaging):
Hello Google Play Developer,
We detected that the app(s) listed at the end of this email contain a version of OneSignal, a messaging SDK, that collects personally identifiable information (PII) without disclosure. Apps like this may be considered in violation of our User Data policy.
Action required: Your app(s) may be removed from Google Play if the issue is not resolved within 10 days of receiving this message. If the affected version is inactive, future submissions will be rejected if you attempt to publish without first resolving the issue.
You can resolve this issue by:
- adding a privacy policy URL to your app listing and within the app, notifying the user that their PII is collected; or
- removing any such functionality from your app. You may need to contact your SDK provider for an updated, policy compliant version to include in your app.
After resolving the issue, you’ll need to sign in to your Developer Console and submit the updated version of your app.
We’re here to help
If you feel we have sent this warning in error, you can contact our developer support team.
This is an interesting development: it hints that Google is starting to take a closer look at data collection by third parties and SDKs, and at whether developers have properly disclosed that data collection in a privacy policy.
Let us dissect the email:
We detected that the app(s) listed at the end of this email contain a version of OneSignal, a messaging SDK, that collects personally identifiable information (PII) without disclosure. Apps like this may be considered in violation of our User Data policy.
Here Google is referring to its User Data policy, which we outlined in our post on how to write a privacy policy for the Play Store. In this User Data policy Google describes why and when you need to address privacy matters: “including by disclosing the collection, use, and sharing of the data, and you must limit use of the data to the description in the disclosure. If your app handles personal or sensitive user data, there are additional requirements described below. This policy establishes Google Play’s minimum privacy requirements; you or your app may need to comply with additional restrictions or procedures if required by an applicable law”.
The remaining statements are very clear:
- “Your app(s) may be removed from Google Play if the issue is not resolved within 10 days of receiving this message”
- “(…) a privacy policy URL to your app listing and within the app, notifying the user that their PII is collected; or removing any such functionality from your app”
You have ten days to fix the problem with your privacy policy. If you do not know where to start, you might find our privacy policy generator for mobile apps useful.
Regarding OneSignal within the privacy policy
OneSignal is an SDK that lets an app communicate with its users through its messaging and notification tool. According to OneSignal’s privacy policy, the data it processes includes some or all of the following:
- Your device’s Advertising Identifier
- Your email address.
- Some or all of the following information: IP address, device push token, precise location, network information, language, timezone, product preferences, and privacy preferences.
OneSignal also states the following: “(…) we or a data partner we have engaged may collect and store a unique identifier matched to your mobile device, in order to deliver customized ads or content while you use applications or surf the internet, or to seek to identify you in a unique manner across other devices or browsers”. OneSignal offers an opt-out for this, which you might consider reflecting in your own privacy policy as well (copied below verbatim from OneSignal’s privacy policy):
End User Opt-Out
End-users may opt-out of OneSignal related data collection by modifying the ad tracking settings on their device (identified by “Limit Ad Tracking” on iOS and “Opt out of interest based ads” on Android), or by sending us a message through our contact form here https://onesignal.wufoo.com/forms/z16j8an40nfirat/.
Need a framework to base your privacy policy on? iubenda can help with that.