Is my app or its dependencies violating the Android Advertising Id policy?
Is my app or its dependencies violating the Android Advertising Id policy?
I've just received this message from Google Play but I'm not collecting the Advertising ID.
Reason for warning: Violation of Usage of Android Advertising ID
policy and section 4.8 of the Developer Distribution Agreement
Google Play requires developers to provide a valid privacy policy when
the app requests or handles sensitive user or device information.
We’ve identified that your app collects and transmits the Android
advertising ID, which is subject to a privacy policy requirement.
Is it possible any of my dependencies uses it? Here's the list of dependencies:
implementation "org.jetbrains.kotlin:kotlin-stdlib:$kotlin_version"
implementation "org.jetbrains.anko:anko-common:$anko_version"
implementation ("com.android.support:appcompat-v7:$android_support_version")
exclude group: 'com.android.support', module: 'animated-vector-drawable'
exclude group: 'com.android.support', module: 'design'
implementation ("com.android.support:design:$android_support_version")
exclude group: 'com.android.support', module: 'animated-vector-drawable'
implementation ("com.android.support:cardview-v7:$android_support_version")
exclude group: 'com.android.support', module: 'animated-vector-drawable'
exclude group: 'com.android.support', module: 'design'
implementation 'com.github.PhilJay:MPAndroidChart:v3.0.2'
implementation 'com.github.apl-devs:appintro:v4.2.3'
implementation('com.crashlytics.sdk.android:crashlytics:2.6.8@aar')
transitive = true
implementation 'com.firebase:firebase-jobdispatcher:0.7.0'
implementation ("com.google.firebase:firebase-firestore:$firestore_version")
exclude group: 'com.google.firebase', module: 'firebase-auth'
implementation ("com.google.firebase:firebase-auth:$firebase_version")
exclude group: 'com.google.firebase', module: 'firebase-firestore'
implementation ("com.google.firebase:firebase-storage:$firebase_version")
exclude group: 'com.google.firebase', module: 'firebase-firestore'
implementation ('com.google.android.gms:play-services-auth:16.0.0')
exclude group: 'com.google.firebase', module: 'firebase-firestore'
implementation 'com.android.support.constraint:constraint-layout:1.1.3'
implementation 'com.android.support:multidex:1.0.3'
implementation ("com.android.support:exifinterface:$android_support_version")
exclude group: 'com.android.support', module: 'animated-vector-drawable'
exclude group: 'com.android.support', module: 'design'
implementation 'com.soundcloud.android:android-crop:1.0.1@aar'
implementation 'com.github.bumptech.glide:glide:4.7.1'
I've added a privacy policy using app-privacy-policy-generator.firebaseapp.com
– aloj
Sep 18 '18 at 8:30
how did you confirm that you successfully stopped the violation after putting generated url?
– Hemanth SP
Sep 18 '18 at 15:51
Idemdito here. I filed a complaint, hope it will work... my app are my core source of revenue
– Wouter Vandenputte
Sep 18 '18 at 18:05
Adding only privacy URL does not work they removed my app again on 2nd day after providing privacy URL we need to make code changes i believe still figuring out what code fix is needed
– Bhavesh
Sep 19 '18 at 4:42
19 Answers
19
Today many developers are getting this same issue.
I also got this issue. I didn't collect any sensitive data, I am not even showing ads to my users. In your case the Crashlytics lib could be an issue. It deals with advertising IDs.
In the mail they mention the required action:
Action required: Add a privacy policy to your store listing and app
So I think all of us should add a privacy policy on the store listing as well as on the app. Before taking the action we should go through the related privacy policy.
Here are some links from where you can get help:
Privacy policy to upload an app
Usage of Android Advertising ID
Developer Distribution Agreement
Developer Program Policies
...or don't use Crashlytics, or any other dependency that may be violating people's privacy. I believe this is now illegal in Europe anyway, and the fines are potentially huge. If you use services that may be siphoning away people's private data, to which the id belongs, you put them (and your company) at risk.
– Cerberus
Sep 19 '18 at 12:16
@Cerberus Using them is certainly not illegal, but you need to collect opt-in and fulfil additional requirements. Good on Google for enforcing this, actually (though they probably don’t do it out of the goodness of their heart).
– Konrad Rudolph
Sep 19 '18 at 13:11
@KonradRudolph Should "meeting the minimum legal requirements" be the standard against which we decide if privacy is violated?
– Juggerbot
Sep 19 '18 at 13:22
@Juggerbot It’s unclear whether Google has any legal requirement in this regard; they probably do it to cover their asses just in case but the infringing party in this case according to GDPR would be the app developer, not Google.
– Konrad Rudolph
Sep 19 '18 at 13:27
Apple announced that from 3rd October every app owner have to add privacy policy. But our android!!!??? OMG
– Mafujul
Sep 20 '18 at 10:22
According to the Firebase docs you can disable advertising id collection by setting:
<meta-data android:name="google_analytics_adid_collection_enabled" android:value="false" />
in your AndroidManifest.xml under the <Application> tag.
AndroidManifest.xml
<Application>
EDIT: It seems like people are having mixed success with this approach. Try adding configurations all*.exclude group: 'com.google.firebase', module: 'firebase-core' all*.exclude group: 'com.google.firebase', module: 'firebase-iid' to the Gradle app dependencies area as per comment below.
configurations all*.exclude group: 'com.google.firebase', module: 'firebase-core' all*.exclude group: 'com.google.firebase', module: 'firebase-iid'
Out of morbid curiosity, how many ad libraries (and other fodder) did this crash because they assumed
AdvertisingIdClient.getAdvertisingIdInfo() would always succeed?– jww
Sep 19 '18 at 9:34
AdvertisingIdClient.getAdvertisingIdInfo()
This will not crash any other Ad libraries. It will only notify firebase to not collect the ad id. I am only using firebase messaging still firebase is collecting analytics and other stuff by default and I can see this on the console.
– Sahil Kapoor
Sep 19 '18 at 11:29
I used this technique and my app got reinstated without submitting any privacy policy.
– Rajat Saxena
Sep 22 '18 at 0:18
so nice of google to kick my app out of the store with no warning for using firebase, way to go google
– ninj4 n00b
Sep 27 '18 at 5:23
It's not the solution. In my case I added this line and republish. After some days, my app was kick out again from google play.
– Juan Pablo
Oct 11 '18 at 18:55
You are using crashlytics below 2.9.3. Apparently it's collecting and sending the google advertising id as a key in their header. That might be the or one of the issues.
You can check if it's sending the advertising id through a proxy like Charles.
Edit ***
It seems that version 2.9.3 and above are still getting the advertisingID from by calling AdvertisingIdClient.getAdvertisingIdInfo() from the com.google.android.gms.ads.identifier package. I checked it by setting a break point on the method. I am assuming it is somehow still being send to fabric. Which would mean updating to higher version will not solve it..
AdvertisingIdClient.getAdvertisingIdInfo()
com.google.android.gms.ads.identifier
How do you check?
– Questioner
Sep 18 '18 at 9:04
@RikvanVelzen You mention version 2.9.3. Can you point to the info saying that in newer versions it is is not an issue?
– Yossi
Sep 18 '18 at 9:17
@Yossi: no the only thing i can point to is the reddit post which link you can find in to comments of the question. And I checked myself through Charles that in 2.9.3 the X-CRASHLYTICS-ADVERTISING-TOKEN is not sent in the header anymore.
– Rik van Velzen
Sep 18 '18 at 9:21
Crashlytics does not send Advertising ID starting from 2.9.3. Mike from Fabric stated clearly: "From Crashlytics SDK version 2.9.3 and higher, we no longer submit the Android Ad Id to our servers. In prior versions of the Crashlytics SDK, this Id was primarily collected and submitted for Mobile App Conversion Tracking and Audience Insights (both of which are now deprecated features)." (reddit.com/r/androiddev/comments/9gqr6y/…)
– javaxian
Sep 19 '18 at 7:55
For Unity users, the problem is in Unity Analytics.
To resolve this problem, we need to do 2 tasks:
After resubmitted about some minutes, Google Play approved my app.
In Unity 2018, can we remove the package of Unity Analytics and Ads to fix this too?
– Gabriel Stafoca
Sep 19 '18 at 20:40
@GabrielStafoca I think that it is possible, you can try it
– Quang Tran
Sep 20 '18 at 22:54
Not if you're actually using the Analytics... ;)
– Almo
Sep 22 '18 at 21:15
@GabrielStafoca that worked for me. I also added unity's privacy policy URL on store listing. Btw I wasn't using Unity Ads or Analytics. unity3d.com/legal/privacy-policy
– Erdi
Sep 23 '18 at 8:59
@Erdi yes, I tried and has worked for me too!
– Gabriel Stafoca
Sep 23 '18 at 17:06
I also recieved the same message and got some of my apps suspended today.
So i just deleted those three firebase dependencies:
compile 'com.google.firebase:firebase-core:10.0.1'
compile 'com.google.firebase:firebase-ads:10.0.1'
compile 'com.google.firebase:firebase-appindexing:10.0.1'
Then, i re-submitted the apps, and they was accepted after review :)
resubmitted app now it is visible in play app store?
– Hemanth SP
Sep 19 '18 at 1:06
Yep, they are accepted en ligne again on Play Store.
– Gama
Sep 19 '18 at 1:10
This is the only answer so far that shows how to stop collecting the information!
– pipe
Sep 19 '18 at 1:45
What if my app is showing ads? Since you removed firebase-ads dependecy
– olajide
Sep 19 '18 at 10:03
Firebase is just for tracking users interactions and analytics
– Gama
Sep 19 '18 at 10:17
I am not using Crashlytics or any other thing. Just a simple offline app with Facebook Ads. Still my app was removed from the Play Store.
Issue: Violation of Usage of Android Advertising ID policy and section 4.8 of the Developer Distribution Agreement
Issue Description: Google Play requires developers to provide a valid privacy policy when the app requests or handles sensitive user or device information. We’ve identified that your app collects and transmits the Android advertising identifier, which is subject to a privacy policy requirement. If your app collects the Android advertising ID, you must provide a valid privacy policy in both the designated field in the Play Console, and from within the app.
Solution:
I created a Privacy Policy for my app using this link and edited it according to my app.
I created a url for my privacy policy using this link.
Log in to Google Play Console and Go to the Store presence and then store listing and paste your url in Privacy Policy section.
Submit your update.
Note - In my case I did not have to submit any new build with privacy policy as mentioned in mail and my app was visible in play store within hours I did the steps I mentioned above. If in case your app is not visible in play store after following the above points then you should put one privacy policy section in your app too and submit a new build.
That's exactly the solution, I just had this problem last night, and I wrote a Privacy Policy and added the link to console, and now it's published again.
– Thiện Kopites
Sep 20 '18 at 10:23
Were downloads affected after the app was brought back?
– Sucho
Sep 28 '18 at 4:53
No. The downloads were same.
– Imran
Oct 1 '18 at 4:47
Was your android app removed or you were given a warning?
– Slick Slime
Oct 6 '18 at 8:51
The app was removed but it came back once I put the privacy policy as explained in the answer.
– Imran
Oct 8 '18 at 9:09
this is the cause
Google Play Services version 4.0 introduced new APIs and an ID for use by advertising and analytics providers.
We need to provide a privacy statement and make it available on the web.
For a sample go
https://digital.com/blog/best-privacy-policy-generators/
To change settings on your android app. Developer Console, Store Listing, scroll down to Privacy Policy. Add the url here.
How do you know it has to do with GPS 4.0+? How is that connected to the advertising ID violation?
– Rik van Velzen
Sep 18 '18 at 8:58
Read the information provided by Google.
– Theo
Sep 18 '18 at 9:06
app-privacy-policy-generator.firebaseapp.com
– Theo
Sep 18 '18 at 9:07
I did, but it's quite unclear if and how google play services uses the advertisingID and if there is a way to disable or opt-out of it. Are you 100% sure it's due to GPS 4.0+ and could you pinpoint to where the advertising ID is used/transmitted?
– Rik van Velzen
Sep 18 '18 at 9:26
as the text reads "Google Play Services version 4.0 introduced new APIs and an ID for use by advertising and analytics providers". I use crashlytics to collect crash details, admob (free version app) and Fabric to collect statistics so if any of these apply then you are apparantly transmitting an adversingId.
– Theo
Sep 18 '18 at 9:32
If your app uses Firebase SDKs like analytics and all, you can disable Advertising ID collection on SDK level by putting the following line in your AndroidManifest.xml file under the Application tag.
Advertising ID
AndroidManifest.xml
Application
<meta-data android:name="google_analytics_adid_collection_enabled" android:value="false" />
<meta-data android:name="google_analytics_adid_collection_enabled" android:value="false" />
You can read more about it here.
My app was not even an ad supported application but still it got hit by this section 4.8 clause. By employing the above technique I was able to get it back on Google Play without submitting any privacy policy.
section 4.8
I am not using firebase SDK but I am using Fabric so is it okay if i only add privacy policy section in my app and provide url in my console ?
– bhaskar
Oct 3 '18 at 17:26
copied from google mail
Please contact policy support team.
You can follow these steps to add a privacy policy to your Store Listing:
Sign in to your Play Console.
Select your app.
On the left side, select Store presence > Store listing.
Under "Privacy Policy," enter the URL where you have the privacy policy hosted online.
Save your changes to submit the update to your app.
Please visit our help center for more information about Google Play privacy policy requirements.
means no need update the apk?or just privacy url is enough?
– Hemanth SP
Sep 18 '18 at 15:58
no you need to update your app too.
– Theo
Sep 18 '18 at 18:57
@HemanthSP yes.....
– Java coder
Sep 19 '18 at 2:25
my app deleted from store today .. same issue
all i do that i add privacy policy to the app from(App console - Store presence - Store listing)
Like the image
you can create it from App Privacy Policy Generator
and uplaod it and write the link in Store listing and resubmit the app
That is work for me
and sorry for my bad language
how did you confirm that you successfully stopped the violation after putting generated url?
– Hemanth SP
Sep 18 '18 at 15:50
beware, you need to update your app as well, not just the link in Developer Console. From past experience, google do not notify that you are compliant. they will simply remove the app from the store again. I guess we just need to wait until the deadline has passed with crossed fingers.
– Theo
Sep 18 '18 at 18:55
Privacy policy webpage creation:
App update with consent:
Add link to your privacy policy:privacyUrl = new URL("https://www.your.com/privacyurl");
ConsentForm form = new ConsentForm.Builder(context, privacyUrl)
privacyUrl = new URL("https://www.your.com/privacyurl");
ConsentForm form = new ConsentForm.Builder(context, privacyUrl)
Add the privacy policy webpage by opening it in browser or in webview in your application
is this applicable for non admob user?
– Bhavesh
Sep 19 '18 at 5:04
you need adMob account to select ad technology providers: "Sign in to your AdMob account and select ad technology providers.", see: support.google.com/admob/answer/7666519#providers
– Witold Góralski
Sep 19 '18 at 12:46
step 1 : add privacy and policy url to play store console
step 2 : create a button example in side bar when button clicked just call this below method and add your url here
private void callThisMethodWhenPrivacyButtonClicked()
AlertDialog.Builder alert = new AlertDialog.Builder(this);
alert.setTitle("Title here");
WebView wv = new WebView(this);
wv.loadUrl("your privacy and policy uurl ");
wv.setWebViewClient(new WebViewClient()
@Override
public boolean shouldOverrideUrlLoading(WebView view, String url)
view.loadUrl(url);
return true;
);
alert.setView(wv);
alert.setNegativeButton("Close", new DialogInterface.OnClickListener()
@Override
public void onClick(DialogInterface dialog, int id)
dialog.dismiss();
);
alert.show();
First, you have to create a privacy policy URL and then add this URL in GOOGLE PUBLISHER CONSOLE based on application.
You can easily create privacy policy using this website.
Privacy Policies
If you have a server/host try to upload privacy policy page on your own server otherwise you can use this website for storing.
Mentioned: you have to add this policy page on your application. Create a menu as privacy police and show all your policy content on a dialog. Easiest way.
I had one of my app removed and another got warning for reason given as
Issue: Violation of Usage of Android Advertising ID policy and section 4.8 of the Developer Distribution Agreement
I created the privacy policies for both the apps, updated the link in play console store listing, included privacy policy link in main menu of both apps and resubmitted apps.
Both the apps are now live and running .
If you need you can copy the policy, make sure to do edits according to your app permissions and name.
Privacy policy
I don't know if these play console removal and warning count as strike, or somebody can enlighten me.
Is not a strike, you get strike if you app is in "Suspended" status if you can upload again app, is not strike, is strike when you can´t upload again app.
– user2983041
Sep 19 '18 at 8:40
can you please tell me that Is it necessary that privacy policy URL should be a dedicated website? OR can we use some type of free blog for this purpose like blogger.com?
– Noaman Akram
Sep 19 '18 at 17:36
@NoamanAkram As you can see i have used word press blog site, so it can be any url a s long it is public and works. You check the mail they have mentioned the points for url.
– android2013
Sep 20 '18 at 1:01
thanks @user2983041 one of my app was removed ,obviously its not same as suspended so as i understood it is not counted as strike , right? What about update rejected for any policy violation, will it be counted or not ?
– android2013
Sep 20 '18 at 1:04
I am using Crashlytics and OneSignal. Relying on @RikvanVelzen tests with Crashlytics 2.9.3, it is not the reason for my getting the messasge from Google, but OneSignal.
Google requirement is "you must provide a valid privacy policy in both the designated field in the Play Console, and from within the app."
Therefore, I believe that I need to do only two things which are not too complicated:
The following seems to provide instructions on how to do it (just one of many):
https://www.iubenda.com/blog/warning-google-play-developer-policy-violation-action-required-policy-issue/
I received a warning from Google recently mentioning that I have violated the Usage of Android Advertising ID policy and section 4.8 of the Developer Distribution Agreement.
I dont use ads on my app , but I am tracking users events / analytics using Amplitude and Fabric , which might be the cause of this warning.
Action required to solve the problem:
Include your generated privacy policy into your app , and make it accessible to users.
Update the app, and add privacy policy link (via Web page, or Google doc) to your store listing.
1 For the tip of Google doc...
– Husnain Qasim
Sep 27 '18 at 10:11
The issue states the violation is due to using user's Android Advertising ID. I had the same problem. I created a privacy policy and added the url to that in my app and to the Google Play page. Submitted an update and the App is live again. Make sure to mention that you are collecting a personally identifiable information, Android Advertising ID, in your app. I've given a link to my app's privacy policy, refer to that if you need to know how exactly it is mentioned.
This is my privacy policy:
https://nwsty.com/privacy-policy-and-terms-of-use-android/
You can easily create a privacy policy here:
https://app-privacy-policy-generator.firebaseapp.com/
Just for reference, this is the app in question:
https://play.google.com/store/apps/details?id=com.instancea.nwsty&hl=en_US
Disabling Advertising ID collection:
https://firebase.google.com/support/guides/disable-analytics#disable_advertising_id_collection
via those two lines in Manifest file:
<meta-data android:name="firebase_analytics_collection_deactivated" android:value="true" />
<meta-data android:name="google_analytics_adid_collection_enabled" android:value="false" />
I got 3 apps suspended today.
I had a busy day but managed to start working on the apps after lunch. I worked on and submitted 2 updates out of 3. Now I'm working on the third one.
A few minutes ago, one just got approved.
Most of my apps already have privacy policies. The ones that got suspended did not.
The suspect libraries in my case are Admob and Firebase Analytics.
What I did:
1. I created a privacy policy web-page and added a link in the Google Play Store listing.
2. I added the privacy policy as a string in the app and it pops up via a dialog the user can accept or decline one time.
After the updates, I held my breath for 2 hours and voila!
do google actually confirm acceptance ?
– Theo
Sep 18 '18 at 18:58
can you please share some code that will help us to make similar changes in everyone app how to add the privacy policy as a string in the app and it pops up via a dialog the user can accept or decline one time.
– Bhavesh
Sep 19 '18 at 5:21
That might be a silly question but what are you doing in case the user declines the privacy policy by clicking the "Decline" button?
– Borislav Borisov
Sep 20 '18 at 19:26
Same thing that happens when you decline an EULA
– zimspy
Sep 22 '18 at 11:59
Thank you for your interest in this question.
Because it has attracted low-quality or spam answers that had to be removed, posting an answer now requires 10 reputation on this site (the association bonus does not count).
Would you like to answer one of these unanswered questions instead?
reddit.com/r/androiddev/comments/9gqr6y/…
– Tim Castelijns
Sep 18 '18 at 7:00