If you’re an Android developer who publishes their apps to the Google Play Store, you might have been warned by Google with the following email subject: “Action required – Potential Google Play Policy Violation: 30-day warning” and asked to take steps to fix the violation.
More specifically, you would’ve been told, “We’re contacting you because the apps listed at the end of this email handle or request personal or sensitive user data. Apps like this must comply with the Prominent Disclosure requirements of our User Data policy”.
Google goes on to tell you what needs to be done, “Action required: Make sure your apps fulfill the Prominent Disclosure requirements of our User Data policy. If these requirements are not fulfilled within 30 days, your app may be removed from Google Play. Alternatively, you can remove any requests for sensitive permissions or user data within your app. You can also choose to unpublish your app.”
The good news up front: you’ve come to the right place. iubenda helps app and website owners create beautiful and professional privacy policies. These policies work even more beautifully for apps like those built in the Android ecosystem.
Let’s look at what else is inside the email and how you ultimately fix your problem.
What are the steps to take?
The most important step is to understand the Prominent Disclosure requirements in the User Data policy.
Prominent Disclosure requirements in the User Data policy
In Google’s User Data policy you can find the requirements set out for special disclosures:
If your app collects and transmits personal or sensitive user data unrelated to functionality described prominently in the app’s listing on Google Play or in the app interface, then prior to the collection and transmission, it must prominently highlight how the user data will be used and have the user provide affirmative consent for such use.
Your in-app disclosure:
- Must be within the app itself, not only in the Play listing or a website;
- Must be displayed in the normal usage of the app and not require the user to navigate into a menu or settings;
- Must describe the type of data being collected;
- Must explain how the data will be used;
- Cannot be included with other disclosures unrelated to personal or sensitive data collection.
Your app’s request for consent:
- Must present the consent dialog in a clear and unambiguous way;
- Must require affirmative user action (e.g. tap to accept, tick a check-box, a verbal command, etc.) in order to accept;
- Must not begin personal or sensitive data collection prior to obtaining affirmative consent;
- Must not consider navigation away from the disclosure (including tapping away or pressing the back or home button) as consent; and
- Must not utilize auto-dismissing or expiring messages.
The point to understand is the following: Google apparently considers the collection of data that isn’t clear from your app page or from within your interface to be covered by this prominent disclosure policy.
You have two options:
- Remove the offending data collection;
- Use our generator for mobile apps;
- Add our service called “Device permissions for Personal Data access”;
- Link to it from the Play Store page;
- Possibly link to it from your marketing website.
When you’re done with all of the above, resubmit your fixed app!