My app keeps getting rejected from Google Play, more than 3 times now. Below is the message I keep getting from the Google Play console.
APK HAS A PRIVACY POLICY BUT IT IS NOT ADEQUATE
Privacy Policy in Play Distributed App Your app is uploading users'
Contact list and Media information to without posting a privacy policy
in Play Distributed App.
Below is also a link to the privacy policy for the app. I don't know exactly what I am missing.
Privacy Policy
I know it may be hard to find time to go through the whole privacy policy, so below is a section that discusses what information is collected.
Information Collection and Use
For a better experience, while using our Service, we may require you
to provide us with certain personally identifiable information,
including but not limited to Name, email address, phone number, date
of birth, gender, device contacts list. The information that we
request will be retained by us and used as described in this privacy
policy.
For a better experience, while using our services, we collect
information about how you use our products and services. We use that
information to provide you with products and services, to help keep
WalaDigital – Blood Donation more relevant to you.
Personal Information: We collect personal information from you such
as;
First and last name Email address Phone number Date of birth Gender
Blood type and genotype Device Information. We collect information
from and about the devices you use to access WalaDigital – Blood
Donation, including:
Information about your device, operating system, language and device
uuid. Your device address book, if you’ve chosen to share it with us.
Data you provide us is transmitted off your device unto our servers
for the purposes of improving your user experience and also for how
the application works.
For instance, your profile photos or images you capture are
transmitted off the device unto our servers to best serve you via our
secure Wala Digital API Services.
This transmission process is highly secured to protect your data. All
data such as contact address list and photos are not shared with any
third party.
Although, the app does use third-party services that may collect
information used to identify you.
Link to the privacy policy of third-party service providers used by
the app.
NOTE: There is a privacy policy in the app as well during signup.
A clearer Privacy Policy that discloses the sensitive personal data you collect and how you handle that data might be required.
For example, Google Play considers contacts and media as sensitive data which are subject to sensitive permissions policies [1]:
Declare runtime sensitive permissions
Integrate consent screens before asking for contacts, media data (see Prominent Disclosure & Consent)
Comply with Personal and Sensitive User Data policy and Google Play requirements for a Privacy Policy [2]:
Disclosing the types of personal and sensitive user data your app accesses, collects, uses, and shares; and any parties with which any personal or sensitive user data is shared.
Secure data handling procedures for personal and sensitive user data.
The developer’s data retention and deletion policy.
[1] https://developer.android.com/games/develop/permissions
[2] https://support.google.com/googleplay/android-developer/answer/10144311?hl=en
Related
Namastey!
I have completed my first Android app, and I am about to upload it to the Play Store.
But recently I came to know that the Google Play Store requires a privacy policy link when uploading an application to the store.
I have so many doubts and questions regarding this.
I don't know how to get or create a new privacy policy for my app?
I don't have a company of my own, so how can I write a privacy policy, and is it legal to do so?
Can anyone tell me how to deal with this situation? I really need some help right now.
Any help would be appreciated!
You don't need a Privacy Policy if you don't collect personal information from users through your Android app.
If you do collect personal information (directly or indirectly through a third party such as Google Analytics, AdMob, Mixpanel etc.), then Google Play Store requires you (and the law as well) to have a Privacy Policy in place.
Related to your questions:
Your Privacy Policy should be adapted based on what kind of personal information you collect from users. Do you collect email address, do you need camera access from users etc.?
WordPress.com open-sourced their legal agreements (Privacy Policy and Terms of Service) but keep in mind that legal agreements should be customized based on app, app functionality, and other factors.
This question is better answered by a lawyer but keep in mind that a Privacy Policy is the statement where you need to disclose what, how and why you collect personal information from users.
Depending on your country, it might be helpful to look into the following law acts on privacy of user data:
CalOPPA in the US
PIPEDA in Canada
DPA in the UK
IT Act 2000 in India
Privacy Act in Australia
I get the following email from the Google Play team:
Hello Google Play Developer,
Our records show that your app, XXXX , with package
name com.XXX.XXX, currently violates our User Data policy
regarding Personal and Sensitive Information.
Policy issue: Google Play requires developers to provide a valid
privacy policy when the app requests or handles sensitive user or
device information. Your app requests sensitive permissions (e.g.
camera, microphone, accounts, contacts, or phone) or user data, but
does not include a valid privacy policy.
Action required: Include a link to a valid privacy policy on your
app's Store Listing page and within your app. You can find more
information in our help center.
Alternatively, you may opt-out of this requirement by removing any
requests for sensitive permissions or user data.
If you have additional apps in your catalog, please make sure they are
compliant with our Prominent Disclosure requirements.
Please resolve this issue by March 15, 2017, or administrative action
will be taken to limit the visibility of your app, up to and including
removal from the Play Store. Thanks for helping us provide a clear and
transparent experience for Google Play users.
Regards,
The Google Play Team
What is the meaning of a valid privacy policy? I found a way to add a privacy policy URL to the Store Listing from "Warning of Google Play Developer policy violation: Action Required", but is it enough to add a link to a privacy policy page on the Store Listing? Does the Play Store accept any privacy policy URL? And how can I add a valid policy to my app? Because in another email from the Google Play team, they said I need to add a privacy policy in two places, not just the Store Listing:
If your app requests user data or makes sensitive permissions requests
such as Phone, Accounts, Contacts, Camera, or Microphone, you'll need
to add a valid privacy policy in two places: your app's Store Listing
page (instructions below) and within your app.
I think I'm qualified to give you a more detailed answer. I have two apps on the App Store (iOS) and I've worked on a mobile privacy policy generator for years. I've also recently written quite a few words about the above issue.
1) You absolutely need your privacy policy on the Play Store page PLUS within the app
This is what Google says:
If your app requests user data or makes sensitive permissions requests
such as Phone, Accounts, Contacts, Camera, or Microphone, you'll need
to add a valid privacy policy in two places: your app's Store Listing
page (instructions below) and within your app.
I'd also like to add some more insight into why that is the case. If you are into privacy law theory, then I suggest you read this pdf by a Pan-European privacy body, otherwise I just suggest reading the summary here:
The essential scope of information about data processing 1) must be
available to the users before app installation, via the app store.
Secondly, the relevant information about the data processing 2) must
also be accessible from within the app, after installation.
And here is some bonus information Google doesn't talk about.
The Working Party recommends that information about personal data
processing is also available, and easy to locate, such as within the
app store 3) and preferably on the regular websites of the app
developer responsible for the app. It is unacceptable that the users
be placed in a position where they would have to search the web for
information on the app data processing policies instead of being
informed directly by the app developer or other data controller.
2) Adding a VALID privacy policy (link)
Now for the question of the validity of your privacy policy. You need to outline which sensitive permissions/user data you process and for what purpose.
I'm seeing a lot of advice saying that you just need to say that you access the camera but that isn't enough.
Say you access the camera
Say what purpose that serves
Say whatever else user data you process (name, email address, etc. etc)
This should help :)
Adding Privacy Policy to Web Site
Find a policy from an app. There are lots of apps that have privacy
policy in them. I, here, clearly state how
and why i use users permission and personal info.
If you have a web site, put it on your web site. If you don't have one,
create one for free from Google Sites.
Adding Privacy Policy to Application
There are 3 ways I've seen so far how it's displayed to users:
Menu button on NavigationView.
Inside an AlertDialog after user accepted Runtime Permissions
Inside a section of Settings activity or fragment
You must also add Privacy Policy Url to your app as Google states. They don't check it for now, but if they do in the future, you can be sorry if you didn't. I add it to Navigation View and open url when user touches it.
Do I have to put a copy of the Privacy Policy inside the app itself, or should I only put the URL to it inside Google Play without even mentioning it inside my app?
Both as much as possible.
A public URL would most likely be required for that Privacy Policy field by Google Play Store if your app requests sensitive permissions.
If you don't add the URL and your app needs sensitive permissions, you'll receive a violation warning email from Google. Your app may be unlisted if you don't fix the violation.
Keep in mind that your business "must conspicuously link to a Privacy Policy".
That's a requirement from CalOPPA in the US, but most privacy regulations around the world have a similar requirement: PIPEDA in Canada, Privacy Act in Australia etc.
You have multiple options how to link to your Privacy Policy from within your app: About or Settings screen, Sign-up or Login screens, separate item in the menu etc.
In most cases the privacy policy is associated with the company that is publishing the app rather than the app. After all, that is the entity that people are trusting to implement the policy. So I think it is enough to have it on a company website and refer to this in Google Play. A key thing is that people should be able to search the web for the company name, or app and find the privacy policy. While not specifically about Android apps, the following link gives some guidance on this
Note that there are particular circumstances where users need to be made aware of your approach to their data at the time they would be entering it. See Google's website
If your app collects and transmits personal or sensitive user data unrelated to functionality described prominently in the app’s listing on Google Play or in the app interface, then prior to the collection and transmission, it must prominently highlight how the user data will be used and have the user provide affirmative consent for such use.
You NEED your privacy policy on the Play Store page PLUS within the app
Since February 2017 Google enforces a strict privacy policy requirement on apps requesting sensitive permissions and user data policies.
Please check the following provided by Google to determine if either needs to have a policy or not:
For apps that request access to sensitive permissions or data (as defined in the user data policies): You must link to a privacy policy on your app's store listing page and within your app. Make sure your privacy policy is available on an active URL, applies to your app, and specifically covers user privacy.
For apps in the Designed for Families program: You must link to a privacy policy on your app's store listing page and within your app, regardless of your app's access to sensitive permissions or data. Make sure your privacy policy is available on an active URL, applies to your app, and specifically covers user privacy.
For other apps: You're not required to post a privacy policy.
Once you've identified what your app needs, your privacy policy will need the following:
The privacy policy must, together with any in-app disclosures, comprehensively disclose how your app collects, uses and shares user data, including the types of parties with whom it's shared. Outline which sensitive permissions/user data you process and for what purpose:
Say you will access their microphone
Say what purpose that serves
And other user data you process (name, email, address, etc)
If you need more information you can go to iubenda - Privacy Policy for Android
I am about to submit an app to the Apple AppStore built in Swift that uses Crashlytics to capture crash information. As users of Crashlytics know, some information about usage, duration, crashes, etc. is captured and stored on the Crashlytics servers. My application does not ask for, store or attempt to capture any user data.
My question is about the privacy policy for my application. Since I don't capture any user data, I want to state that in my privacy policy but I'm not sure that's factual since I am using Crashlytics. Any feedback on people that have used Crashlytics in their app and have an actual privacy policy?
Thanks
--Vinny
Quick answer: yes, you need that privacy policy. There are ways to get it done fast, too.
Longer answer:
Third parties (here Crashlytics)
When dealing with a third party service like this, often a quick look into their legal documents will help (for Crashlytics in this case as described in your question).
(...) At all times during the term of this Agreement, Developer shall
maintain a privacy policy (a) that is readily accessible to users from
its website or within its online service (as applicable), (b) that
fully and accurately discloses to its users what information is
collected about its users and (c) that states that such information is
disclosed to and processed by third party providers like Crashlytics
in the manner contemplated by the Services, including, without
limitation, disclosure of the use of technology to track users’
activity and otherwise collect information from users. (...)
And
Developer shall at all times comply with all applicable laws, rules
and regulations relating to data collection, privacy and security,
including, without limitation, the Children’s Online Privacy
Protection Act (“COPPA”). Crashlytics may, at its sole discretion from
time to time during the Term of this Agreement, audit Developer Data
to verify compliance.
Crashlytics is actually being unusually vocal about this topic.
The App Store
At the time of writing (and since iOS8) Apple requires privacy policies for 5 categories:
Kids Category, HomeKit, HealthKit, Apple Pay, and Keyboard Extensions. Also they require privacy policies for user registrations (more). I can't tell if any of the above for your app is true. Apple still says in their App Store Review Guidelines that you need to be compliant with all applicable laws. This brings us to the third and most important reason.
Privacy related regulations
All of the above is just there because of global privacy regulations; these companies would most likely not care otherwise. As soon as you work with user data you are mostly under an obligation to disclose these facts. It's personal data like names, addresses or the tracking of user behaviour. It's been written at length why analytics services need privacy policies. All of it is more important as soon as you share data and use third party services for it. Mostly the disclosure or some kind of consent is the condition for its compliant usage.
If you are interested in reading more about the matter in the context of mobile apps I'd suggest any of these documents:
ICO UK
Ireland
USA/California
Canada
Australia
Hope this helps.
(For proper disclosure: I do some work for iubenda, a tool that helps create privacy policies for apps and websites)
Vinny, I think it's not mandatory (I've seen apps using Crashlytics without a privacy policy), but it's recommended to have transparency in the communications with your users.
Crashlytics already has a privacy policy so you can just use that policy and add a statement informing that you are not collecting any sensitive information from the user, such as email or phone number.
My recently uploaded version of an existing app on Google Play wasn't published since it didn't meet certain privacy policy criteria. Now, I've updated the privacy policy on my website; however, how do I re-submit the app so that the new version goes live?
With millions of emails sent by Google warning developers, you are definitely not alone. Before resubmitting, update your privacy policy correctly; you do want to make sure you submit it with the necessary changes.
You say you've updated your privacy policy on your site, however Google requires the privacy policy to be there compliant in the Google Play store as well. That's likely where you need to resubmit.
To add it to the Store Listing:
Log into your Google Play Developer Console
Next, select All Applications and select the application whose privacy policy you'd like to edit.
After that, select Store Listing.
Then, scroll to the section marked Privacy Policy and enter the URL where you have the privacy policy hosted online.
Lastly, be sure to click Save or update.
More information about how to write your privacy policy for the Play Store
The best way to comply is to have a readable, understandable and easily accessible privacy policy, which at a minimum informs users about:
who you are (identity and contact details),
what precise categories of personal data the app wants to collect and process,
why the data processing is necessary (for what precise purposes),
whether data will be disclosed to third parties (not just a generic but a specific description to whom the data will be disclosed),
what rights users have, in terms of withdrawal of consent and deletion of data.
With that said, if you do decide to create your own policy, here are some tips:
Outline which dangerous/sensitive permissions you request
Outline any other user data you collect, for instance advertisement services!
Describe what purpose they serve and use them only for that purpose
Information about the site/app owner.
The kind of data being collected and how it is collected.
The purpose of the data collection (i.e. analytics, email marketing).
Any third parties that have access to the information and through which means (widgets and integrations).
The rights of users regarding their data (i.e. the ability to request to see the data, to rectify, erase, or block).
The process for notifying users and visitors regarding material changes to the privacy policy.
Effective date of the privacy policy.
(p.s I work on a tool called iubenda that helps with the generation of a privacy policy - link)