"Your app violates our user data policy regarding Personal and Sensitive Information"

We recently got this note from Google:

Hello Google Play Developer,

Our records show that your app, […], with package name […], currently violates our User Data policy regarding Personal and Sensitive Information.

Policy issue: Google Play requires developers to provide a valid privacy policy when the app requests or handles sensitive user or device information. Your app requests sensitive permissions (e.g. camera, microphone, accounts, contacts, or phone) or user data, but does not include a valid privacy policy.

Action required: Include a link to a valid privacy policy on your app’s Store Listing page and within your app. You can find more information in our help center.

Alternatively, you may opt-out of this requirement by removing any requests for sensitive permissions or user data.

If you have additional apps in your catalog, please make sure they are compliant with our Prominent Disclosure requirements.

Please resolve this issue by January 30, 2017, or administrative action will be taken to limit the visibility of your app, up to and including removal from the Play Store. Thanks for helping us provide a clear and transparent experience for Google Play users.

Regards,

The Google Play Team

These are the permissions we request:

android =

{

usesExpansionFile = false,

permissions = {

                       { name =  “.permission.C2D_MESSAGE”, protectionLevel = “signature” },

                },

usesPermissions =

{

“android.permission.INTERNET”,

“com.android.vending.CHECK_LICENSE”,

“android.permission.WRITE_EXTERNAL_STORAGE”,

“android.permission.GET_ACCOUNTS”,

“android.permission.RECEIVE_BOOT_COMPLETED”,

“com.google.android.c2dm.permission.RECEIVE”,

“.permission.C2D_MESSAGE”,

},

},

It looks like the obvious culprit might be GET_ACCOUNTS, but I’m not sure.

Most of these perms were added in order to get push messaging working, per the guide here: https://docs.coronalabs.com/guide/events/appNotification/index.html

Any advice on how we could avoid collecting personal information (we don’t want to) while still receiving notifications?  We really only send out notifications as regular news updates, not as personal messages of any kind.

Or if there’s no other way, any advice on how we could craft a privacy policy that reflects our complete lack of interest in collecting anybody’s actual personal info?

The permissions are ones required by Google to use that service that we said they needed included for.

You can look at:  https://coronalabs.com/privacy-policy/privacy-policy-for-app-users/

to see what we collect. You can then use this as a basis to craft your own. You can also browse both Google Play and the Apple App Store and find apps/games that have privacy policies and see what type of content they contain.

Rob

That’s extremely helpful; thank you!

I’m wondering if the GET_ACCOUNTS permission is what’s triggering the warning, and if so, whether it’s still necessary.  Places like this:

http://stackoverflow.com/questions/18444227/get-accounts-permission-while-using-gcm-why-is-this-needed#18444343

suggest that GET_ACCOUNTS is no longer needed for Google Cloud Messaging.  If we simply remove it can we expect notifications to still work (and maybe eliminate the warning about privacy)?  Or does the notification framework in Corona require it to work?

I got hit with this too for an older app.

On checking Google Play my app uses these permissions:

Phone

• read phone status and identity

Device ID & call information

• read phone status and identity

Other

• view network connections
• full network access

Hope that helps.

Interesting!  

It says that it uses:

Identity

• find accounts on the device

Contacts

• find accounts on the device

Photos/Media/Files

• read the contents of your USB storage

I assume Identity and Contacts arise from the GET_ACCOUNTS permission? 

RE: Reading USB storage, it looks like we had to add android.permission.WRITE_EXTERNAL_STORAGE in order to use an expansion file, and WRITE_EXTERNAL_STORAGE implicitly grants READ_EXTERNAL_STORAGE, so we now have the ability to read and write arbitrary data off an SD card!  Which is the last thing we would ever want to do.

I bet that’s why we’re getting this from one app and not the other – the expansion file.

So we discussed this with our client and they’re going to take responsibility for a privacy policy, and include in it information about Corona’s privacy policy.  So that should make Google happy.

Hopefully this thread will be helpful to anybody else who gets this notice.

The permissions are ones required by Google to use that service that we said they needed included for.

You can look at:  https://coronalabs.com/privacy-policy/privacy-policy-for-app-users/

to see what we collect. You can then use this as a basis to craft your own. You can also browse both Google Play and the Apple App Store and find apps/games that have privacy policies and see what type of content they contain.

Rob

That’s extremely helpful; thank you!

I’m wondering if the GET_ACCOUNTS permission is what’s triggering the warning, and if so, whether it’s still necessary.  Places like this:

http://stackoverflow.com/questions/18444227/get-accounts-permission-while-using-gcm-why-is-this-needed#18444343

suggest that GET_ACCOUNTS is no longer needed for Google Cloud Messaging.  If we simply remove it can we expect notifications to still work (and maybe eliminate the warning about privacy)?  Or does the notification framework in Corona require it to work?

I got hit with this too for an older app.

On checking Google Play my app uses these permissions:

Phone

• read phone status and identity

Device ID & call information

• read phone status and identity

Other

• view network connections
• full network access

Hope that helps.

Interesting!  

It says that it uses:

Identity

• find accounts on the device

Contacts

• find accounts on the device

Photos/Media/Files

• read the contents of your USB storage

I assume Identity and Contacts arise from the GET_ACCOUNTS permission? 

RE: Reading USB storage, it looks like we had to add android.permission.WRITE_EXTERNAL_STORAGE in order to use an expansion file, and WRITE_EXTERNAL_STORAGE implicitly grants READ_EXTERNAL_STORAGE, so we now have the ability to read and write arbitrary data off an SD card!  Which is the last thing we would ever want to do.

I bet that’s why we’re getting this from one app and not the other – the expansion file.

So we discussed this with our client and they’re going to take responsibility for a privacy policy, and include in it information about Corona’s privacy policy.  So that should make Google happy.

Hopefully this thread will be helpful to anybody else who gets this notice.