Why Our App Got Removed from the Google Play Store & How We Fixed It

What Happened?

Recently, much to our surprise, an app we had on the Google Play Store got flagged and removed from the store for violating the store policies. Here’s a portion of the email we were sent: 

Issue: Violation of Usage of Android Advertising ID policy and section 4.8 of the Developer Distribution Agreement

Google Play requires developers to provide a valid privacy policy when the app requests or handles sensitive user or device information. We’ve identified that your app collects and transmits the Android advertising identifier, which is subject to a privacy policy requirement. If your app collects the Android advertising ID, you must provide a valid privacy policy in both the designated field in the Play Console and from within the app.

Seeing the store listing get removed…

Okay, so easy enough. If you have an app that utilizes ads, you’re going to need to add a privacy policy to your app and store listing (instructions below). Piece of cake, right? However, the app that got flagged doesn’t have ads or transmit that data, to our knowledge. If we wanted a slapdash solution, we would just add the privacy policy and be done with it. That doesn’t solve the underlying issue, though. So what could be sending the advertising ID over the wire?

Finding the Cause

After a little digging in our codebase, I ruled out that we were personally dealing with the ID. Next on my mind was to see if any of our Gradle dependencies could be sending this without our knowledge. Luckily this is a rather small application, so the list of dependencies is limited. We had the generic smattering of Android support libraries and the like. Additionally, like many others, we use Fabric Crashlytics for crash reporting. After a bit of googling, Stack Overflow posts, and reading release docs, it turns out that versions of Crashlytics prior to 2.9.3 used this ID as a unique identifier. So be sure to update to the latest version if you’re on a version older than 2.9.3!

dependencies {
    // ...
    implementation 'com.crashlytics.sdk.android:crashlytics:2.9.9'
    // ...
}

So that’s it, right? Not quite… Turns out many solutions use the advertising ID to ascertain device uniqueness. Firebase uses it too but can be set to default to the hardware identifier. Simply add these lines to your manifest.xml:

<meta-data
    android:name="firebase_analytics_collection_enabled"
    android:value="false" />

Last but not least, we were using OneSignal, which also transmits the advertising ID. Unfortunately, there is no way to stop it from doing so. In this case, while we were able to limit the use of the ID, a privacy policy will still be needed. In all honesty, we should’ve had one anyway and you should as well.

You may have other dependencies that use the advertising ID such as Facebook or others. Take some time to read through their documentation on your own to see if there are options to avoid using this ID or if an update is available that gets rid of the usage.
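The dependency review described in this section can be repeated on every build. The script below is an added example, not code from the original post: it scans the text printed by `./gradlew app:dependencies` for the SDKs named above and compares versions numerically, so 2.9.10 is not mistaken for being older than 2.9.3. The OneSignal and Firebase coordinates and the sample report are assumptions made for illustration.

```python
import re

# SDKs this post identifies as transmitting the advertising ID.
# Coordinates other than Crashlytics are assumptions; adjust to your build.
WATCHLIST = {
    "com.crashlytics.sdk.android:crashlytics": ("2.9.3", "update to 2.9.3 or later"),
    "com.onesignal:OneSignal": (None, "no opt-out per the post; privacy policy required"),
    "com.google.firebase:firebase-core": (None, "review the Firebase manifest setting"),
}

# Matches "group:artifact:version" with an optional "-> resolved" suffix,
# as printed by `./gradlew app:dependencies`.
COORD = re.compile(r"([\w.\-]+):([\w.\-]+):([\w.\-+]+)(?:\s*->\s*([\w.\-+]+))?")

def version_key(version):
    """Turn '2.9.10' into (2, 9, 10) so it sorts above 2.9.3."""
    return tuple(int(p) for p in re.findall(r"\d+", version))

def audit(report):
    """Return sorted (coordinate, resolved_version, advice) findings."""
    findings = set()
    for line in report.splitlines():
        m = COORD.search(line)
        if not m:
            continue
        group, artifact, declared, resolved = m.groups()
        coord = f"{group}:{artifact}"
        if coord not in WATCHLIST:
            continue
        version = resolved or declared
        fixed_in, advice = WATCHLIST[coord]
        if fixed_in and version_key(version) >= version_key(fixed_in):
            continue  # already on a release that dropped the ID
        findings.add((coord, version, advice))
    return sorted(findings)

# Constructed sample in the format of `./gradlew app:dependencies`.
SAMPLE = """\
+--- com.android.support:appcompat-v7:27.1.1
+--- com.crashlytics.sdk.android:crashlytics:2.9.1
|    \\--- com.crashlytics.sdk.android:crashlytics-core:2.6.0
+--- com.onesignal:OneSignal:3.10.1
\\--- com.google.firebase:firebase-core:16.0.1 (*)
"""

if __name__ == "__main__":
    for coord, version, advice in audit(SAMPLE):
        print(f"{coord}:{version}  {advice}")
```

Because the report includes transitive dependencies, this also catches a flagged SDK pulled in by another library rather than declared directly.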

Making a Privacy Policy

First off, we are going to need to actually create a privacy policy. I recommend using this generator. Start off by entering in your app’s info as well as any personally identifiable information you are collecting, such as the advertising ID.

Filling out your app info.

Next, use the switches to the right to select the services your app uses. This may not cover all cases but is a good sample. This list is a great indicator of services that could be why your app was taken off the store in the first place.

Selecting the services you utilize.

To get access to the generated policy, click the “Privacy Policy” tab. Here you will be able to preview it. Keep this handy for the next steps. If you don’t see a service you use that needs to be included, such as OneSignal, be sure to add a link to that service’s privacy policy. This can easily be done by opening up the HTML in a text editor and making another link below the ones already in the document.

As I mentioned earlier, Google Play requires a policy on the store as well as in the app. We’ll take care of the store listing first. Enter the Google Play Console and find the tab “Store Presence” and select the sub-tab “Store-Listing”. Here you’ll find that a URL is required. We can’t simply plop our privacy policy into the listing.

Entering the privacy policy URL

Google recommends three solutions: a Google Site, a public Google Doc, or a hosted PDF. We initially decided to go with option one as it looks a bit more professional than a Google Doc would and didn’t want to spend the time setting up the hosted PDF. However, it turns out when I entered a Google Site link for the privacy policy I got the error “You are not allowed that domain for a privacy policy URL.” Presumably, Google is flagging the URL given it starts with “sites.google” and thinks you are trying to link a domain you don’t own despite the fact it’s a Google Site. If this works in your case, great! If not, and you would rather have the look of a Google Site over the other options, I’ll walk you through those steps.

Option 1: Google Site

Creating a Google Site

Here are some instructions from Google with a few changes:

  • Go to Google Sites and create a new site.
  • Fill in your application’s name and the title of the page. You can also adjust the theme and colors by selecting the Themes tab in the upper right corner.
  • Add a Text box using the button under the Insert tab.
  • Go back to the privacy policy generator and at the bottom of the preview, click “Select all”. Copy the selection and paste the result into your newly created Text box.
  • Click Publish and give your site a name.
  • Copy and paste the site’s URL in the Privacy Policy field in the Google Play Console. (You may get an error at this step; continue reading for a workaround.)

If the link worked, congratulations! Click Submit Update at the bottom of the page and you’re good to go! If not, there are some steps you can take to use this Google Site with a custom URL. Google has a wonderful guide dedicated to using custom URLs with Google Sites that you can visit here. When finished creating your own custom URL, it may take up to one hour to be able to reach your site from the new link. Once you confirm the new URL is working, add it as your privacy policy URL in the Google Play Console, as described earlier.

Option 2: Public Google Doc

For this option, simply create a new Google Doc. Name it whatever you deem appropriate, most likely something of the sort “{App Name}’s Privacy Policy”. Copy the text from the privacy policy generator and slap it in the doc. Under File select “Publish to Web” and follow the few instructions listed there. Easy as that. Then copy the generated link and put it in the Google Play Console, as described earlier. I have not personally tried this method, so there’s also the chance this could get flagged for not being an allowed domain. Unfortunately, if this is the case there is no way to set a custom URL.

Another option for this case could be something like WordPress.

Option 3: Hosting a file online / add to an existing website.

In this case, we will assume you already have an account through something like AWS, Azure, Google Cloud, Digital Ocean, or the like. Many of these options allow you to host static files like PDFs and you’ll get a public link to those files. You’ll just have to create a file (type of your choosing) and upload it. Otherwise, you can use the policy generator, download the HTML, and add that to your existing website. In both these cases, put the final URL into the Google Play Console.

Next Steps:

Obviously, there are many other options; these are just a select few that could be rather quick and are from reliable companies. Explore your options!

Once you submit your updated store listing with your new privacy policy, your app should be available again in a short amount of time. It doesn’t end there, though: we still need to add the policy to the app itself for users to accept on that end. If you skip this next step, in an undetermined amount of time your app will most likely get flagged and removed again.

We’re almost done!

Adding the Policy to Your Android App

Now that we have the policy created and added to the store listing, we have yet to add it to the app itself. The easiest way to link to your policy is to add a TextView to your XML and set an OnClickListener on it. The TextView text should include the word “Privacy” to make it apparent to the user and easy to find. There are a few places that your privacy policy could or should live inside your app. If you have a login screen, somewhere near the bottom or below user input is a great place to add it. Also, if you have a menu or settings page, adding a menu item for your policy is a great idea as well.

Case 1: Online apps

This is the easiest case. Here we’ll simply add these lines inside the onClick listener of your TextView.

// Open the hosted policy in the user's default browser.
val intent = Intent(Intent.ACTION_VIEW)
// Replace this with the URL of your own hosted privacy policy.
val uri = Uri.parse("https://www.sites.google.privacy-policy/")
intent.data = uri
startActivity(intent)

This will open up the user’s default browser and load your hosted Google Site.

Case 2: Offline apps

In the case the app targets offline usage, you will want to store a copy of the HTML that you can download from the generator. You’ll want to store this in your assets folder. If you don’t have one yet, right click app > New > Folder > Assets Folder and most likely target main. Then go ahead and drag your HTML file into that folder. We’ll use this later on.

In the case your app is targeting offline capabilities, the best way to present your policy is through the WebView view. How you present this is up to you, but one easy way is to have an Activity that presents the WebView. Once your view is all set up, load your HTML into the WebView.

webView.loadUrl("file:///android_asset/privacy-policy.html")

Note: If you ever change your policy, you’ll have to re-download the HTML and update your assets in a new release.

Wrapping Up

Throughout this post, we figured out why your app(s) might have been flagged or removed from the Google Play Store for not having a Privacy Policy. We made a privacy policy using a generator, chose a place to host it on, added the link to the store, and added access to the policy from inside the affected app(s). Once you’ve made a new release to the store including your changes, everything should be good to go. Be sure to keep your policy up to date should you change the information you collect or other relevant issues.

Great job!


As ever, QuarkWorks is available to help with any software application project — web, mobile, and more! If you are interested in our services you can check out our website. We would love to answer any questions you have! Just reach out to us on our Twitter, Facebook, or LinkedIn.