Google Play review unreasonably requires declaration of personal data collection - email address for OSM Login #7000

New issue

Closed

opened 2023-12-28 07:29:28 +00:00 by rtsisyk · 0 comments

rtsisyk commented

2023-12-28 07:29:28 +00:00

Owner

Issue found: Invalid Data safety form

We reviewed your app’s Data safety form in Play Console and found discrepancies between it and how the app collects and shares user data. All apps are required to complete an accurate Data safety form that discloses their data collection and sharing practices - this is required even if your app does not collect any user data.

We detected user data transmitted off device that you have not disclosed in your app’s Data safety form as user data collected.

You must ensure that your app’s Data safety section accurately reflects your app’s data collection, sharing, and handling practices. This includes data collected and handled through any third-party libraries or SDKs used in your app. When available, we’ve included details on SDKs that contain code similar to the code in your APK that may be sending user data off device. You can check if your app uses any of these SDKs, but note that this list of SDKs may not be exhaustive. You must review and account for all data collected and shared by your app.
Your app may face additional enforcement actions, if you do not resolve this issue by January 10, 2024.

Issue details

We found an issue in the following area(s):

Version code 23122101: Policy Declaration - Data Safety Section: Personal Info Data Type - Email Address

About the Data safety section in Google Play User Data policy

Your app must be in compliance with this policy. If your app continues to be non-compliant, your app updates will be rejected and your app may face additional enforcement actions in the future.

Please make changes to align your app’s Data safety form with the app’s behavior. This can be done by either:

Updating your form in Play Console to declare collection of Data Types noted below; or
Removing unwanted functionality and attributable code that collects this user data from your app or libraries used in your app, and when applicable to deactivate all non-compliant APKs.
To deactivate non-compliant APKS, you can create a new release and upload a compliant APK to each track containing the non-compliant APKs.
Be sure to increment the APK version code. If using staged rollout, be sure to set the release to 100% rollout.

For helpful resources, you can:

Learn more about how to provide app privacy and security information for Google Play's Data safety section.
Watch the Google Play PolicyBytes - Data safety form walkthrough.
Check Google Play SDK Index to see if your SDK provider has shared a link to their data safety guidance. Review how any third-party code (such as third-party libraries or SDKs) in your app collects and shares user data.

They don't provide any other details. The app has only one relevant screen:

Quoting the rules:

This includes data collected and handled through any third-party libraries or SDKs used in your app

It looks like that Google Play is right in this case. I see no basis for filing an appeal. We will have to declare collection of Email addresses until OAuth 2.0 is implemented for OpenStreetMap.org authentication.

Update

Organic Maps does NOT use any third-party libraries or SDKs to communicate with OSM servers. HTTP requests are done using Java and C++ code that is completely transparent in our GitHub repository.
Organic Maps does NOT store, collect, or share user emails, user names, or passwords. They are used ephemerally only for OSM login, to get a token that will be used in all further OSM API calls.

Our ephemeral use case is explicitly mentioned in the Google Play Data Safety guidelines:

In some cases, developers do not need to disclose data as "collected" even if the data technically leaves your device (for example, when the data is only processed ephemerally)

Developers do not need to disclose data accessed by an app as "collected" in the Data safety section if:

Your data is sent off the device but only processed ephemerally. This means the developer accesses and uses your data only when it is stored in memory, and retains the data for no longer than necessary to service a specific request. For example, if a weather app sends your location off your device to get the current weather at your location, but the app only uses your location data in memory and does not store the data for longer than necessary to provide the weather.

What Google replied after an appeal:

Per Google Play's Data Safety Section under Data Collection, “Collect” means transmitting data from your app off a user’s device. Please note the following guidelines:

Libraries and SDKs: This includes user data transmitted off device from your app by libraries and/or SDKs used in your app, irrespective of whether data is transmitted to you or a third-party server.

Pseudonymous data: User data collected pseudonymously must be disclosed. For example, data that can reasonably be re-associated with a user must be disclosed.
We reviewed your Data safety section and found that the following data types sent off the device were not yet disclosed:

Personal Info Data Type - Email Address in App Bundle Version: 23122101, Track: Production.
Please make changes to align your app’s Data safety section with the app’s behavior. This can be done by either:

Updating your form in Play Console to declare collection of Email Address, or
Removing functionality and attributable code that collect this user data from your app or libraries used in your app.

As Organic Maps does NOT collect user data and does NOT violate Google's guidelines, it would be a lie to our users that their emails or logins are collected by Organic Maps. We do not want to lie to our users.

The temporary solution is to disable the OSM login window for Google Play to avoid the removal of Organic Maps from the Google Play Store, and then look for another appeal or another solution, like using web views (as StreetComplete does) or using a separate browser for the login (although using a browser may not work well on all devices).

Google Play requires Organic Maps to either mention that user emails are collected (that is not true), remove the OSM login window, or otherwise Organic Maps will be removed from the Google Play store. > > **Issue found: Invalid Data safety form** > > We reviewed your app’s Data safety form in Play Console and found discrepancies between it and how the app collects and shares user data. All apps are required to complete an accurate Data safety form that discloses their data collection and sharing practices - this is required even if your app does not collect any user data. > >We detected user data transmitted off device that you have not disclosed in your app’s Data safety form as user data collected. > >You must ensure that your app’s Data safety section accurately reflects your app’s data collection, sharing, and handling practices. This includes data collected and handled through any third-party libraries or SDKs used in your app. When available, we’ve included details on SDKs that contain code similar to the code in your APK that may be sending user data off device. You can check if your app uses any of these SDKs, but note that this list of SDKs may not be exhaustive. You must review and account for all data collected and shared by your app. Your app may face additional enforcement actions, **if you do not resolve this issue by January 10, 2024.** > >Issue details > >We found an issue in the following area(s): > > Version code 23122101: Policy Declaration - **Data Safety Section: Personal Info Data Type - Email Address** > > **About the Data safety section in Google Play User Data policy** > > Your app must be in compliance with this policy. If your app continues to be non-compliant, your app updates will be rejected and your app may face additional enforcement actions in the future. > > Please make changes to align your app’s Data safety form with the app’s behavior. This can be done by either: > > Updating your form in Play Console to declare collection of Data Types noted below; or > Removing unwanted functionality and attributable code that collects this user data from your app or libraries used in your app, and when applicable to deactivate all non-compliant APKs. > To deactivate non-compliant APKS, you can create a new release and upload a compliant APK to each track containing the non-compliant APKs. > Be sure to increment the APK version code. If using staged rollout, be sure to set the release to 100% rollout. > >For helpful resources, you can: > > Learn more about how to [provide app privacy and security information for Google Play's Data safety section](https://support.google.com/googleplay/android-developer/answer/10787469). > Watch the [Google Play PolicyBytes - Data safety form walkthrough](https://www.youtube.com/watch?v=4rfF3y4xchU). > Check [Google Play SDK Index](https://developer.android.com/distribute/sdk-index) to see if your SDK provider has shared a link to their data safety guidance. [Review](https://developer.android.com/guide/topics/data/collect-share) how any third-party code (such as third-party libraries or SDKs) in your app collects and shares user data. They don't provide any other details. The app has only one relevant screen: <img src="https://github.com/organicmaps/organicmaps/assets/1799054/57b1b8c2-0d7d-4744-9522-45670e839e79" width="350px"> Quoting the rules: > This includes data collected and handled **through any third-party libraries or SDKs used in your app** ~It looks like that Google Play is right in this case. I see no basis for filing an appeal. We will have to declare collection of Email addresses until [OAuth 2.0](https://git.omaps.dev/organicmaps/organicmaps/issues/6144) is implemented for OpenStreetMap.org authentication.~ --- ## Update 1. Organic Maps does NOT use any third-party libraries or SDKs to communicate with OSM servers. HTTP requests are done using Java and C++ code that is completely transparent in our GitHub repository. 2. Organic Maps does NOT store, collect, or share user emails, user names, or passwords. They are used ephemerally only for OSM login, to get a token that will be used in all further OSM API calls. Our ephemeral use case is explicitly mentioned in the [Google Play Data Safety guidelines](https://support.google.com/googleplay/answer/11416267): > In some cases, developers do not need to disclose data as "collected" even if the data technically leaves your device (for example, when the data is only processed ephemerally) > Developers do not need to disclose data accessed by an app as "collected" in the Data safety section if: > - Your data is sent off the device but only processed ephemerally. This means the developer accesses and uses your data only when it is stored in memory, and retains the data for no longer than necessary to service a specific request. For example, if a weather app sends your location off your device to get the current weather at your location, but the app only uses your location data in memory and does not store the data for longer than necessary to provide the weather. --- What Google replied after an appeal: > Per Google Play's Data Safety Section under [Data Collection](https://support.google.com/googleplay/android-developer/answer/10787469?hl=en#zippy=%2Cdata-collection:~:text=or%20collapse%20them.-,Data%20collection,-%E2%80%9CCollect%E2%80%9D%20means%20transmitting), “Collect” means transmitting data from your app off a user’s device. Please note the following guidelines: > - Libraries and SDKs: This includes user data transmitted off device from your app by libraries and/or SDKs used in your app, irrespective of whether data is transmitted to you or a third-party server. > - Pseudonymous data: User data collected pseudonymously must be disclosed. For example, data that can reasonably be re-associated with a user must be disclosed. We reviewed your Data safety section and found that the following data types sent off the device were not yet disclosed: > Personal Info Data Type - Email Address in App Bundle Version: 23122101, Track: Production. Please make changes to align your app’s Data safety section with the app’s behavior. This can be done by either: > Updating your form in Play Console to declare collection of Email Address, or Removing functionality and attributable code that collect this user data from your app or libraries used in your app. As Organic Maps does NOT collect user data and does NOT violate Google's guidelines, it would be a lie to our users that their emails or logins are collected by Organic Maps. We do not want to lie to our users. The temporary solution is to disable the OSM login window for Google Play to avoid the removal of Organic Maps from the Google Play Store, and then look for another appeal or another solution, like using web views (as StreetComplete does) or using a separate browser for the login (although using a browser may not work well on all devices).

😕 3 👀 2 ❤️ 5

This repo is archived. You cannot comment on issues.