Opt-In Privacy Changes Come to Android

Opt-In Privacy Changes Come to Android April 1

Cory Underwood
CIPT, CIPP/US, Analytics Engineer
Mar 25, 2022

Google privacy settings for Android are happening now! Advertising ID and User Policy changes set new restrictions for marketers and analysts. Learn how to navigate the opt-in privacy nuances coming to the Android App Store on April 1st.In my 2022 Data Privacy Sneak peek, I wrote about upcoming Android privacy changes. The last and most major of these changes are upon us! As of April 1, Google will begin to enforce opt-in privacy requirements along with Advertising ID and User Policy changes. This post addresses your burning Android privacy questions and goes a bit further. Learn

  • What’s changed?
  • What you can expect?
  • How can Further help you ensure you have strategies in place to meet these changes and optimize your business?

I strongly encourage you to review the official Google Play Store policies to ensure your app matches Google’s expectations.

Android Privacy: Advertising ID Changes

Starting late in 2021, Google began a phased rollout to change how the Google Advertising ID in Android Settings works. This is the change that will expand to affect apps running on all devices that support Google Play on April 1. (See API documentation for more details.)

What’s the change?

The change allows a user to 1.) reset their identifier or 2.) opt out of targeting. When a user resets their identifier, advertisers may not attempt to link that to the existing profile without explicit consent of the user, and the user again receives a prompt for reverification. When a user opts out, the advertising identifier is no longer available to advertisers, who instead receive a string of zeros. (Advertisers can receive notifications when users opt out by filling out this form.)Google also notes if your app targets children, you can’t use the advertising ID:

Some Google Play policies, such as the Families Policy, require that apps not use the Ad ID. If your app uses SDKs, like the Google Mobile Ads SDK, that declares the AD_ID permission in their library manifests, you must prevent the permission from getting merged into your app by including the following element in your manifest (source).

Further, the Google Advertising ID changes has additional restrictions for Advertising and Analytics use cases.

  • Advertising: The advertising ID may not be connected to persistent device identifiers for any advertising purpose. The advertising ID may only be connected to personally-identifiable information with explicit consent of the user.
  • Analytics: The advertising identifier may only be connected to the personally-identifiable information or persistent device identifier with the explicit consent of the user.

Advertisers and analysts are still allowed to present contextual advertising, take part in frequency capping, conversion tracking reporting, and security and fraud detection.The advertising ID can only be used as described above, and all apps on the Google Play Store must use the advertising ID when available in place of any other device identifiers for any advertising purposes.

What’s the change mean for advertisers and analysts?

Changes to these policies, once reflected in the App and rolled out to users, will affect measurement. Folks opting out of the Google Advertising ID via their settings will become harder to target. The extent this may be material will vary from app to app depending on the amount of data they collect, what kind of data they collect, and what their respective business model looks like.

These changes may cause fluctuations in analytics or campaign performance measurement.

What should I do about Android Advertising ID changes?

If your app reads the Google Advertising ID, you may need to make changes to accommodate the change in functionality (see the consent and disclosure requirements below). I recommend reviewing the requirements for the usage of the Advertising ID, which can be found under the updated Ads policy.Usage of the App Set ID for analytics use cases can be found detailed under the User Data Policy updates. Reach out to talk to our privacy experts about what to do next.

Android App Store User Policy Changes

What’s the change?

Any apps on the Google Play Store that collect data will be subject to changes in the User Data Policy. Apps will be expected to 1.) have prominent disclosure, i.e., prominently disclose the app’s access requirements, collection use, and sharing of data collected and 2.) limit the use of that data to the purposes disclosed (so no more “Find out what Gummy Bear are you…” quizzes to harvest email addresses for selling), and 3.) seek consent prior to data collection.Google additionally states that prominent disclosure:

  • Must be within the app itself, not only in the app description or on a website;
  • Must be displayed in the normal usage of the app and not require the user to navigate into a menu or settings;
  • Must describe the data being accessed or collected;
  • Must explain how the data will be used and/or shared;
  • Cannot only be placed in a privacy policy or terms of service; and
  • Cannot be included with other disclosures unrelated to personal and sensitive user data collection (source).

In-app disclosures must be immediately preceded by a request for user consent, without which advertisers may not collect any personal and sensitive data. There’s no official prompt like on the apple version, so it’s up to the brand to design a consent statement, but it must follow the following UX guidelines. Google states that apps:

  • Must present the consent dialog clearly and unambiguously;
  • Must require affirmative user action (e.g., tap to accept, tick a check-box);
  • Must not interpret navigation away from the disclosure (including tapping away or pressing the back or home button) as consent; and
  • Must not use auto-dismissing or expiring messages as a means of obtaining user consent (source).

Should your app deal in personal or sensitive information, there are additional requirements. Google defines this information as:

Personal and sensitive user data includes, but isn’t limited to, personally identifiable information, financial and payment information, authentication information, phonebook, contacts, device location, SMS and call related data, inventory of other apps on the device, microphone, camera, and other sensitive device or usage data (source).

For personal and sensitive user data, Google states that app developers are required to:

  • Limit your access, collection, use, and sharing of personal or sensitive data acquired through the app to purposes directly related to providing and improving the features of the app (e.g., user anticipated functionality that is documented and promoted in the app’s description in the Play Store). Apps that extend usage of this data for serving advertising must be in compliance with our Ads Policy.
  • Post a privacy policy in both the designated field in the Play Console and within the app itself. The privacy policy must, together with any in-app disclosures, comprehensively disclose how your app accesses, collects, uses, and shares user data. Your privacy policy must disclose the types of personal and sensitive data your app accesses, collects, uses, and shares; and any parties with which any personal or sensitive user data is shared.
  • Handle all personal or sensitive user data securely, including transmitting it using modern cryptography (for example, over HTTPS).
  • Use a runtime permissions request whenever available, prior to accessing data gated by Android permissions. Not sell personal or sensitive user data (source).

What’s the change mean for advertisers and analysts?

Advertisers and analysts may need to make adjustments to how you prompt for consent prior to data collection. Pay special note to the requirements around the collection of personal and sensitive data.

These Adroid privacy changes may make targeting and reporting less reliable.

What should I do about Google’s User Policy changes?

Google is very clear on how this consent mechanic must work. The disclosure and consent can’t be on a website buried in terms of service or privacy policy, and they must be part of the app use cases (for what constitutes consent) and requirements (for presentation and consent) prior to data collection. If you think you are collecting personal or sensitive data, I strongly recommend reviewing the requirements.

What will enforcement look like?

Brands with an Android app in the Play Store found to be in violation after enforcement will be subject to the enforcement process, ranging from Android app Store update rejection through developer account termination, dependent on the specific factors of the violation.If you (or any of your app’s SDKs) make use of the Android Advertising ID, you’ll want to give the policy changes a review. This is especially true if your app collects any personal or sensitive data, which can have a more dramatic effect on development time needed for compliance.While these changes are not legal requirements (but note your app may also be subject to legal requirements regarding data collection), Google is the final arbiter and is not subject to the legal red tape in enforcement of the Play Store policies. You should strongly consider how critical it is that your app remains available in the Play Store before deciding to delay compliance.

How Further can help

If your company advertises in the mobile space, this means that now the two major app distribution networks may impact your revenue streams with their respective app changes. The effectiveness of your ads to drive demand will likely be lower as more users opt out of our traditional tracking and personalization mechanisms. Further’s analytics team can proactively help by consulting on when consent is needed, on the UX requirements for the prompt, and on what the downstream impact to reporting may be as a result of these changes. After enforcement begins on April 1, we can help reactively for brands who are subject to the enforcement processes as they navigate the required changes.Our digital marketing team can also help you make the changes to your advertising strategy that these announcements compel.As a Google Premier Partner in the top 3% of all Google’s partners globally, we’re uniquely qualified to help see you through these changes, for which you may need to adjust both your analytics and media strategies.

Talk to a Google Certified expert today to find out how you are affected by Android privacy changes.

Cory Underwood
CIPT, CIPP/US, Analytics Engineer

Cory Underwood is a certified data, analytics, and security expert with more than a decade of experience leading strategies across website development, optimization, and data compliance. As Senior Lead Analytics Engineer at Further, he develops security and privacy strategies for both the internal team and our clients. Cory is dedicated to teaching others the value of data through his blog and numerous speaking engagements. In his free time, Cory can be found playing video games, cooking delicious BBQ meals, or practicing his woodworking.


Read More Insights From Our Team

View All

Take your company further. Unlock the power of data-driven decisions.

Go Further Today