
SDK automatically collects device location without verification of user consent #307

Open
BarboraGrigaliunaite opened this issue Feb 12, 2024 · 8 comments

Comments

@BarboraGrigaliunaite

BarboraGrigaliunaite commented Feb 12, 2024

Hello, I am opening an issue that is related to this one: #281.
The solution helped and the issue was closed, but we received another letter from Google.

Some context
Previously we used:

    implementation "com.paypal.checkout:android-sdk:1.1.0"

After we got a warning that was the same as in the mentioned issue, we changed the dependencies to the following and released the changes on December 12, which fixed the issue:

    implementation 'com.paypal.checkout:android-sdk:1.2.0'
    implementation('com.paypal.android.sdk:data-collector') {
        version {
            strictly '3.21.0'
        }
    }

On February 8 we received another warning:

Date sent: Feb 8, 2024
Deadline: Feb 28, 2024
Violation: User Data policy: Violation of User Data, Permissions and APIs that Access Sensitive Information Policies
Details: We have observed that your app is using an SDK that is designed to collect device location by default. This SDK can result in your app violating the prominent disclosure and consent and/or approved purpose requirements of Google Play’s User Data and Permissions and APIs that Access Sensitive Information policies. You are hereby requested to provide evidence of your compliance with the Prominent Disclosure and Consent requirements. Your app submissions will be rejected pending your action.

Google suggested fix:

In the alternative, you may consider removing the SDK code designed to collect personal and sensitive user data by default, or moving to an alternative SDK or version which includes the appropriate technical mechanism to ensure that end user consent information collected by apps is honored. You may consider upgrading to a policy-compliant version of this SDK, if available from your SDK provider or removing the SDK. Google is unable to endorse or recommend any third party software.
Paypal Data Collector com.paypal.android.sdk:data-collector: Consider upgrading to version com.braintreepayments.api:data-collector:3.21.0 of the SDK.

Could you provide a possible solution?


Thank you for reaching out to the Native Checkout SDK team. This integration path is now inactive for new merchants.
If you are an existing merchant, please contact us here for further assistance.

New merchants can integrate the Native Checkout experience via the Braintree Android SDK or PayPal Android SDK.
For more information please see their respective developer documentation linked below.

@BarboraGrigaliunaite BarboraGrigaliunaite changed the title SDK collect SDK automatically collects device location without verification of user consent Feb 12, 2024
@chpypl
Collaborator

chpypl commented Feb 12, 2024

Hello,

I am involving the team that owns this SDK to get their guidance.

@chpypl
Collaborator

chpypl commented Feb 14, 2024

Hello,

If you are seeing the Play Store flag your APK after updating to this version, please try following these steps:

  1. Go to your Play Console
  2. Select the app
  3. Go to App bundle explorer
  4. Select the violating APK/app bundle's App version at the top right dropdown menu, and make a note of which releases they are under
  5. Go to the track with the violation. It will be one of these 4 pages: Internal / Closed / Open testing or Production
  6. Near the top right of the page, click Create new release. (You may need to click Manage track first)
    If the release with the violating APK is in a draft state, discard the release
  7. Add the new version of app bundles or APKs
    Make sure the non-compliant version of app bundles or APKs is under the Not included section of this release
  8. To save any changes you make to your release, select Save
  9. When you've finished preparing your release, select Review release, and then proceed to roll out the release to 100%.
  10. If the violating APK is released to multiple tracks, repeat steps 5-9 in each track

After you have confirmed that you are using version 1.21.0, please double-check all tracks (even private and unpublished tracks) and then submit an appeal to Play directly.

If the issue is not resolved after following all of those steps, please share details in this thread.

@ImVeryGood

I encountered the same problem. How do I solve it?

@ecorengia-joann

@chpypl we just got the same rejection, "Action Required: Your app is not compliant with Google Play Policies", after upgrading to com.paypal.checkout:android-sdk:1.2.1. We checked the dependency tree; we have com.paypal.android.sdk:data-collector:3.21.0.

SDK: Paypal Data Collector com.paypal.android.sdk:data-collector (consider upgrading to version com.braintreepayments.api:data-collector:3.21.0)
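Both the `strictly '3.21.0'` pin in the opening post and the dependency-tree check in the comment above come down to one question: which data-collector artifact, at which resolved version, actually ends up on the release classpath. The script below is an added example written for this thread; it is not code from the PayPal checkout SDK or from any commenter. It parses the text that `./gradlew :app:dependencies --configuration releaseRuntimeClasspath` prints (the constructed sample tree embedded in it stands in for real output), follows Gradle's `declared -> resolved` conflict-resolution notation and `{strictly ...}` constraints, and reports the two artifacts named in the Play Console notice. The watchlist notes are my own wording, and the artifact list is only what this thread quotes.

```python
"""Audit a Gradle dependency tree for artifacts flagged by Google Play.

Added example (not code from the paypal/android-checkout-sdk project).
Reads the output of `./gradlew :app:dependencies --configuration
releaseRuntimeClasspath` from stdin, or falls back to SAMPLE_TREE.
"""
import re
import sys

# Artifacts quoted in the Play Console notice in this thread. Notes are ours.
WATCHLIST = {
    "com.paypal.android.sdk:data-collector":
        "flagged by Google Play as collecting device location by default",
    "com.braintreepayments.api:data-collector":
        "replacement artifact named in Google's notice",
}

# Constructed sample; stands in for real `gradle dependencies` output.
SAMPLE_TREE = """\
releaseRuntimeClasspath - Runtime classpath of compilation 'release'.
+--- project :core
+--- com.paypal.checkout:android-sdk:1.2.0
|    +--- com.paypal.android.sdk:data-collector:3.20.0 -> 3.21.0
|    \\--- androidx.core:core-ktx:1.9.0
+--- com.paypal.android.sdk:data-collector:{strictly 3.21.0} -> 3.21.0
\\--- com.braintreepayments.api:data-collector:3.21.0 (*)
"""

_TREE_PREFIX = re.compile(r"^[\s|+\\\-]+")      # '+--- ', '|    \--- ', ...
_ANNOTATION = re.compile(r"\s+\([*cn]\)\s*$")   # (*) seen before, (c) constraint, (n) unresolved


def parse_tree_line(line):
    """Return (group:name, declared_version, resolved_version) or None."""
    body = _ANNOTATION.sub("", _TREE_PREFIX.sub("", line.rstrip()))
    if ":" not in body:
        return None  # configuration header, 'No dependencies', blank line
    left, _, resolved = body.partition(" -> ")
    parts = left.split(":", 2)
    if len(parts) < 2 or any(" " in p for p in parts[:2]):
        return None  # e.g. 'project :core'
    group, name = parts[0], parts[1]
    declared = parts[2] if len(parts) == 3 else ""
    # A rich-version constraint prints as '{strictly 3.21.0}'; keep the number.
    m = re.search(r"\d[\w.\-]*", declared)
    declared_ver = m.group(0) if m else ""
    return f"{group}:{name}", declared_ver, (resolved or declared_ver)


def audit(tree_text, watchlist=WATCHLIST):
    """Map each watchlisted coordinate to its declared and resolved versions."""
    hits = {}
    for line in tree_text.splitlines():
        parsed = parse_tree_line(line)
        if parsed is None:
            continue
        coord, declared, resolved = parsed
        if coord in watchlist:
            entry = hits.setdefault(
                coord, {"declared": set(), "resolved": set(), "note": watchlist[coord]})
            if declared:
                entry["declared"].add(declared)
            entry["resolved"].add(resolved)
    return hits


def report(hits):
    """Render audit results as one line per artifact."""
    return [
        f"{coord}: resolved {sorted(e['resolved'])} "
        f"(declared {sorted(e['declared'])}); {e['note']}"
        for coord, e in sorted(hits.items())
    ]


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TREE
    print("\n".join(report(audit(text))) or "no watchlisted artifacts found")
```

Run it as `./gradlew :app:dependencies --configuration releaseRuntimeClasspath | python audit_tree.py`. Parsing the resolved side of `->` matters here: a transitive `3.20.0` that Gradle upgrades to `3.21.0` under the `strictly` pin is what ships, so that is the version to quote in an appeal, and a second `data-collector` coordinate from another group shows up as its own line rather than being hidden by the pin.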

@BarboraGrigaliunaite
Author

For anyone reading this who is facing the same issue, an update from our project: it got rejected by Google and we cannot make any new releases:

We have observed that your app is using an SDK that is designed to collect device location by default. This SDK can result in your app violating the prominent disclosure and consent and/or approved purpose requirements of Google Play’s User Data and Permissions and APIs that Access Sensitive Information policies. You are hereby requested to provide evidence of your compliance with the Prominent Disclosure and Consent requirements. Your app submissions will be rejected pending your action.

So we will be integrating another SDK.
I hope everyone facing this issue won't have too big of a headache and will successfully solve the problem. <3

@chpypl
Collaborator

chpypl commented Mar 21, 2024

Hello all,

We're working with Google to find out what's causing the Google Play store compliance issue.

The SDK does not collect privacy data directly, however we do have 3rd-party dependencies that collect data when needed to protect our merchants and their customers from fraudulent transactions. Third-party data collection and infrequent Play Store policy changes make it difficult to get explicit guidance from Google to pinpoint the exact cause of compliance issues.

We were informed that filing an appeal should help unblock developers from making updates. When making an appeal in the Google Play store, make sure to mention the following:

  1. Indicate that you are aware of the compliance issue
  2. Indicate that you have updated to a compliant version of the SDK as requested
  3. Mention that you are working in earnest with the SDK provider to resolve compliance issues
  4. Request that you would like to be able to publish updates while working through compliance issues

Google has told us that the appeals team has often granted approvals for appeals in extreme scenarios like this.

Thank you for your patience as we work to resolve this matter.

@chpypl
Collaborator

chpypl commented Apr 3, 2024

Hello,

Version 1.3.0 is released and contains changes to resolve this issue. Please see the changelog for more information on integrating.


4 participants