Google Play keeps detecting collection of personal and sensitive information, rejecting my app

Never mind. Turns out that Google Play reviewers have no idea how their own system works. Developers have to submit a new build to all active test and production branches otherwise it gets rejected.
See post Google Play keeps detecting collection of personal and sensitive information, rejecting my app page-3#post-6103743

I was trying to make an internal test build before releasing an update. So Google was reviewing a 2 year old production version instead of the one I was uploading. I still can’t believe it, they’re literally worse than Apple.

1 Like

So as per the screenshot in https://discussions.unity.com/t/789616 page-2#post-6000224 “Android: Unity analytics does not get advertising ID anymore”, does it mean if I am using Unity Editor 2019.4.15f1 and later that Unity Ads, IAP and the included Analytics don’t collect “personal and sensitive information” mentioned in app details anymore and that I don’t need to use the settings below?

My Advertisement package version is 3.6.1 or later and In App Purchasing package version is 2.1.1 or later.

Also, should I answer Yes or No to the collecting “personal and sensitive information” question?

Edit: Thanks in advanced.

Edit2: According to https://docs.unity3d.com/Manual/UnityAnalyticsCOPPA.html , “In order to provide analytics for your games, Unity Analytics
generates an anonymized user ID for each user in your game. We do not use any of these IDs generated from Child Apps to track users across apps built by other developers or to map users between different services, devices, or browsers on the same computer. In addition to these IDs, Unity Analytics also collects the following personal information from Child App users: IP address, identifiers for advertisers (IDFA is only collected if Unity Ads is also enabled) and device identifiers (IDFV, Android device ID or IMEI if Android device ID is unavailable).”

Are IP address, identifiers for advertisers and device identifiers considered personal and sensitive information?

Yes! This was our issue as well. An older build in the Test Tracks kept flagging the new submission. We cleared everything and submitted a new update and it got approved :slight_smile:

I am sorry for resurrecting this but this post echoed so many of the troubles I have been encountering with Google Play.
It is by far the shittiest platform ever. You have to get ready to deal with bots with fake human names that do not provide any useful information, and be ready to possibly find yourself wasting ungodly amounts of time.

I couldn’t second this more. I have recently realized this too. Your tracks are NOT independent!
The Console is so messed up that it cannot even agree with itself depending on whether you’re looking at an internal/alpha/beta track or the App Bundle Explorer.
It’s a laughable joke.
The entire Google system is over-engineered, it’s a pain, it’s a maze, it’s messed up beyond belief.
The sheer, complete incompetence that is at play at Google is nothing short of totally insane!

Exact same story. It is that stupid. I have been delaying a full release, including translation, because of things like this.
I have spent months trying to get through the issue of them saying that my testing releases were not fit for the Designed for Families program (the bundles always got a “conditionally passed” tag), despite the fact that in App Content it’s literally written that my app DOES NOT belong to this flipping program!!
I kept returning into stupid and never ending cycle of bot-bot-bot sorry two business days etc. Imagine how much time you’re losing chasing their own failures!

They have also been telling me I had to deactivate bundles… which you cannot do. All you can do is make new releases and deactivate channels, assuming you use alpha or beta releases, otherwise in internal since it’s just one big track it’s all or nothing.
Picture this: the A.B.E. is able to tell me that some bundles are active despite the fact that:

  • they are used in deactivated channels!
  • never ever got the damned green checkmark!

How can it get more stupid than that really??

Yes, that’s the path to follow… when the Console doesn’t literally eat up own of your uploads and corrupts a release, making it impossible to be modified and not providing a way to add an already added bundle or upload a new one.

This is not all. Here’s something fun about the Internal track.
I have deactivated all alpha channels and have no beta open yet.
There’s that link in Testers, in the Internal track, to go grab your app from the Play Store.
If I copy and paste it, it opens a page that literally uses an old obsolete logo and points to an old version that is only referenced in an ALPHA channel, despite my Internal release being green check marked!
Yes, wrong bundle, wrong track.

There’s also that summary of each release in Internal that says that your app is available in a given number of countries, despite the fact that regional targeting is literally IMPOSSIBLE in the Internal track as per their documentation.
There aren’t enough facepalms for this sh*t really.

The chief executing officer of that entire department should get fired for this. Such BS has been going on for years!

Absolutely useless indeed!

And I am most certain that after a while, you entered a phase wherein the bots kept saying you had to deactivate a given build, as if there was any way to actually do this operation directly, like by pressing on a simple button (duh) without resorting to the convoluted demoting of a bundle by forcing a new one into all tracks.
I mean, who the f*** even thinks like that?

As far as my experience goes, working with Apple’s AppConnect system has been a joyful breeze in comparison and they don’t spam you with robotrash email like Google does.
Google is all about AIs AIs AIs but we see how far this nonsense goes and it’s pathetic and unreliable.

1 Like

This helped me once when I had to deactivate an APK I guess you can do the same for bundles:

"
So now the question is what can you do to deactivate it? The answer is a bit confusing in the UI, but makes sense once you think about it. You need to

  • create a release with NO (0!) APKs in it
  • publish that release to the beta track

This tells Play that you deliberately want there to be no active APKs in Beta. These users will still get production APKs, but your old beta APK will no longer be active. We’re sorry this got confusing, you were caught by a subtle edge case.

"
From: android - Remove obsolete beta version from Google Play - Stack Overflow

I have found a reason why any game/app made with Unity cannot be targeted to include any children.

In Unity’s Privacy Policy page ( Privacy Policy Hub) under the section
I play a game that was built with or uses certain Unity software, what should I know?”,
It says Unity collects “unique advertising identifiers”, e.g. “Android Ad ID”.

This does not square up with the recent (Nov 16 2021) Google Play Developer Policy Updates 2021 - APAC /EMEA video:

Precisely, at 25:17 (&t=1505s), that second bullet point, which says “You must not transmit Android advertising identifier (AAID), … from children or users of unknown age”.

I hope I’m wrong about how I’m reading this! I would really like to include children with my target audience, and apply my educational app to the Designed for Families Program. (App is free and does not have any ads. It just uses vanilla Unity, no analytics/packages at all, only regular Unity and I don’t collect/share anything.)

A separate issue I’m wondering about is Google’s own confusing presentation to explain details about how to answer if your app “collects” data. Provide information for Google Play's Data safety section - Play Console Help under “Data Collection” section, that seems to very much include Unity-developed games/apps in both its definition at the top and the first bullet point of “Libraries and SDKs”. I am thinking, parents would want to know about this. However, at the bottom of this same section, it gives some potential out because of “end-to-end encryption”-- which I believe @JeffDUnity3D has explained that Unity satisfies, because Unity sends its data over SSL connections. Just because it’s transmitted securely, data is still “collected”-- isn’t the the entire point of including this disclosure?

Besides using Charles Proxy, couldn’t there just be a list of examples that Unity devs can look up to see how to properly answer, depending on what kind of Unity app we made? Like we choose “regular Unity, no packages” , “with Unity Ads”, “Analytics”, etc. Even for just the most popular publishing scenarios.

1 Like

Nice post.

FWIW, the GPC did send me a large number of stupid warnings during development, some about violations regarding the Designed for Families, even when my app is not designed for this segment and specifically kept out of it. Sometimes their robots posted random garbage, sometimes outrageously long lists that were like a collection of all things that could go wrong with an app, often under “Conditionally Passed”. I wasted tons of time trying to solve them ahead of further uploads when in fact the best option is just to run the blockade and see what goes on when publishing at the higher level. Otherwise you’ll get mad trying to comply with all sorts of Googlean nonsense. Just force your way through and f*** robots.

1 Like

Another ref from Google’s Families Policy Requirements (#5, first bullet point):

Thank you Starbox. I feel very bad for you and @CanisLupis to have had to go through all that heartburn. It’s one thing to labor over code to create software, but going through the publishing process with such stress would drive me nuts. Reminds me, I tried claiming a knowledge panel this year numerous times, went through all kinds of hoops but just got caught in a loop of canned responses back from Google, and never got it. and I have my doubts about sympathies for this kind of struggle from the general public, given 61% of apps not being upfront about what they send
ref: https://www.washingtonpost.com/technology/2021/08/29/facebook-privacy-monopoly/
and this one (it focuses on Apple, but 61% of top Iphone apps not being upfront about tracking can’t give the general public a nice safe feeling about apps in general). https://www.washingtonpost.com/technology/2021/09/23/iphone-tracking/ Is it just part of the overall price of everything being “free”?

My Google Play Console’s Data Safety section for my app says, “App doesn’t collect or share data”. (It does because it uses Unity? but has end-to-end encryption so is exempt??) It has my “security practices” at “Data isn’t encrypted” (actually it is, by SSL, but it thinks my app doesn’t collect data) and “Data can’t be deleted”. I haven’t had the problems described in this thread, but it doesn’t seem right to me. I just wish it were a lot more clear.

I’m afraid even with a ‘paid’ model, data leaking is now a staple and legal powers, for what they’re still worth, are trailing eons behind until another big company stomps into the courts.

If this is true, can this be stated explicitly in Unity’s Privacy Policy? I trust you as an authoritative source, and I’m happy to hear it-- just saying, this was not clear to me, in light of the official Privacy Policy page.

Unity’s page on CCPA (California’s law similar to Europe’s GDPR) seems to be more consistent with what you’re saying, making more of a distinction between whether or not a game has Unity Ads, but the Privacy Policy page leaves this point vague, and the reader would logically (and may legally) conclude that core Unity does indeed collect Ad ID.

The CCPA page seems to try to make some point about how, to paraphrase it, “Unity would never gasp sell your personal information, because of Unity’s definition of sell you see, but actually according to the law, um, we do.” Otherwise, the general tone of Unity’s legal pages is good and practical.

1 Like

Maybe it is safer to assume that a level of data leaking and selling occurs but try to find a legal choice that corresponds to a low intensity leak. Sort of.

I’ve passed your feedback to the legal team.

1 Like

Lol, this is funny.

Then a couple of sentences later.

Lol.

2 Likes

So they don’t sell it, they “just” share it. Ahem.

I just finished a new children’s game, and was going to publish it to Google Play.

But their Families Policy Requirements says: “You must not transmit Android advertising identifier”
And Unity privacy policiy says: “Unity has collected (…) unique advertising identifiers”

So it’s not possible at all to create a children’s game with Unity? Or are there any workarounds you can do? Maybe manually removing the internet permission from the app, so it can’t be transmitted?

Do you have ads in your game? What version of Unity are you using?

No ads. Version 2019.4.12f1

The problem is that your privacy policy says that you always collect the advertising ID. For all versions of Unity, and even when there are no ads. That is not compatible with the Google Play Family Policy.

Did you have uploaded the game to google play and got rejected or this is a preliminary question about a mismatch between google play requirements and what unity states inside their own privacy policy?

Because this is a thread about google rejecting the apps for various reasons.

But don’t get me wrong I’m curious about the answer to your question.

But also looking at this page

if you are targeting the Google Play Family Policy, you can see that there are certified SDKs for unity, approved by google for this specific ad program. So if you follow those instructions and you use the code provided there should not be a problem between you google and unity.

I think they have some deal behind the scene on what they can get from the users of the app, ecc

I’m speculating but maybe unity will behave differently, will collect information differently if the build is set to use those SDKs. This to conform with google legal requirements.

So maybe you are reading the wrong unity policies. you need to check those that are related to those google approved SDKs

Edit: or maybe I’m reading all this wrong. :smile: don’t mind me.

This information may help https://docs.unity.com/ugs-overview/Resources/IAP_Google_data_safety.pdf

I was going to upload it, but stopped when I read their family policy. I dont’t want to get it rejected. That may increase the risk of getting my account suspended.

That page says it’s ok to use Unity ads, but it doesn’t say about Unity game engine. My game doesn’t have ads, but it looks like Unity will collect and share the ad Id anyway.

I would prefer not to guess what Unity is doing. If they are not collecting the ad ID in every game, they should say so in their privacy policy.

This is about in app purchases. I don’t use that. No ads. No IAP. No analytics.

Do you have a similay sheet for just plain games with no services added?