4 key changes from Google on app privacy and data, including a new ‘IDFV’ for Android
An IDFV on Android? Child and family protections? Limitations on the use of permanent device identifiers? App privacy nutrition labels? And, an Ads Personalization off switch that, like Limit Ad Tracking in the olden days of iOS 13, actually zeroes out your advertising identifier?
Well, sort of.
Google just announced a bevy of safety and security updates that apps have 30 days to comply with or be at risk of some sort of unspecified sanction. Several of them we knew about or were rumored, but at least a couple of them are new and interesting.
1. Android’s limit ad tracking now actually limits ad tracking
We knew this one and reported on it recently. Google’s Ad Personalization on-off toggle — its version of Apple’s old Limit Ad Tracking — has until now essentially relied on the honor system. Toggling ad personalization off didn’t actually reset the identifier.
As I wrote a month ago:
In the past, Google has essentially relied on the honor system: if an Android owner opts out of ads personalization, the advertising identifier was still available if an adtech vendor asked for it.
The reason was simple: the Android ad identifier, AAID/GAID, is also used for analytics, fraud detection, attribution, and more. But it was still odd. Now, toggling personalization off will set the GAID to a string of zeroes. Meaning that you can’t use it, even if you wanted to. (By the way, we checked: this will only impact about 2% of devices globally.)
That, of course, leaves a gap. So a month ago Google promised a new identifier, and now it has delivered on that promise: App Set ID.
2. App set ID: the new Android IDFV?
We’re not saying it’s the IDFV, but the new Android device identifier App Set ID bears a remarkable resemblance to the IDFV. It’s an identifier that will be common across all apps installed by a user from the same publisher. And it’s intended to be used for non-ad-based insights from the same developer.
As Google says:
For use cases such as analytics or fraud prevention on a given device, you may need to correlate usage or actions across a set of apps owned by your organization. Google Play services offers a privacy-friendly option called app set ID.
It won’t work on sideloaded apps or apps from another app market or store. It requires Google Play services on the device, and it requires a developer account that Google Play services recognizes. It’s long-lived but not permanent: it will be reset by a factory reset of the device, and if it hasn’t been accessed in 13 months it will go poof.
But don’t get too many ideas:
App set ID cannot be used for ads personalization or ads measurement.
Google is explicitly not allowing this to be used for advertising. This is simply for analytics, fraud prevention, and — I presume — any other non-infringing use cases publishers can dream up. Note: Google says you cannot connect this with the Android Ad ID (AAID/GAID), and you cannot connect it to “any personal and sensitive data for advertising purposes.”
Also, if you use Ad Set ID, you’re on your own in terms of legalities in whatever jurisdiction you operate. Google says:
That might put a bit of a damper on any excitement around a new identifier on Android.
3. Privacy nutrition labels for Android, sort of, and other big privacy changes
Apple recently added privacy “nutrition labels” for apps which display in their App Store preview. Google is about to follow suit.
While there’s no complete vision on how the data will be used, Google is now asking all developers to provide information about what data their apps collect:
Developers must provide accurate information related to personal or sensitive user data their apps collect, use, or share.
Google’s new privacy and data policies won’t only impact app listings. Disclosures and consent must be in-app, not just in app descriptions or on a website, and must be prominent: visible in ordinary usage of the app and not buried in a settings screen, Google says, adding that you “may not access or collect any personal and sensitive data until the user consents.”
In addition, apps in fintech, payments, and security categories have additional restrictions. Apps that collect device information like IMEI (International Mobile Equipment Identity) or IMSI (international mobile subscriber identity) must be disclosed, and generally may not be linked to other identifiers.
4. Kids & family identifier restrictions
Finally, if your app is for children, there are some new rules that you need to follow. Most important: only approved SDKs may be added to your app:
Your app must not include an SDK that is not approved for use in child-directed services.
There are a few implications here:
First off, tracking children using an ad ID is not permitted. But secondly, Google mentions people with “unknown ages,” which would seem to indicate that if you don’t know how old a user is, you need to use only Google Play certified ad SDKs to display ads to those users.
In addition, ads cannot involve interest-based targeting based on browsing behavior, can’t be retargeted/remarketed, must be appropriate for children, must follow Google’s family ads formats, and must — as usual — comply with all local regulations.
This is a lot, but there’s more
There’s likely a lot of work to do for app publishers here, including age verification and rework on what IDs or data you do or do not collect.
Few if any legit publishers would use any growth tactics like these, but in any case they are no explicitly prohibited.
Many publishers have been working hard on new privacy requirements on the iOS side. Now Google has provided some for the Android side.
Just in case you were getting bored.