Google play Requires Prominent App Disclosure for using the useVisitorData hook

[wardjk87]

Our app uses version 3.1.0 and calls useVisitorData when our app initializes, in order to prevent fraud in our app. Recently we got the following correspondence from Google Play, stating that our app would be removed from the store unless we provide a prominent app disclosure inside our app:

"Your app is uploading users' Installed application information to https://api.fpjs.io/ without a prominent disclosure. As per Google Play’s [User Data] link

In cases where your app’s access, collection, use, or sharing of personal and sensitive user data may not be within the reasonable expectation of the user of the product or feature in question, you must provide an in-app disclosure of your data access, collection, use, and sharing and seek affirmative user consent."

We found no instructions for compliance with Google Play in order to user this paid plugin service. The documentation should include how to resolve compliance, in order to be able to use the plugin on an app released via Google Play.

[wardjk87]

[ilfa]

Hello @wardjk87,

Thank you for the issue. We are aware of this problem and already working on the solution. We are going to stop collecting the inventory of installed apps from user devices.

We are planning to release this fix to the Android agent first and then we will update the agent version in the React Native SDK. We are planning to do it at the beginning of October.

[wardjk87]

@ilfa Thank you for your prompt communication and feedback. Will the new version of the SDK not require a prominent disclosure in the app?

Since we do not want our app to be delisted, is there an alternative solution other than to remove the SDK or comply with the required in-app prominent disclosure? For example, will downgrading resolve the issue? We only have until Sept 30 to comply or appeal.

[ilfa]

@wardjk87 let me ask my colleagues about the exact ETA for the Android Agent release. (As I remember, you can even update it as a peer dependency without waiting for a new version of the RN SDK.)

[ilfa]

Hello @wardjk87!

I appreciate your patience. We couldn't guarantee a new release before September 30th, but I discussed available options with my team.

1. You could add a prominent disclosure that the list of installed apps is collected and shared with a 3rd party vendor.
2. If you use the library only for identification, you could downgrade to React Native SDK v2.2.0 and lower (to have Android SDK version lower than v2.3.0). If you use smart signals let us know which, and we could check if they were supported in this version. Here you can check the reasons for the major release v3.0.0, looks like it shouldn't be a problem to downgrade.

[wardjk87]

@ilfa Thank you for the prompt communication and practical steps.

We have investigated v2.2.0. It looks like we don't need to refactor our front end code.

On the backend, we pass the visitor ID to enforce our fraud detection with Fingerprint Pro. We use the following enforcement options provided by Fingerprint Pro to determine fraud: suspect score, vpn, ip geolocation, and bot detection. Are any of this not supported in v2.2.0?

We are going to test out our integration to see if we find any issues, and then we will submit a new version to Google Play.

[ilfa]

@wardjk87 VPN detection is significantly worse in this version, other signals are presented with the same quality.

I'll let you know as soon as we release a new version with the fix.

[wardjk87]

@ilfa We successfully released a version of our app with v2.2.0 of fingerprint, and so far Google has indicated we are compliant. Thanks for guidance. We will update the fingerprint version once a compatible version is available that does not require an in app disclosure.

[necipallef]

Hi @wardjk87, we released v3.2.0 version of the library, it should resolve the issue. Please use it and let us know if you face any problems. Thanks!