paypal / android-checkout-sdk

Apache License 2.0

SDK automatically collects device location without verification of user consent. #281

Closed Kaszmir closed 9 months ago

Kaszmir commented 10 months ago

Hello,

I recently received a message from Google Play regarding our app's usage of the SDK com.paypal.android.sdk:data-collector, 3.20.0. Although this library is part of checkout:android-sdk, we do not directly utilize it in our app. We don't collect or utilize user location within our application, nor do we request location permissions from users.

I've made an update from version 1.1.0 to 1.2.0, aiming to rectify any potential issues associated with the SDK. However, I'm not sure if this update will resolve the matter.

I'm seeking guidance or potential solutions to disable the collection of device location by the data-collector. If you have any suggestions or advice on actions we can take to resolve this issue, it would be greatly appreciated.

Thank you for your assistance.

github-actions[bot] commented 10 months ago

Thank you for reaching out to the Native Checkout SDK team. This integration path is now inactive for new merchants. If you are an existing merchant, please contact us here for further assistance.

New merchants can integrate the Native Checkout experience via the Braintree Android SDK or PayPal Android SDK. For more information please see their respective developer documentation linked below.

chpypl commented 10 months ago

Hello, there is not a way to disable or customize collection of data from the data-collector library.

Kaszmir commented 10 months ago

@chpypl Thank you for your response. So the only solution is asking users about location permission?

christophe-chausseray commented 10 months ago

I received the same message from Google Play.

@chpypl As there is not a way to disable the data-collector library on this SDK, do we need to migrate to the new PayPal Android SDK? Will it solve the problem?

chpypl commented 10 months ago

Can you share the message from Google Play?

Kaszmir commented 10 months ago

@chpypl sure:

Your app contains an SDK com.paypal.android.sdk:data-collector, 3.20.0 - or has a library dependency on this SDK - which automatically collects device location without verification of user consent. In cases where users may not reasonably expect that their personal and sensitive user data will be required to provide or improve the policy compliant features or functionality within your app, you must provide an in-app disclosure of your data access, collection, use, and sharing. As a result, because this SDK enables collection without adequately checking for the consent, using this SDK version can result in your app violating the disclosure and consent and / or approved purpose requirements of Google Play's User Data and Permissions and APIs that Access Sensitive Information policies.

Review your app behavior to ensure compliance with these policies by February 5, 2024 midnight (UTC). If in violation, your app may be subject to additional enforcement at any time including removal from the Play Store and new app submissions being blocked from release.

chpypl commented 10 months ago

What version of the SDK were you using when you received the email?

Kaszmir commented 10 months ago

@chpypl 1.1.0 and made an update to 1.2.0

chpypl commented 10 months ago

Were you using a previous version of the SDK in a build published on google play? What version numbers were they?

Kaszmir commented 10 months ago

@chpypl Yes, we were using version 1.1.0 for a long time, and it was with this version that we got this message. After bumping up the version, the message still appears for the most recent build of our app, so I believe that the update from 1.1.0 to 1.2.0 did not help at all.

prof18 commented 10 months ago

@chpypl Same here! In our case, the email from the Play Store also says: "According to your SDK provider, you may consider upgrading to 3.21.0." Any chance we can get an updated version that uses 3.21.0?

mauromarques commented 10 months ago

same here, using com.paypal.android.sdk:data-collector, 3.20.0

pascaprevost commented 10 months ago

I also have the same issue :-(

pascaprevost commented 9 months ago

I put these 2 lines in my dependencies and there is no warning anymore on Google Play Store. Payments work fine also.

```groovy
implementation 'com.paypal.android.sdk:data-collector:3.21.0'
implementation 'com.paypal.checkout:android-sdk:1.2.0'
```

chpypl commented 9 months ago
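Pinning the transitive data-collector version as above works, but a plain `implementation` line is easy to lose in a later cleanup, and nothing tells you if another dependency path pulls the flagged 3.20.0 back in. The Gradle snippet below is an added example, not code from this repository or from PayPal: it expresses the pin as a dependency constraint with a recorded reason, and adds a build-time check that fails resolution if any configuration ends up with a data-collector version older than 3.21.0. The module name `:app` and the version numbers are taken from this thread; the `minimumDataCollector` and `olderThan` helpers are assumptions for illustration.

```groovy
// app/build.gradle (Groovy DSL). Added example; assumes an Android app module.

// Version the SDK provider recommended in the Play Store notice (from this thread).
def minimumDataCollector = '3.21.0'

// Compare dotted version strings numerically: returns true if a < b.
// Assumed helper; good enough for x.y.z versions, not a full semver parser.
def olderThan = { String a, String b ->
    def pa = a.tokenize('.').collect { it.isInteger() ? it.toInteger() : 0 }
    def pb = b.tokenize('.').collect { it.isInteger() ? it.toInteger() : 0 }
    def n = Math.max(pa.size(), pb.size())
    for (int i = 0; i < n; i++) {
        int x = i < pa.size() ? pa[i] : 0
        int y = i < pb.size() ? pb[i] : 0
        if (x != y) return x < y
    }
    return false
}

dependencies {
    // Checkout SDK; 1.2.1 already depends on data-collector 3.21.0 per the maintainer.
    implementation 'com.paypal.checkout:android-sdk:1.2.1'

    // Constraint rather than a direct dependency: it raises the floor for the
    // transitive data-collector artifact wherever it comes from, and documents why.
    constraints {
        implementation("com.paypal.android.sdk:data-collector:${minimumDataCollector}") {
            because 'Google Play flagged data-collector 3.20.0 (location collected without ' +
                    'consent check); provider recommends 3.21.0 or later'
        }
    }
}

// Fail the build if any resolved configuration still contains an older data-collector.
// This catches a future dependency that transitively requests 3.20.0 again.
configurations.configureEach { config ->
    config.incoming.afterResolve { resolvable ->
        resolvable.resolutionResult.allComponents.each { component ->
            def mv = component.moduleVersion
            if (mv != null
                    && mv.group == 'com.paypal.android.sdk'
                    && mv.name == 'data-collector'
                    && olderThan(mv.version, minimumDataCollector)) {
                throw new GradleException(
                    "Configuration '${config.name}' resolved data-collector ${mv.version}; " +
                    "Play Store policy notice requires at least ${minimumDataCollector}")
            }
        }
    }
}
```

To see which version actually ends up in the release build, and which dependency path brings it in, run `./gradlew :app:dependencies --configuration releaseRuntimeClasspath` and look for `com.paypal.android.sdk:data-collector`; the `(c)` marker in that report shows where the constraint above took effect.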

Hello, version 1.2.1 is now available with an upgrade to data-collector version 3.21.0. More info is available on the release notes

lol768 commented 8 months ago

@chpypl Is there/will there be any sort of post-mortem here about what went wrong here, and why the data collector didn't comply with disclosure/consent requirements from day 1?