I have developed 2 simple webapps in html+javascript for android. And today I have received 2 email from google ( 1 for each app ):
Hello Google Play Developer,
Our records show that your app, xxx, with package name com.xxx.xxx.xxx, currently violates our User Data policy regarding Personal and Sensitive Information.
Policy issue: Google Play requires developers to provide a valid privacy policy when the app requests or handles sensitive user or device information. Your app requests sensitive permissions (e.g. camera, microphone, accounts, contacts, or phone) or user data, but does not include a valid privacy policy.
Action required: Include a link to a valid privacy policy on your app's Store Listing page and within your app. You can find more information in our help center.
Alternatively, you may opt-out of this requirement by removing any requests for sensitive permissions or user data.
If you have additional apps in your catalog, please make sure they are compliant with our Prominent Disclosure requirements.
Please resolve this issue by March 15, 2017, or administrative action will be taken to limit the visibility of your app, up to and including removal from the Play Store. Thanks for helping us provide a clear and transparent experience for Google Play users.
Regards,
The Google Play Team
These are the manifests:
FIRST APP:
<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
package="com.xxx.xxx.xxx" >
<application
android:allowBackup="true"
android:icon="@mipmap/ic_launcher"
android:label="@string/app_name"
android:theme="@style/AppTheme" >
<activity
android:name=".MainActivity"
android:label="@string/app_name" >
<intent-filter>
<action android:name="android.intent.action.MAIN" />
<category android:name="android.intent.category.LAUNCHER" />
</intent-filter>
</activity>
</application>
</manifest>
SECOND APP:
<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
package="com.xxx.xxx.xxx" >
<uses-permission android:name="android.permission.INTERNET"/>
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
<application
android:allowBackup="true"
android:icon="@mipmap/ic_launcher"
android:label="@string/app_name"
android:theme="@style/AppTheme" >
<activity
android:name=".MainActivity"
android:label="@string/app_name" >
<intent-filter>
<action android:name="android.intent.action.MAIN" />
<category android:name="android.intent.category.LAUNCHER" />
</intent-filter>
</activity>
</application>
</manifest>
And this is what the Google Play console show me in the "Store Listing" for both apps:
Your app has an apk with version code 6 that requests the following permission(s): android.permission.GET_ACCOUNTS. Apps using these permissions in an APK are required to have a privacy policy set.
As you can see from the manifest file, I am not requesting that permission.
So what do I have to do now ?
EDIT:
librarias used in both apps:
import android.content.Context;
import android.content.Intent;
import android.net.ConnectivityManager;
import android.net.Uri;
import android.support.v7.app.AppCompatActivity;
import android.os.Bundle;
import android.view.Menu;
import android.view.MenuItem;
import android.view.View;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import android.support.v7.app.AppCompatActivity;
import android.os.Bundle;
import android.view.Menu;
import android.view.MenuItem;
import android.webkit.WebChromeClient;
import android.webkit.WebView;
import android.webkit.WebViewClient;
EDIT 2:
Dependencies in the build.gradle:
dependencies {
compile fileTree(dir: 'libs', include: ['*.jar'])
wearApp project(':wear')
compile 'com.android.support:appcompat-v7:23.0.1'
compile 'com.google.android.gms:play-services:7.8.0'
}
Maybe play-services request that permission ?
I'm pretty sure that you're using some ad network or dependency that request such permissions.
As an example several ad networks relies on READ_PHONE_STATE permission which could also trigger such notice from Google.