According to Google Play's Developer Program Policies, a developer
Currently, though, we track user installs using three different third-party services: Branch.io, Mixpanel and AppsFlyer. I have a BroadcastReceiver registered on my AndroidManifest.xml
<receiver
android:name="org.example.InstallListener"
android:exported="true">
<intent-filter>
<action android:name="com.android.vending.INSTALL_REFERRER" />
</intent-filter>
</receiver>
The code for the BroadcastReceiver goes like this:
public class InstallListener extends BroadcastReceiver {
@Override
public void onReceive(Context context, Intent intent) {
// Mixpanel
InstallReferrerReceiver mixpanelReferrerTracking = new InstallReferrerReceiver();
mixpanelReferrerTracking.onReceive(context, intent);
// Branch.io
InstallListener branchIoReferrerTracking = new InstallListener();
branchIoReferrerTracking.onReceive(context, intent);
// AppsFlyer
SingleInstallBroadcastReceiver appsFlyerReferrerTracking = new SingleInstallBroadcastReceiver();
appsFlyerReferrerTracking.onReceive(context, intent);
}
}
This is based on a guide by AppsFlyer for registering multiple install trackers.
The question now is, if we are to comply with Google Play's policy above, how can we obtain the user consent before we send the referrer data to our third-party libraries?
From what I understand, the com.android.vending.INSTALL_REFERRER is broadcasted and received by the BroadcastReceiver upon installation from Google Play, so I imagine this could be anytime before I can even launch a dialog to ask for the user's consent.
Is it also correct that installation tracking data is part of the personal or sensitive data that the policy is referring to?
One solution we are considering is to save the referrer extra from the intent to SharedPreferences after receiving the broadcast, then pick it up from there once we obtain the user's consent and only then pass it on to the third-party trackers. Would this solution be correct?
There is no real need in storing the data in your SharedPreferences "independently" - You can simply implement the MultipleInstallBroadcastReceiver provided by the AppsFlyer SDK and hold the SDK initialisation to after getting the user's consent. This will probably apply to other SDKs that collect this data.
In addition, I can say that the vast majority of AppsFlyer users are using (one of the) MultipleInstallBroadcastReceiver / SingleInstallBroadCastReceiver receivers, and we have never encountered any issues regarding this.
P.S. A bit off topic, but might be relevant - Google offers a newer / better / more secure way of obtaining the Store's INSTALL_REFERRER: https://developer.android.com/google/play/installreferrer/igetinstallreferrerservice
With AppsFlyer you can just import the 'com.android.installreferrer:installreferrer:1.0' library using gradle and the AppsFlyer SDK will do the rest.