Attention is being focused on how Google Play — Google’s app and content store — provides the name, email address and city location of those who purchase apps. Google’s privacy policies don’t make clear this is happening, something Google probably needs to correct.
Personal Info That Google Gives Developers
Developer Dan Nolan posted about this issue yesterday, saying that he found that for those who purchased his Paul Keating Insult Generator app on Google Play, he was able to see their email addresses, suburbs (which I’ll assume means city names) and in some cases, their full names.
That wouldn’t necessarily be bad, if Google Play purchasers understood this was happening. But Nolan feels it’s not clear:
Every App purchase you make on Google Play gives the developer your name, suburb and email address with no indication that this information is actually being transferred. With the information I have available to me through the checkout portal I could track down and harass users who left negative reviews or refunded the app purchase
In terms of hunting down those making bad reviews, given that reviews already show full names, which often lead to Google+ pages where people may share even more information about themselves, that’s perhaps not such a big problem. Nor have there been many reports of this type of thing happening in all the time Google’s run its app store.
Not New, Not A Bug
That’s also important because this isn’t something new but rather the way Google Play has always operated, Google has confirmed to us. The company had no comment about today’s attention other than to say Google Play has always operated this way, nor is there any bug involved.
But handing out email addresses is, to me, pretty personal information. It is to Google, as well. I sure had no idea that Google Play did this. Nor do I think others would understand that.
Looking For Disclosure
Here’s what you see when you buy an app through the Google Play site:
Nothing in that purchase window lets me know that the developer (rather than Google) is going to get my email address. Nor does the subsequent confirmation screen.
At best, there’s a link that I agree to terms of service that might allow this. What do those say about sharing? Let’s see.
Google Play’s Terms Explain What Magazines Get, Not Others
There’s a section that explains Google may collect personal information:
Information about You. In order to access certain services in Google Play, you may be required to provide information about yourself such as your name, address, and billing details. Google’s privacy policies explain how we treat your personal data and protect your privacy when using Google Play.
Whether your email address might be shared with others seems to be relegated to something covered in Google’s broader privacy policy. Yet, further down in the Google Play terms is this:
If you purchase a subscription of any length on Magazines on Google Play, Google will share your name, email address, mailing address and a unique identifier with the magazine’s publisher. The magazine publisher will use this information in accordance with its privacy policy. You will be provided the opportunity to opt out of any communications from the publisher that do not relate to the subscription you are purchasing, and to opt out of marketing communications from third parties, at the time you purchase your subscription. If you purchase a single issue on Magazines on Google Play, Google may provide your postal code to the magazine’s publisher. We also provide magazine publishers with sales information on magazine purchases.
For some reason, Google thinks it’s important to highlight that when you buy a magazine subscription, your name, email and mailing address will be given to a publisher. So why not do that for app purchases, explain what developers get? And since it’s not spelled-out, are some users (the few who read the policy) reasonably assuming their emails are not being shared?
Main Privacy Policy Provides For Sharing
As for Google’s main privacy policy, it probably gives Google cover for sharing in the way it does, in this section:
For external processing: We provide personal information to our affiliates or other trusted businesses or persons to process it for us, based on our instructions and in compliance with our Privacy Policy and any other appropriate confidentiality and security measures.
Of course, I don’t know if I consider some small app publisher I’ve never heard of before to be a “trusted business” with Google just because they’re in the Google Play Store. I suppose so. But then again, if they do something wrong, Google might drop them from Google Play but have no ability to also take back my email address from them.
It’s also not clear that downloading an app requires a developer to need my email for “external processing,” which is one of the reasons why Google says it might provided personal information like email without a user’s consent.
Google Wallet Policy Provides For Sharing, Too
As for the Google Wallet privacy policy — relevant because technically Google Play purchases are made with Google Wallet — it largely refers people back to the main privacy policy to understand how their personal information may be shared. It also contains the same language about sharing if needed to process a transaction.
Better Disclosure, Please
In the end, I’d say Google’s doing a poor job of disclosing that emails are being passed along to developers. The privacy policies may allow it, but if this is going to be spelled-out for magazine purchases, be clear for other purchases, too — and especially make that clear at the time of purchase.
By the way, Google did say that information is not shared for free app purchases, only paid ones.
As for why developers might find this information useful, not to harass purchasers but to help them, see our related story, Why I’m Glad Google Play Gives Developers Customer Data.
Comments