Starting in 2020, we at Pushbullet began receiving more and more Play Store policy violation notifications from Google. At first the violation notifications seemed plausible, if a bit abrasive. At this point though, I’m pretty sure we’re being picked on by an AI. We’ll see what you think after you hear our story.
Let’s get some basics out of the way
To start off, it is very reasonable for you to think we must be doing some pretty horrible things if we are receiving so many policy violation notifications from Google. To address this, I’m going to show you that we are not only not doing horrible things, we are often not doing anything at all.
Next, I want to establish some quick facts about Pushbullet. 1) our app has zero advertising in it, 2) we do not share any data with third parties and 3) we have end-to-end encryption available for users using our optional features that are more sensitive. This is basically the dream for users of a (mostly) free service.
With that out of the way, let’s dive in to just how we’ve become such experts on Play Store policy violation notifications and how we’re still on the Play Store today.
What is a Play Store policy violation notification?
A Play Store policy violation notification is an email that informs you that your app is going to be removed from the Play Store in 7 days unless you can address the policy violation. Here is what they look like:
As you can see above, the violation and how to resolve it are very clearly communicated. After all, the only thing you need to do is add a valid Privacy Policy to your app and Play Store listing along with prominent in-app disclosure. Couldn’t be easier.
Unless you already have those things, as we did. If that is the case, then the guessing game begins. Here is where we can share our experience and wisdom from years of guessing that Google wants.
So, how do you survive for years while receiving all sorts of policy violations from Google?
To answer this question, I’m going to analyze each of the violation notifications we’ve received the past couple of years and share how we addressed them.
June 9, 2020, the beginning
The first thing to know is that this notification was received out of the blue, not as part of a review to publish an update. I just woke up one day to this notification.
This was the first time Google informed us of Privacy Policy and disclosure issues so we made a good faith effort to resolve this (before is on the left, after on the right):
Notice that we ensure a clear disclosure everywhere and link to link to the Privacy Policy during our onboarding flow. Exactly what Google wanted and we felt this was reasonably well done.
We submitted the update, it was approved, and we assumed we had resolved this issue.
(We were very wrong)
July 7, 2021, around 1 year later
I attempted to publish a small update to our app and received this violation notice in response:
I guess something is still wrong with our disclosures or Privacy Policy? I took a look and noticed we didn’t have a link to our Privacy Policy on the screen where users can enable / disable SMS sync. I had only added a link to the screen during the onboarding flow. Such an easy mistake to make, and easy to fix.
I added the links to the SMS settings screen, submitted another update, and this time it was approved without further issue. This Privacy Policy issue must be done now. Right?
Nope.
July 21, 2021, three weeks later
Again, when attempting to publish a small update I received this:
Hmmmmmm. Ok. At this point I have no idea what the real issue is. After thinking up possibilities, I come to the conclusion that I will prepare a specific Privacy Policy page for our SMS sync feature and have it stored locally in the APK so there is no potential for networking to cause trouble:
I submitted another update with this change and it was approved. Finally cracked the code and got this fixed forever!
Wrong.
February 12, 2022, six months later
Out of the blue I once again woke up to a policy violation notification from Google. No recent app updates or anything like that. Upon reading the policy issue it hit me: this may never end.
I am clearly not making Google happy. I really really need to make Google happy. Let’s try another idea for how to make Google happy.
This time I moved the link to our Privacy Policy up to the top of the screens and added a dialog where the user must manually confirm the data upload disclosure before we allow them to enable the feature:
Surely, surely this must be good enough? So I submitted another update with these changes, and praise be it was approved. I must be good at this guessing game!
(You can laugh at me)
May 15, 2022, three months later
Is it reasonable to be getting a little frustrated at this point? I hope so. I have been genuinely trying to make Google happy but this damned Privacy Policy appears to be beyond my capacity.
In my head I’m composing epic rants about denial-of-service attacks against humans due to the asymmetric effort of responding to a violation notification versus issuing them. But nobody has time to write that. Instead I get back to guessing what Google wants from me.
I’ll admit, this time I was feeling a little petulant with my change. I just increased the size of the in-app text for the Privacy Policy link and re-submitted.
Approved! I don’t like this world very much.
(Decaying sanity)
October 2, 2022, 4 months later
Oh my god.
But there is beacon of hope this time! If you really really really look, the issue is more clearly articulated. The issue appears to be that the Privacy Policy I link to in our Play Store configuration does not have new SMS sync section that I added to the in-app Privacy Policy.
I thought that since our SMS sync feature can only be enabled in-app, the focused in-app policy would be great since it focuses on just that specific feature.
This was a horrible horrible terrible idea and I should feel bad for having it.
I put together a new policy that kind of merges all the things and updated the Privacy Policy link in our Play Store settings. This didn’t need any in-app changes but the violation notification’s instructions clearly say I must update my app so I proceed to do that.
Approved.
(Weary beyond words)
October 26, 2022, three weeks later (yesterday)
At least this one is a little different? I think all I need to do is add a few words explaining that when you select a Google account to sign in to our app, that email address is sent to our servers. Should be easy but, in all sincerity, does this seem like a reasonable chain of events to you?
Somehow our app was perfectly acceptable to Google THREE WEEKS AGO. But now, today, we must drop everything and immediately tweak our app-linked Privacy Policy or our app and company is shot in the head by Google.
What you and I are up against
Google has always loved automated enforcement. They’ve been doing it since the dawn of time. There is no point in complaining. Instead, let’s try to understand how what is happening and what we can do to survive.
To enforce Google’s extensive set of policies automatically, Google’s tool of choice is to employ machine learning / AI.
AI is an amazing tool for Google. They can train a model to identify apps that appear to not be in compliance with a policy and then check every single app in the Play Store constantly.
For us as app developers, this has two issues. First, there will be false positives. It is possible we really don’t have any violation. Second, as more and more policies have their enforcement automated, not only does the chance of receiving a false positive violation notification go up, but also trivial policy “violations” suddenly become enforced with an iron fist.
The mental model to embrace to maintain your sanity
We believe the first thing you should do is internalize that policy enforcement at Google is entirely mechanized.
Your app did not receive a deliberate analysis by a human leading to the violation notification. There is no one to debate. There is no opinion at all. Your app simply didn’t look enough like the AI’s training data.
This means that when you receive a violation notification and your first thought is to try to speak with someone, you are already thinking about things the wrong way.
The correct response to a policy violation notification
Now that you know you’re up against an automated policy enforcement AI, your goal is to look as much as possible like the training data. Unfortunately, this can be easier said than done since we do not have access to the training data.
All is not lost, however. You have actionable info in the simple fact that what your app looks like now is not acceptable. Identify a set of changes you think may be viable solutions, then simply change even more things that would generally appear to bring you even further into compliance. The more things you change, the more likely one of them is going to get you the green light.
For now.
You’re only in compliance for now
A mistake I made repeatedly is thinking once my update was approved, we were good until I updated again. This will never be the case.
New policy enforcement AIs are being trained all the time and existing ones are being tweaked. I think there’s little to do but accept that fending off policy enforcement AIs is going to be a cost of doing business for apps on the Play Store.
Action Required: Your app is not compliant with Google Play Policies
I know we’ll be receiving more of these emails in the future. In the end, as long as our updates get approved, the notices can be thought of as something like a modern nuisance.
On the other hand, if our updates stop getting approved, our inability to guess what Google needs us to do will result the removal of our app from the Play Store and the death of our company which will be a bit of a bummer.
For now we plan to make continue making changes to our app and submitting updates. Ideally our changes will continue being found acceptable and we can put this and future notices behind us.