Apps should not transmit the following from children or users of unknown age:
- Android Advertising ID (AAID), SIM Serial, Build Serial, BSSID, MAC, SSID, IMEI, and/or IMSI
This means that apps which solely target children should never transmit these identifiers, and apps that target children and older age groups may only transmit these identifiers from users that they know are adults.
Transmit means to send data through the network to any off-device destination, including the developer’s own server as well as destinations not controlled by the developer.
In addition, apps targeting children should not request the device phone number from the TelephonyManager API.
As part of Google Play services update in late 2021, apps with target API level set to 31 can use a new Google Play services permission to control access to Android Advertising ID (AAID). To help with compliance, developers with apps that solely target children can use this mechanism to ensure that AAID access is disabled. Details can be found in the AAID section below.
Where needed for analytics, developers are encouraged to use app set ID.
How to comply with Families data practices for SIM Serial, Build Serial, BSSID, MAC, SSID, IMEI, IMSI, and phone number
To comply with Families data practices for SIM Serial, Build Serial, BSSID, MAC, SSID, IMEI, IMSI, and phone number, all apps:
- Can have a target API Level of at least 29 (Android 10) to help prevent these identifiers from being transmitted by your app;
- should not transmit these identifiers from children or users of unknown age, or use SDKs that transmit these identifiers from children or users of unknown age; and
- should not request or collect the phone number from the TelephonyManager API.
How to comply with Families data practices for Android Advertising ID (AAID)
Apps that target children
Apps that solely target children can comply with Families data practices for AAID in two ways:
- If your app is updated to target API level 31 (Android 12), ensure that your app or a library included in your app does not declare the new AAID permission, or that AAID is disabled. For more information on this permission and how to include or disable AAID, see this article. By updating to target API level 31 and not including the permission, AAID will automatically be disabled (set to a string of zeros).
- You must ensure your app code and SDK calls are configured correctly such as to not transmit AAID. This may require doing one or more of the following:
- Modifying the SDK configuration settings inside your code or your app config file.
- Modifying individual calls to the SDK, such as including a tag in an ad request that indicates the user is under the age of consent.
- Updating global app settings on the SDK website or configuration portal. For example, turning on a global child directed setting on the SDK configuration portal.
- It is possible that certain SDKs may not have the ability to function without transmitting AAID. In this case, you must remove these SDKs from your app.
As a reminder, apps that solely target children must only use SDKs that have self-certified their compliance with Play’s Families Ads Program requirements to show ads and should only use SDKs which are approved for use in child directed services.
Apps that target children and adults
To comply with Families data practices for AAID, apps that target children and adults:
- Must make sure that AAID is transmitted only when it's known that the user is not a child:
- Ensure that, by default, app code and SDKs do not transmit AAID
- Only after determining that the user is not a child, adjust code, SDK settings, and SDK calls such that AAID may be transmitted. For example, once you have determined the user is an adult, you may remove a tag from an ad request that indicates the user is under the age of consent.
As a reminder:
- Only use SDKs that have self-certified their compliance with Play’s Families Ads Program requirements to display ads to children or users of unknown age
- Apps that target both children and adults must not implement APIs or SDKs that are not approved for use in child-directed services unless they are used behind a neutral age screen or implemented in a way that does not result in the collection of data from children (see Families Policy Requirements).