Google Play, and subsequently Google Wallet, were subjected to scrutiny last week for its privacy policy. A developer found that the service sends him a customer’s personal information at the time of purchase. Some see it as a massive invasion of privacy, and one lawmaker wants answers.

The Hill reports that Rep. Hank Jonhson sent a letter to Google CEO Larry Page this week demanding answers in regards to Google Play’s apparent privacy issues. You may remember Hank Johnson from last year’s AppRights movement that sought to regulate how much information apps could take from users.

In the letter, Johnson says that Google’s sharing of consumers’ personal information with developers could have a number of negative consequences. Here’s the three he lists:

First, sharing certain personal information like a physical address may harm consumers. In the past, unscrupulous sellers have used physical addresses to threaten consumers who posted negative reviews of products or services online. According to an article in the New York Times in 2010, an online vendor of physical items used consumer information to threaten women who complained about overcharges and abusive customer service. In one instance, the vendor sent a photograph of the woman’s apartment with an email that warned “I AM WATCHING YOU!” to discourage further complaints. Although that instance involved a clear and present threat, the mere knowledge that criticizing an app is potentially harmful is also a threat to free and unencumbered speech. The harms of this chilling effect go beyond consumers. Developers use criticism and comments to improve products, resolve disputes, and grow as a company as they tinker with apps to improve them.

Second, sharing physical addresses may endanger the safety of children online. Many parents allow young children to use their parents’ mobile device for safety or financial reasons. It may concern or surprise these families to discover their child’s purchase of an app aimed to children also provides the child’s address. Beyond eclipsing parents’ expectations for children’s privacy on mobile device, these circumstances could also give rise to devastating harms.

Finally, over-sharing personal data may pose security risks. A third party may use paid apps that are purchasable through Google Play to cull personal data – physical location or otherwise – for identity theft. Just as a consumer has notice when app uses their geolocation, they should also have notice when their address is shared.

Now, Johnson doesn’t think developers are using consumers’ personal data in nefarious ways. He’s more or less curious as to why Google allows the sharing of this information in the first place. As such, he has posed a number of questions to Page in regards to the policy.

(1) Unlike some competitors in the mobile app ecosystem, Google acts as a marketplace for developers to exchange goods and services with consumers.
a. Please describe how an open marketplace benefits consumers.
b. How does a consumer’s experience on Google Play via a mobile device compare with their experience purchasing goods in other marketplaces?

(2) Please discuss the types of information shared with developers through Google Wallet.
a. How is this information necessary for developers to process transactions?
b. What other purposes does sharing this information serve?
c. How is the breadth of information shared proportionate to Google’s need to share it?
d. Have any harms or breaches of trust occurred because of this sharing?

(3) The Google Wallet Privacy Policy states that it only shares information with third parties like developers as permitted until the Google Privacy Policy or as necessary for transactions.
a. What is the process for the consumer to obtain notice in this statement or in the Google Privacy Policy?
b. Is there a moment during purchasing an app where they learn that their address is disclosed as part of purchasing an app through Google Play?
c. Was this also the policy for payment processing before Google Play?

(4) The Google Wallet Privacy Policy states that Google is not responsible for how developers or other third parties choose to use or share consumer information.
a. What precautions does Google take to avoid harmful uses of consumer’s data by third parties?
b. Are there any mechanisms in place to mitigate the exploitation of data by third parties?

Google has until February 28 to provide an answer. Knowing the company, it will probably address some of the questions posed by Johnson, but not all.