Last updated on 01 July 2022 by Robert Bateman (Privacy and Data Protection Research Writer at TermsFeed)
Crashlytics can be an effective and convenient way for you to discover the causes and severity of crashes in your app. But to do its job, Crashlytics needs to collect and analyze a lot of information about your users and their activity.
Few things are more frustrating for a developer than their app repeatedly crashing. This can cause delays in development, degrade user experience, or, at worst, end up completely destroying your project.
This is where crash reporting software, such as Crashlytics, can be useful. Crashlytics will log usage data about your app and provide insights into the nature of stability problems.
Crashlytics provides a software development kit (SDK) that developers can integrate into an Android, iOS or Unity app. It later became part of Twitter's Fabric platform, which Google acquired in 2017, and Crashlytics is now part of Google's Firebase platform.
Your Privacy Policy needs to cover your use of Crashlytics. This only needs to be a short section, containing some key information specified by the Crashlytics Terms of Service.
It's also a requirement under certain privacy laws to which you're likely to be subject.
Many people think of "personal information" as being the obvious things like a person's name, address or social security number. However, the definition is a lot broader than this.
According to Crashlytics' Terms of Service, Crashlytics collects data such as:
This sort of data can constitute personal information. It reveals information about individual people, and can, in theory, be linked to them. It also reveals how individuals use your app. Many people would consider this to be intrusive.
The collection of device and usage information also falls under the ambit of certain data protection and privacy laws, such as:
These laws are in place to ensure that you treat your users' personal information respectfully and that you're transparent about what personal information you collect.
Not all privacy laws are equally demanding.
The EU's GDPR is at the demanding end. It covers every aspect of how you collect and process the personal information of your users, and it has a much wider definition of what constitutes personal information than most other privacy laws.
Generally speaking, you don't only have to consider the privacy laws of your home country. You must also obey the privacy laws of the places where your users reside. So if you have users in the EU, you're obligated to make sure your app follows the strict rules imposed by the GDPR.
We're going to take a look at three examples of Privacy Policies that make reference to Crashlytics. Each approaches the requirements slightly differently, but together you can learn from them and provide your users with something compliant and comprehensive.
Callabio appears to have covered most of what is required of it under the Crashlytics Terms of Service. However, it doesn't specifically state that this information will be used to track users, and it doesn't disclose that Crashlytics collects location data.
Callabio then goes on to provide links to further privacy information provided by Google and Fabric, which is a welcome addition:
Here's our second example, from DBDSoft. DBDSoft has included some of the information required by Crashlytics but not all of it:
DBDSoft identifies the types of information collected: "device state information, unique device identifiers, device hardware and OS information [...] physical location."
DBDSoft does name Crashlytics but doesn't specifically state that this information will be shared with them. It's important to mention this because your users need to know where this information is going.
Our third example is Momento. Its Privacy Policy names Crashlytics among the third parties it shares information with. This meets the requirement that you state that information will be shared with third parties, including Crashlytics.
Crashlytics is also mentioned in the Third-Party Services clause in the Third Party SDKs section. Here, users are informed that the Fabric SDK makes it possible for the app to "capture and collect crash logs through the Crashlytics service and interact with the Twitter Platform."
This meets the requirement that the types of information collected by Crashlytics are listed.
In the clause that covers what information Momento collects, a general Usage Information section notes that "anonymous analytical information" is collected when the service is used and this includes "information about your interaction with the Services, including the actions you take on the Services."
Even though Crashlytics isn't mentioned here explicitly, this clause still meets the requirement that you disclose that your app uses technology to track your users' activities and collect information from them.
Let's take a look at some examples.
Slack places an option to access its "Privacy and licenses" at the bottom of its Settings menu:
Tapping on this option leads to the following screen:
Here's a slightly different approach from Malwarebytes.
Here are the options available in the About screen:
The Crashlytics Terms of Service makes some specific demands of developers who have users based in the European Union.
If you have users in the EU, or if you're based in the EU, you'll need to abide by EU privacy law.
Just to reiterate: this applies to all the users you have in the EU. It doesn't matter whether you're based in the United Kingdom, United States, or the United Arab Emirates - or anywhere else, for that matter. What matters is where your users are located.
EU privacy rules apply to anyone collecting the personal information of people in the EU for the purposes of "offering goods or services." Note that this applies whether or not your app costs money or makes a profit.
The Crashlytics Terms of Service states the following:
Meeting EU data protection standards means abiding by these two important privacy laws:
Not every company is very good at complying with these rules. But it's very important that you do so, as the EU's Data Protection Authorities aren't shy about taking legal action.
In fact, Google itself was hit with an eye-watering €50 million fine from the French Data Protection Authority (CNIL) in January 2019 over the way in which it was collecting consent. It is therefore worth emphasizing that, by default, Firebase Crashlytics collects users' personal information without asking for their consent.
If you're serving EU users, you should enable opt-in reporting. Crashlytics provides this as an option rather than the default, so it's your responsibility to activate it. This gives your users real control over whether you use their personal information for this purpose.
Here's Google's guidance on how to do this for Android users within Firebase:
Many apps collect consent for crash reporting. Here's an example from Ookla's Android app, Speedtest:
You should also provide an option to allow your users to withdraw consent once they've given it (or provide consent if they've previously refused it). Here's how Speedtest does this:
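The following is an added example of how the opt-in and withdrawal steps described above can be wired up on Android. It is not Google's guidance and not code from any of the apps discussed on this page; it assumes the Firebase Crashlytics Android SDK (com.google.firebase:firebase-crashlytics) and the documented manifest meta-data that disables automatic collection. The `CrashReportingConsent` class, its package and the preference names are hypothetical.

```kotlin
// Added example (not Google's or TermsFeed's code). Assumes the Firebase
// Crashlytics Android SDK and, inside <application> in AndroidManifest.xml,
// the documented opt-out meta-data so nothing is collected before the user
// has decided:
//
//   <meta-data
//       android:name="firebase_crashlytics_collection_enabled"
//       android:value="false" />
//
// CrashReportingConsent, its package and the preference names are hypothetical.
package com.example.consent

import android.content.Context
import com.google.firebase.crashlytics.FirebaseCrashlytics

class CrashReportingConsent(context: Context) {

    private val prefs = context.getSharedPreferences(PREFS_NAME, Context.MODE_PRIVATE)
    private val crashlytics = FirebaseCrashlytics.getInstance()

    /** The user's stored choice, or null if they have not been asked yet. */
    fun decision(): Boolean? =
        if (prefs.contains(KEY_CONSENT)) prefs.getBoolean(KEY_CONSENT, false) else null

    /** Call once at startup (for example from Application.onCreate) to re-apply the stored choice. */
    fun applyStoredDecision() {
        // No decision yet means collection stays off, matching the manifest default.
        crashlytics.setCrashlyticsCollectionEnabled(decision() == true)
    }

    /** User opts in: persist the choice and turn automatic collection on. */
    fun grant() {
        prefs.edit().putBoolean(KEY_CONSENT, true).apply()
        crashlytics.setCrashlyticsCollectionEnabled(true)
    }

    /** User withdraws consent: turn collection off and discard any report queued but not yet sent. */
    fun withdraw() {
        prefs.edit().putBoolean(KEY_CONSENT, false).apply()
        crashlytics.setCrashlyticsCollectionEnabled(false)
        crashlytics.deleteUnsentReports()
    }

    companion object {
        private const val PREFS_NAME = "crash_reporting_consent"  // hypothetical
        private const val KEY_CONSENT = "crashlytics_opt_in"       // hypothetical
    }
}
```

A Settings toggle like the Speedtest one shown above simply calls `grant()` or `withdraw()`. `setCrashlyticsCollectionEnabled` persists its value across launches and overrides the manifest setting, so the stored preference exists mainly to drive the toggle's state and to keep a record of the user's decision; `deleteUnsentReports()` matters on withdrawal because a report captured while consent was active may still be sitting on the device waiting for the next launch.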
The Crashlytics Terms of Service gives the following requirement:
The Crashlytics Terms require that you obtain EU users' consent to transfer their data to countries outside of the EU.
This is a somewhat confusing provision.
The GDPR's rules on transferring personal information out of the EU to non-EU countries are set out in Chapter V. There are several lawful ways to perform such a transfer: the GDPR lists a number of safeguards, and the European Commission maintains a list of countries with an "adequacy decision", to which transfers require no additional safeguards.
It is possible to transfer a user's personal information out of the EU on the basis of their consent. However, this is normally a last resort, where none of the other safeguards are available.
In fact, data transfers to Crashlytics are covered by a different safeguard. Originally this was Google's certification under the EU-US Privacy Shield Framework. The Court of Justice of the EU invalidated Privacy Shield in July 2020 (the Schrems II judgment), and Google now relies on the European Commission's Standard Contractual Clauses for these transfers instead. Under either safeguard, it isn't necessary or appropriate under the GDPR to seek a user's consent to transfer their data outside of the EU for the purposes of using Crashlytics.
In light of this, it isn't clear why Crashlytics requires developers to obtain consent for such transfers. It is difficult to find any examples of apps that actually do this.
This fulfills Crashlytics' requirement that developers give their users notice of the international transfer of their personal information.
Although this part of Crashlytics' Terms of Service is confusing, and although it appears to have been ignored by many if not all developers, remember that you do agree to fulfill this requirement by using the service.
This must include information about:
You must disclose that:
There are extra requirements pertaining to any of your users in the EU:
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.