20 April 2020
Google Firebase is a valuable tool for developing mobile apps. But Firebase allows Google to collect your users' data in a variety of ways, and you are legally obliged to make your users aware of this.
Several Firebase products collect personal information from your users. For example:
It's really important that you disclose all of this to your users.
Before you start using Firebase, you have to agree to Google's terms. There are several different legally-binding agreements, and they impose a lot of obligations on developers.
Here's an example, from the Google Analytics for Firebase Terms:
This section of the Google Analytics for Firebase Terms states that you must:
If legally required to do so, make "commercially reasonable efforts" to:
Furthermore, the Google Analytics for Firebase Use Terms requires the following information be disclosed:
Here's another example, from Firebase Crashlytics and App Distribution Terms:
Take a look at this section of the Google Play Developer Distribution Agreement:
For more information, see our information about Privacy Policies for Android apps.
Depending on where your users are based, you may have to comply with one or more of the following privacy laws:
Every major economy has privacy laws. Remember that you may have to comply with several of these laws if your app is available in multiple regions.
Our guide to privacy laws by country can help you out.
First, we'll cover the basic information required under Google's terms and under most privacy laws, including the California Online Privacy Protection Act (CalOPPA). Then there's some additional information you'll need to provide if you have users in the EU.
Below we've summarized how some popular Firebase services collect and use user data:
You will collect and use different types of data depending on which of these Google services you use.
Here's how Termius explains the types of data its app collects:
Later on, Termius explains how it uses this data. We've underlined the points that are most relevant to Firebase services:
You must disclose which Google/Firebase services you use.
You also need to identify each Firebase service that you employ in your app.
Note how KnowDrugs breaks down the individual Firebase services it uses and describes the data collected by each.
Here's another approach from Fika:
Fika operates a website and an app. It lists the first- and third-party cookies it uses in a separate Cookies Policy. Google Analytics for Firebase appears among a list of several service providers using third-party cookies.
If you use a targeted advertising service such as Google AdMob, you'll need to disclose the cookies you use for targeted advertising.
You should disclose how long you retain (store) user data, and/or how long Google and other companies retain user data on your behalf.
Google provides information about how long it retains different types of user data collected via various Firebase services in its document, Privacy and Security in Firebase.
You should let users know how long the various services you use will retain their data. This is a requirement under certain privacy laws and also a requirement of the Apple App Store Review Guidelines.
Here's an example from MealsUp:
Google requires that you notify your users about how to opt out of Google Analytics for Firebase.
Google provides some information about how to integrate opt-out controls in your Firebase app on its page, Configure Analytics Data Collection and Usage.
Here's an example of a Firebase opt-out mechanism from the "Privacy Settings" menu of The Guardian's mobile app:
Here's an example from Soloslides:
In addition to disclosing which Google services you use, you must also disclose how you share user data with any other third parties.
This is most likely to be relevant if you operate your app for business purposes, in which case you probably share personal information with third parties such as:
In each case, you should identify the type and/or the name of the third party with whom you share personal information, and also the reasons for which you share personal information with that third party.
Here's an example from Inne:
Note that if you have users in the UK or EU, you must provide a mechanism that allows your users to control their data.
For more information, see our article Eight User Rights Under the GDPR.
Here's an example from App in the Air:
Note that the first paragraph, which we've underlined, would be enough to comply with California's CalOPPA privacy law. The latter two paragraphs are included to comply with the EU GDPR.
Here's an example from First Light Games:
CalOPPA requires "operators of commercial websites" to disclose how they treat "Do Not Track" signals from browsers.
While mobile apps are considered "commercial websites" for the purposes of CalOPPA, this particular provision only applies if you operate a website alongside your Firebase app.
There are more rigorous requirements if you have users based in the EU, the UK, or the wider European Economic Area (EEA).
First, you should take a look at Google's EU User Consent Policy. It requires that you use Google's Consent SDK, or another similar mechanism, to obtain your users' consent before you place cookies on their device.
Here's an example of how such a consent request looks, from The Met Office app:
You need to put safeguards in place before transferring personal information out of the EU. Certain Firebase services transfer your users' data to Google's servers in the US. There is a safeguard in place for this, as Google participates in the EU-US Privacy Shield.
Here's an example from Incogny:
Here's an example from the account creation screen of the TikTok app:
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.