Post-graduate law degree, CIPP/E from the International Association of Privacy Professionals (IAPP). Privacy and Data Protection Research Writer at TermsFeed.
Google Firebase is a valuable tool for developing mobile apps. But Firebase allows Google to collect your users' data in a variety of ways, and you are legally obliged to make your users aware of this.
Several Firebase products collect personal information from your users. For example:
- Account information
- Information about a user's device
- Android Ad ID or Apple Identifier for Advertisers (IDFA)
- App usage data
- Any other personal information you request via your app (e.g. location, name, email address)
It's really important that you disclose all of this to your users.
Before you start using Firebase, you have to agree to Google's terms. There are several different legally-binding agreements, and they impose a lot of obligations on developers.
Here's an example, from the Google Analytics for Firebase Terms:
This section of the Google Analytics for Firebase Terms states that you must:
- Abide by all relevant privacy laws
- Disclose that you use Google Analytics for Firebase
If legally required to do so, make "commercially reasonable efforts" to:
- Ensure your users are provided with information about cookies
Furthermore, the Google Analytics for Firebase Use Terms requires the following information be disclosed:
- Which Google Analytics for Firebase features you use
- How you use first and third-party cookies and identifiers
- How your users can opt out of analytics
Here's another example, from Firebase Crashlytics and App Distribution Terms:
- That is accessible from within your app
- That describes what data your app collects
- How you share data with Google and other third parties
- How your app tracks your users' activity and collects their information
Take a look at this section of the Google Play Developer Distribution Agreement:
For more information, see our information about Privacy Policies for Android apps.
- Identify what data your app collects, and explain how and why your app collects that data
- Confirm that any third parties with whom you share data have adequate privacy protections in place
- Explain how you retain and delete user data
- Explain how your users can withdraw consent for your collection of their data, or request that you delete their data
Depending on where your users are based, you may have to comply with one or more of the following privacy laws:
- European Union: The General Data Protection Regulation (GDPR) applies to all app developers. The GDPR is a particularly strict and extensive law. Because of the way Firebase collects and uses data, there are some additional requirements for developers with users in the EU.
- United Kingdom: The UK continues to follow EU privacy law, and so developers with users in the UK will need to comply with the GDPR.
- Canada: The Personal Information Protection and Electronic Documents Act (PIPEDA) applies to all private sector businesses, of any size.
Every major economy has privacy laws. Remember that you may have to comply with several of these laws if your app is available in multiple regions.
Our guide to privacy laws by country can help you out.
First, we'll cover the basic information required under Google's terms and under most privacy laws, including the California Online Privacy Protection Act (CalOPPA). Then there's some additional information you'll need to provide if you have users in the EU.
Your Collection and Use of User Data
Below we've summarized how some popular Firebase services collect and use user data:
- Cloud Functions for Firebase: Collects a user's IP address for event-handling and HTTP functions
- Firebase Authentication: Can collect a user's password, email address, phone number, user agent, and IP address for authentication purposes
- Firebase Cloud Messaging: Collects Instance IDs to determine which device to send a message to
- Firebase Crash Reporting: Collects crash traces and instance IDs for diagnostic purposes
- Firebase Crashlytics: The latest version collects a user's installation UUID and IP address; older versions collect other types of data (more information here)
- Firebase Dynamic Links: Collects an iOS user's device specs to open apps to a specific web page
- Firebase Hosting: Collects IP addresses for security and diagnostic purposes
- Firebase Performance Monitoring: Collects a user's instance ID and IP address to monitor resource access and map performance events
- Firebase Predictions: Collects instance IDs to help predict customer-specified events
- Firebase Realtime Database: Collects a user's IP address and user agent to identify usage trends
- Firebase Remote Config: Collects instance IDs for saving user-specific settings
- Google Analytics for Firebase: Can collect a user's mobile ad ID, IDfV ID (iOS) or Android ID, instance ID, and Analytics app instance ID for analytics purposes
- ML Kit for Firebase: Can collect a user's uploaded images and instance ID for use with Vision API
You will collect and use different types of data depending on which of these Google services you use.
Here's how Termius explains the types of data its app collects:
Later on, Termius explains how it uses this data. We've underlined the points that are most relevant to Firebase services:
Your Use of Google Services
You must disclose which Google/Firebase services you use.
You also need to identify each Firebase service that you employ in your app.
Note how KnowDrugs breaks down the individual Firebase services it uses and describes the data collected by each.
Here's another approach from Fika:
Fika operates a website and an app. It lists the first- and third-party cookies it uses in a separate Cookies Policy. Google Analytics for Firebase appears among a list of several service providers using third-party cookies.
If you use a targeted advertising service such as Google AdMob, you'll need to disclose the cookies you use for targeted advertising.
Your Retention of User Data
You should disclose how long you retain (store) user data, and/or how long Google and other companies retain user data on your behalf.
Google provides information about how long it retains different types of user data collected via various Firebase services in its document, Privacy and Security in Firebase.
You should let users know how long the various services you use will retain their data. This is a requirement under certain privacy laws and also a requirement of the Apple App Store Review Guidelines.
Here's an example from MealsUp:
How to Opt Out of Google Analytics for Firebase
Google requires that you notify your users about how to opt out of Google Analytics for Firebase.
Google provides some information about how to integrate opt-out controls in your Firebase app on its page, Configure Analytics Data Collection and Usage.
Here's an example of a Firebase opt-out mechanism from the "Privacy Settings" menu of The Guardian's mobile app:
Here's an example from Soloslides:
How You Share Data
In addition to disclosing which Google services you use, you must also disclose how you share user data with any other third parties.
This is most likely to be relevant if you operate your app for business purposes, in which case you probably share personal information with third parties such as:
- Payment processors
- Marketing companies
- Shipping companies
In each case, you should identify the type and/or the name of the third party with whom you share personal information, and also the reasons for which you share personal information with that third party.
Here's an example from Inne:
How to Access, Modify, or Delete Data
Note that if you have users in the UK or EU, you must provide a mechanism that allows your users to control their data.
For more information, see our article Eight User Rights Under the GDPR.
Here's an example from App in the Air:
Note that the first paragraph, which we've underlined, would be enough to comply with California's CalOPPA privacy law. The latter two paragraphs are included to comply with the EU GDPR.
Here's an example from First Light Games:
"Do Not Track" Signals
CalOPPA requires "operators of commercial websites" to disclose how they treat "Do Not Track" signals from browsers.
While mobile apps are considered "commercial websites" for the purposes of CalOPPA, this particular provision only applies if you operate a website alongside your Firebase app.
Other Requirements for Apps With EU Users
There are more rigorous requirements if you have users based in the EU, the UK, or the wider European Economic Area (EEA).
First, you should take a look at Google's EU User Consent Policy. This requires that you use Google's Consent SDK, or another similar mechanism, to obtain the consent of your users before you can place cookies on their device.
Here's an example of how such a consent request looks, from The Met Office app:
- Contact details for the "data controller" (you/your business)
- Your lawful basis for processing personal information
- Information about your users' rights under the GDPR
- Contact details for your Data Protection Authority and notification of the right to make a complaint
- The relevant safeguards you use in order to transfer personal information to countries outside of the EU
You need to put safeguards in place to transfer personal information out of the EU. Certain Firebase services transfer your users' data to Google's servers in the US. The Privacy Shield Framework used to be an acceptable method for transfers of data. However, it was invalidated and has since been replaced by the EU-U.S. Data Privacy Framework.
- When setting up the app
- When creating an account
- Within your "Settings" or "About" menu
- When collecting personal information, e.g. when requesting an email address or taking payments
Here's an example from the account creation screen of the TikTok app:
- How and why you collect user data, and what user data you collect
- Which Google services you use
- How long you retain user data
- How to opt out of Google Analytics for Firebase
- How you share data with other third parties in addition to Google
- How users can access, modify, or delete their data
- How your website responds to "Do Not Track" signals (if applicable)