3

Google describes the rules for Firebase as:

You are required to notify your App Users by disclosing the following information:

  • The Google Analytics for Firebase features you have implemented.
  • How you and third-party vendors use first-party cookies, or other first-party identifiers, and third-party cookies and similar technologies, such as identifiers for mobile devices (including Android Advertising ID and Advertising Identifier for iOS), or other third-party identifiers, together.
  • How App Users can opt-out of the Google Analytics for Firebase features you use, including through applicable device settings, such as the device advertising settings for mobile apps, or any other available means.

I'm not sure how to read the last point. Does a developer that uses Firebase (especially one located in the EU) have a duty to provide every user with a way to opt out of Google Analytics?

1 Answer

2

These Google guidelines can just serve as a broad orientation for you. In the end, you are the data controller and have the obligation to comply with relevant regulations, e.g. the EU-GDPR. One important part of the GDPR is that you can only process personal data

  • if you have explicit and free consent from the affected user (Art. 6 (1) a), or
  • if you have a legitimate interest (Art. 6 (1) f)
  • (and a few other cases that don't generally apply).

Consent can be revoked. In fact, revoking consent must be as easy as giving it (Art. 7 (3)). Users must be informed about the possibility to revoke their consent when you ask them for consent. If you process data under Art. 6 (1) f, then users can opt out under Art. 21. They must be notified about this possibility at the first opportunity.

You therefore have a clear legal obligation to either implement a revokable opt-in solution or a simple opt-out solution for analytics within your app. This could be a simple toggle in your settings page, plus the relevant information during sign-up or first launch of your app.

The simplest way to conform to the GDPR is not to collect any personal data. Consider launching your app without analytics or third party services, and only implement such features after you have discussed this with legal counsel.

Note that until May 25th 2018, other rules continue to apply.

  • Is "Don't use our App if you don't want to be tracked" an opt-out solution?
    – Christian
    Commented Apr 13, 2018 at 16:23
  • @Christian I'm not certain … if you require users to consent to data processing that is not necessary for the functionality of your app's service, then that consent is invalid according to Art. 7 (4). Analytics are clearly not necessary. If you rely on your legitimate interest (Art. 6 (1) f) then I don't think there would be a restriction, but that is a much weaker legal basis and may imply extra documentation requirements. Please discuss this with a qualified lawyer.
    – amon
    Commented Apr 13, 2018 at 21:07
