Firebase analytics and the consent dialog

Question

I have a simple application in the play store that doesn’t have access to the users personal information (uses only bluetooth and network).

I have been considering using the Firebase analytics to get some insights how people use the app and where I can improve. However I have a serious problem with understanding all the legal obligations that would involve. From what I gather, I would need a privacy policy, which is not a problem. But from what I can see Firebase Analytics Policy I would need to comply with European Union User Consent Policy.

So as I understand the app would need to display some form of a dialog where the user would agree or not for the data collection. The issue is, I’m afraid most of the people would say no, which is they right. But I’m asking if I really need to do this, because I don’t think I have ever seen a single app asking me for this sort of agreement (while I can see many websites doing that).

Answer 1

Even if Google doesn't provide an exact answer for what needs to be done, they provided a lot of guidance both in Firebase terms, and within their EU user consent policy pages.

You are required to notify your App Users by disclosing the following information:

• The Google Analytics for Firebase features you have implemented.
• How you and third-party vendors use first-party cookies, or other first-party identifiers, and third-party cookies and similar technologies, such as identifiers for mobile devices (including Android Advertising ID and Advertising Identifier for iOS), or other third-party identifiers, together.
• How App Users can opt-out of the Google Analytics for Firebase features you use, including through applicable device settings, such as the device advertising settings for mobile apps, or any other available means.

--> most importantly don't forget about the opt-outs.

For end users in the European Union:

• You must use commercially reasonable efforts to disclose clearly, and obtain consent to, any data collection, sharing and usage that takes place on any site, app, email publication or other property as a consequence of your use of Google products; and
• You must use commercially reasonable efforts to ensure that an end user is provided with clear and comprehensive information about, and consents to, the storing and accessing of cookies or other information on the end user’s device where such activity occurs in connection with a product to which this policy applies.

&

If the EU user consent policy applies to your website or app, two of the key things to consider are:

• Do you have a means of obtaining consent from your end users? If not, you’ll need one.
• What message should you present to your users to get consent?

--> obtain consent

Now, Google even provides some basics about how a message like that might look like in an app and how a notice code would work:

We use device identifiers to personalise content and ads, to provide social media features and to analyse our traffic. We also share such identifiers and other information from your device with our social media, advertising and analytics partners who may combine it with other information you’ve provided to them or they’ve collected from your use of their services. See details OK

// This code works on Android API level 1 (Android 1.0) and up.
// Tested on the latest (at the moment) API level 19 (Android 4.4 KitKat).
// In the main activity of your app:

public class MainActivity extends Activity {

  (...)

  @Override
  public void onStart() {
    super.onStart();
    final SharedPreferences settings =
        getSharedPreferences("localPreferences", MODE_PRIVATE);
    if (settings.getBoolean("isFirstRun", true)) {
      new AlertDialog.Builder(this)
        .setTitle("Cookies")
        .setMessage("Your message for visitors here")
        .setNeutralButton("Close message", new OnClickListener() {
          @Override
          public void onClick(DialogInterface dialog, int which) {
            settings.edit().putBoolean("isFirstRun", false).commit();
          }
        }).show();
    }
  }
}

When it comes to legal theory, this is what the European think tank on privacy says in “Opinion 02/2013 on apps on smart devices” [WP29]. In short, it is

“important to note the distinction between the consent required to place any information on and read information from the device, and the consent necessary to have a legal ground for the processing of different types of personal data. Though both consent requirements are simultaneously applicable, each based on a different legal basis, they are both subject to the conditions of having to be free, specific and informed (as defined in Article 2(h) of the Data Protection Directive). Therefore, the two types of consent can be merged in practice, either during installation or before the app starts to collect personal data from the device, provided that the user is made unambiguously aware of what he is consenting to”

It's not impossible, though since I work on these topics daily at iubenda (we've recently finished all integrations regarding Firebase), I understand that it might look overwhelming at first.

Here are some rules of thumb:

• make sure you inform about the privacy practices within the app, on the Play Store and also on your marketing site
• disruptive identifiers need to be blocked until the notice has been accepted, opt-outs need to be pointed out

p.s. next time you'll probably want to go ask on Law or UI in the StackExchange network, since this is only related with the programming part quite marginally. If this is interesting to you, you might like to follow iubenda along on our journey to make these tasks easier for devs like you and me :)