Privacy Policy for Firebase

Google's Firebase is a great tool for building mobile apps, but you can't use the platform if you don't draft a Privacy Policy. There's a simple reason for this: If there's any chance that your app will capture personal data from its users, then you must comply with various regulations and laws.

We'll explain why this is and what you need to do to comply, and show you some examples of the clauses you'll need in your Privacy Policy for Firebase (and legal) compliance.

In Article 4 of the EU's General Data Protection Regulation (GDPR), personal data is broadly defined as any data that can identify a person or their household.

There's no exhaustive list of what counts as personal data, but it includes:

  • Names
  • Home addresses
  • Email addresses
  • IP addresses
  • Biodata
  • Employment information

Since most apps will collect at least some personal data from users, it's important that you draft and publish a Privacy Policy that users can view before they download anything. But why is personal data such a big deal, and what function do Privacy Policies serve?

Essentially, Privacy Policies strike a balance between:

  • The rights of individuals to have more control over their personal information, and
  • The need for businesses to gather data to provide goods and services

A Privacy Policy lets consumers or individuals use apps without worrying about who has access to their personal details.

Unsurprisingly, most if not all developer platforms will expect you to draft a Privacy Policy if you plan on accessing their services.

The Basics of Firebase

Firebase is a one-stop-shop for designing, building, and growing mobile apps. Through Firebase, you can create a fully-functional mobile app without stressing over time-consuming developer issues, such as coding and building an entire program from scratch.

Basically, once you've built the app, Firebase handles your:

  • Push messaging
  • File storage
  • Analytics
  • Database configuration
  • Security

And so on.

These services are all managed by Google through the cloud, so all you need to worry about is growing and promoting your app to a wider audience. You can build and publish an app fast, but not without a Privacy Policy, of course.

Privacy Policies and Firebase

To sign up with Firebase and use its features, you must agree to its Terms of Service. Let's check out Firebase's position on Privacy Policies.

APIs Terms of Service

If you're using Google APIs, you must comply with Section 3(d) of the API Terms of Service. This clause sets out that you must:

  • Abide by any relevant privacy laws
  • Provide a Privacy Policy
  • Tell users what data you collect, why you collect it, how you use it, and if you share it with third parties, including Google

Google APIs Terms of Service: User Privacy and API Clients

Google Analytics for Firebase Terms of Service

For any app development other than APIs, including turning on Google Analytics, you should look at Section 7 of the Google Analytics for Firebase Terms of Service. This is more comprehensive than the clause above, and it places various obligations on you as the app designer.

The important parts are:

  • You must have a legally compliant Privacy Policy
  • You need to post this Privacy Policy somewhere that users can find it
  • You should take reasonable steps to get informed consent to personal data processing, and
  • You should not share personal data with Google

Google Analytics for Firebase Terms of Service: Privacy clause

What we know so far is that Firebase requires you to draft and publish a Privacy Policy if you plan on collecting personal data through your app, including for analytics purposes. You must also abide by any applicable laws when drafting this Policy.

Which laws, though?

Applicable Law

The applicable laws depend on your intended jurisdiction, but the main laws you should know about are the:

  • Australian Privacy Act (APA, Australia)
  • General Data Protection Regulation (GDPR, European Union/EU)
  • Personal Information and Electronic Documents Act (PIPEDA, Canada)
  • California Consumer Privacy Act (CCPA, California, USA) as expanded by the CPRA
  • California Online Privacy Protection Act (CalOPPA, California, USA)

The good news is that the rights and obligations are broadly the same across all these laws. When it comes to personal data, individuals have the right to know:

  • What personal data you're collecting
  • Why you're collecting it
  • How you collect it
  • What you plan on doing with the data
  • How they can opt out of non-essential data sharing
  • Where they can find out more information about their privacy rights, i.e. how to contact you

So, what should you include in a Privacy Policy? Let's first go over the requirements of a basic Privacy Policy and then look more closely at extra clauses you'll need for analytics purposes using Firebase.

General Privacy Policy Clauses to Include

Most apps don't need overly long Privacy Policies. What's more important is that they're clear, concise, and easy for users to understand. This is in line with the overriding principles of data privacy law - informing people of their rights.

A basic Privacy Policy, then, should include clauses that address the rights listed above. If you do this, then you're complying with the various privacy laws and regulations around the world.

Declaration of Data Collection

Inform users that you intend to collect their personal data. This applies even if you're collecting data for essential purposes, such as fulfilling an order or processing payment.

Here's a very simple clause from Atlassian. As you can see, you only need a short declaration of intent:

Atlassian Privacy Policy: We collect information clause

Takeaway: Tell users that you wish to collect information about them before taking it.

Data Collected Through the App

Next, you should explain what data you collect and when. In other words, you should tell users that you're collecting personal data or personally identifiable information and set out specifically when you collect it.

Twitch, a Firebase user, breaks these details into various short paragraphs. This makes it easier for readers to scan the clauses and quickly gather the information they're looking for. Here's how Twitch describes collecting "user-provided" data:

Twitch Privacy Notice: Personal Information Twitch Collects About You clause

By using the phrase "such as," the company ensures that it doesn't need to list every single type of user-identified information possible. This protects the company in the future.

Takeaway: Be transparent about what data you gather.

Your Reason for Collecting Data

It's not enough to say you're collecting data. You must justify why the data is necessary. Why? Because you should only ever ask for the minimum amount of data to complete a task. For example, you shouldn't ask for a home address to send out an email newsletter.

Here's a great example from Arnold Clark, a vehicle dealership. Arnold Clark specifically sets out what data it collects, when it collects it, and even how long the data is retained for. These concise, brief paragraphs are a great template for your own Privacy Policy clause:

Arnold Clark Privacy Policy: Information we collect, why, and how we use it clause excerpt

Takeaway: List clear reasons why you need the information you're collecting.

Your Method of Collecting Data

Users have a right to know what technology you use to gather their identifiable information. The good news is that this clause doesn't have to be overly specific. It just needs to provide a clear answer to the question, "How do you get my data in the first place?"

Here's how NPR addresses this issue in its Privacy Policy. It doesn't describe in detail all the technologies used to capture data, but the description provided is sufficient:

NPR Privacy Policy: Information Collected Automatically Through Technology

Many websites use cookies to collect information from site users, and so cookies should always be addressed in a Privacy Policy. However, rather than going over cookies twice, we'll look at a few cookie clauses in relation to Firebase later.

Takeaway: Explain what methods you use to gather information, without being too specific and limiting yourself at a future date.

Data Usage Purposes

Be transparent and clear about what you plan on doing with a user's personal information. This includes if you intend to share the information with third parties. Users should understand exactly what will happen to their information once it's in your possession.

Below is an example from Twitch. The company clearly communicates how it uses the data it receives, and it helpfully offers users a way to revoke their consent in the future:

Twitch Privacy Notice: How Twitch Uses Personal Information clause excerpt

Takeaway: Set out how you use the data given to you, and explain how users can change their consent settings.

Opting Out of Marketing

You can't force any user to accept marketing communications. Every user has the right to opt out of anything other than essential contact with your company. You must set this out clearly so there's no doubt about a user's rights.

Here's how Atlassian phrases this clause. It doesn't promise that the user will never hear from the company again, only that they won't get certain marketing communications:

Atlassian Privacy Policy: Opt out of communications clause

Takeaway: Allow users to opt out of marketing as easily as possible and inform them how to do so.

Contact Details

You must make it simple for a user to contact you if they have any questions about your Privacy Policy or their rights, or if they want to amend the details you have on file. All you need is a simple clause with at least one, but preferably two, ways to contact you.

Here is a contact information clause from Twitch that addresses its EU customers by providing contact information for its EU representative:

Twitch Privacy Notice: Twitch Contact Information clause

Takeaway: Provide up-to-date contact details.

Additional Privacy Policy Clauses for Firebase

App designers typically want to collect analytical data about their users. To comply with the Google Analytics for Firebase Use Policy, you need three more specific clauses explaining:

  • Which analytics features you use;
  • Your cookie usage; and
  • How users can opt out of analytics

Google Analytics for Firebase Use Policy: Required notification clause

Let's take a look at each requirement individually.

Use of Analytics

You must highlight that you use Google Analytics for Firebase, and why. It's also important that you set out what type of data you collect, such as cookies or other personally identifiable information.

Here's an example from Black Box Puzzles. The company explains that it uses Google Analytics for Firebase and then lists the tools that may be used. Alongside providing a link to Google's Privacy Policy, it sets out how Google Analytics for Firebase may share data with other Firebase tools:

Black Box Puzzles Privacy Policy: Google Analytics for Firebase clause

Cookies

It's important that you set out how you use cookies for advertising or other purposes.

Cookies are small files that help "remember" user behavior, and so they often collect personal data. Be clear about how you use cookies for any purpose, whether it's for remembering login details, a shopping cart, or tracking user behavior.

Twitch complies with Firebase's policy of distinguishing between "first-party" (Twitch) and "third-party" (external domain) cookies. First, it sets out how cookies are used to capture data when users visit the website. It's then explained that third-party cookies are used for analytics purposes:

Twitch Privacy Notice: Automatically Collected Information clause with cookies information highlighted

Takeaway: Be clear about the cookies you use, and why.

Opting Out

As with the previous opt-out clause, you must explain that users can opt out of analytics and other unnecessary tracking. You only need to tell users that they can opt out using their own mobile device settings. There's no need to list the steps, as we can see from the clause from Black Box Puzzles.

How to Create a Privacy Policy for Your Website

Need a Privacy Policy? Our Privacy Policy Generator will help you create a custom policy that you can use on your website and mobile app. Just follow these few easy steps:

  1. Click on "Start creating your Privacy Policy" on our website.
  2. Select the platforms where your Privacy Policy will be used and go to the next step.

     PrivacyPolicies.com: Privacy Policy Generator - Select platforms - Step 1

  3. Add information about your business: your website and/or app.

     PrivacyPolicies.com: Privacy Policy Generator - Add your business info - Step 2

  4. Select the country:

     PrivacyPolicies.com: Privacy Policy Generator - Add your business info - Step 2

  5. Answer the questions from our wizard relating to what type of information you collect from your users.

     PrivacyPolicies.com: Privacy Policy Generator - Answer questions from our wizard - Step 3

  6. Enter your email address where you'd like your Privacy Policy sent and click "Generate".

     PrivacyPolicies.com: Privacy Policy Generator - Enter your email address - Step 4

And you're done! Now you can copy or link to your hosted Privacy Policy.

Now you have a basic Privacy Policy for Firebase. So, where do you place it?

Displaying Your Privacy Policy for Firebase

After you create your Privacy Policy, you must display it somewhere that's easily accessible to your users. And you should always get your users to consent to your Policy.

Here are the four main places where you might put links to your Privacy Policy.

Website Footer

By placing a link to your Privacy Policy in your website's footer, users can peruse it whenever they want. It's easily accessible from each page.

Here's what the Atlassian footer looks like with its Privacy Policy linked with other legal agreements and important information:

Atlassian website footer with Privacy Policy highlighted

App Download Page

You should always give users a chance to view and consent to your Privacy Policy before they download your app. You can use a checkbox or ask users to acknowledge that they've read the notice.

This is Snapchat's download page with its Privacy Policy linked:

Snapchat Send Download Link form with Privacy Policy highlighted

Account Registration Page

Ensure that users have a chance to read your Privacy Policy and agree to it before signing up for an account with you.

This is what Myprotein's account registration page looks like, linking to the Privacy Policy and making it clear that by clicking the continue button, the user will be agreeing to the Policy:

Myprotein Create Account form: Continue button with Privacy Policy highlighted

Pop-up Website Banner

The moment someone lands on your website for the first time you can show them a banner that directs them to your Privacy Policy. That way, you can assume that people using your app or website consent to your terms.

You can include your Privacy Policy link in your cookie consent notice, as seen below from Shopify:

Shopify cookies consent notice

Conclusion

To use Firebase and design apps through the platform, you must write and publish a Privacy Policy that complies with international privacy regulations and data protection standards.

At a minimum, your Privacy Policy must cover:

  • What data you collect
  • Why you're collecting it
  • How you'll use this information
  • What technology you use to collect the data
  • The cookies and analytics technology you use
  • How users can opt out of all non-essential activities
  • Where users can go for more advice or information

You must acknowledge that you use Google Analytics for Firebase if this is something you plan on using, and you must clearly display your Privacy Policy somewhere prominent so that users can view it before giving you their data. This is the only way to ensure their consent is voluntary, which is how to comply with Firebase's terms.