- 1. The Basics of Firebase
- 2. Privacy Policies and Firebase
- 2.1. APIs Terms of Service
- 2.2. Google Analytics for Firebase Terms of Service
- 2.3. Applicable Law
- 3.1. Declaration of Data Collection
- 3.2. Data Collected Through the App
- 3.3. Your Reason for Collecting Data
- 3.4. Your Method of Collecting Data
- 3.5. Data Usage Purposes
- 3.6. Opting Out of Marketing
- 3.7. Contact Details
- 4.1. Use of Analytics
- 4.2. Cookies
- 4.3. Opting Out
- 6.1. Website Footer
- 6.2. App Download Page
- 6.3. Account Registration Page
- 6.4. Pop-up Website Banner
- 7. Conclusion
In Article 4 of the EU's General Data Protection Regulation (GDPR), personal data is broadly defined as any data that can identify a person or their household.
There's no exhaustive list of what counts as personal data, but it includes:
- Home addresses
- Email addresses
- IP addresses
- Employment information
Essentially, Privacy Policies strike a balance between:
- The rights of individuals to have more control over their personal information, and
- The need for businesses to gather data to provide goods and services
The Basics of Firebase
Firebase is a one-stop-shop for designing, building, and growing mobile apps. Through Firebase, you can create a fully-functional mobile app without stressing over time-consuming developer issues, such as coding and building an entire program from scratch.
Basically, once you've built the app, Firebase handles your:
- Push messaging
- File storage
- Database configuration
And so on.
Privacy Policies and Firebase
To sign up with Firebase and use its features, you must agree to its Terms of Service. Let's check out Firebase's position on Privacy Policies.
APIs Terms of Service
If you're using Google APIs, you must comply with Section 3(d) of the API Terms of Service. This clause sets out that you must:
- Abide by any relevant privacy laws
- Tell users what data you collect, why you collect it, how you use it, and if you share it with third parties, including Google
Google Analytics for Firebase Terms of Service
For any other app development other than APIs, including turning on Google Analytics, you should look at Section 7 of the Google Analytics For Firebase Terms of Service. This is more comprehensive than the clause above and it places various obligations on you as the app designer.
The important parts are:
- You should take reasonable steps to get informed consent to personal data processing, and
- You should not share personal data with Google
Which laws, though?
The applicable laws depend on your intended jurisdiction, but the main laws you should know about are the:
- Australian Privacy Act (APA, Australia)
- General Data Protection Regulation (GDPR, European Union/EU)
- Personal Information and Electronic Documents Act (PIPEDA, Canada)
- California Consumer Privacy Act (CCPA, California, USA)
- California Online Privacy Protection Act (CalOPPA, California, USA)
The good news is that the rights and obligations are broadly the same across all these laws. When it comes to personal data, individuals have the right to know:
- What personal data you're collecting
- Why you're collecting it
- How you collect it
- What you plan on doing with the data
- How they can opt-out of non-essential data sharing
- Where they can find out more information about their privacy rights i.e. how to contact you
Most apps don't need overly long Privacy Policies. What's more important is that they're clear, concise, and easy for users to understand. This is in line with the overriding principles of data privacy law - informing people of their rights.
Declaration of Data Collection
Inform users that you intend to collect their personal data. This applies even if you're collecting data for essential purposes, such as fulfilling an order or processing payment.
Here's a very simple clause from Atlassian. As you can see, you only need a short declaration of intent:
Takeaway: Tell users that you wish to collect information about them before taking it.
Data Collected Through the App
Next, you should explain what data you collect and when. In other words, you should tell users that you're collecting personal data or personally identifiable information and set out specifically when you collect it.
Twitch, a Firebase user, breaks these details into various short paragraphs. This makes it easier for readers to scan the clauses and quickly gather the information they're looking for. Here's how Twitch describes collecting "user-provided" data:
By using the phrase "such as," the company ensures that it doesn't need to list every single type of user-identified information possible. This protects the company in the future.
Takeaway: Be transparent about what data you gather.
Your Reason for Collecting Data
It's not enough to say you're collecting data. You must justify why the data is necessary. Why? Because you should only ever ask for the minimum amount of data to complete a task. For example, you shouldn't ask for a home address to send out an email newsletter.
Takeaway: List clear reasons why you need the information you're collecting.
Your Method of Collecting Data
Users have a right to know what technology you use to gather their identifiable information. The good news is that this clause doesn't have to be overly specific. It just needs to provide a clear answer to the question, "How do you get my data in the first place?"
Takeaway: Explain what methods you use to gather information, without being too specific and limiting yourself at a future date.
Data Usage Purposes
Be transparent and clear about what you plan on doing with a user's personal information. This includes if you intend to share the information with third parties. Users should understand exactly what will happen to their information once it's in your possession.
Below is an example from Twitch. The company clearly communicates how it uses the data it receives, and it helpfully offers users a way to revoke their consent in the future:
Takeaway: Set out how you use the data given to you, and explain how users can change their consent settings.
Opting Out of Marketing
You can't force any user to accept marketing communications. Every user has the right to opt out of anything other than essential contact with your company. You must set this out clearly so there's no doubt about a user's rights.
Here's how Atlassian phrases this clause. It doesn't promise that the user will never hear from the company again. Only that they won't get certain marketing communications:
Takeaway: Allow users to opt out of marketing as easily as possible and inform them how to do so.
Here is a contact information clause from Twitch that addresses its EU customers by providing contact information for its EU representative:
Takeaway: Provide up-to-date contact details.
App designers typically want to collect analytical data about their users. To comply with the Google Analytics for Firebase Use Policy, you need three more specific clauses explaining:
- Which analytics features you use;
- Your cookie usage; and
- How users can opt-out of analytics
Let's take a look at each requirement individually.
Use of Analytics
You must highlight that you use Google Analytics for Firebase, and why. It's also important that you set out what type of data you collect, such as cookies or other personally identifiable information.
Twitch complies with Firebase's policy of distinguishing between "first-party" (Twitch) and "third-party" (external domain) cookies. First, it sets out how cookies are used to capture data when users visit the website. It's then explained that third-party cookies are used for analytics purposes:
Takeaway: Be clear about the cookies you use, and why.
As with the previous opt-out clause, you must explain that users can opt out of analytics and other unnecessary tracking. You only need to tell users that they can opt out using their own mobile device settings. There's no need to list the steps, as we can see from the clause from Black Box Puzzles.
- Answer the questions related to your entity type and location.
- Answer the questions relating to what type of information you collect from your users.
App Download Page
Account Registration Page
Pop-up Website Banner
- What data you collect
- Why you're collecting it
- How you'll use this information
- What technology you use to collect the data
- The cookies and analytics technology you use
- How users can opt out of all non-essential activities
- Where users can go for more advice or information