Requirement for an Android App that uses Firebase Google Analytics to provide the user with an opportunity to opt out

google

Google describes the rules for Firebase as:

You are required to notify your App Users by disclosing the following information:

  • The Google Analytics for Firebase features you have implemented.
  • How you and third-party vendors use first-party cookies, or other first-party identifiers, and third-party cookies and similar technologies, such as identifiers for mobile devices (including Android Advertising ID and Advertising Identifier for iOS), or other third-party identifiers, together.
  • How App Users can opt-out of the Google Analytics for Firebase features you use, including through applicable device settings, such as the device advertising settings for mobile apps, or any other available means.

I'm not sure how to read the last point. Does a developer that uses Firebase (especially one located in the EU) have a duty to provide every user with a way to opt out of Google Analytics?

Best Answer

These Google guidelines can just serve as a broad orientation for you. In the end, you are the data controller and have the obligation to comply with relevant regulations, e.g. the EU-GDPR. One important part of the GDPR is that you can only process personal data

  • if you have explicit and free consent from the affected user (Art. 6 (1) a), or
  • if you have a legitimate interest (Art. 6 (1) f)
  • (and a few other cases that don't generally apply).

Consent can be revoked. In fact, revoking consent must be as easy as giving it (Art. 7 (3)). Users must be informed about the possibility to revoke their consent when you ask them for consent. If you process data under Art. 6 (1) f, then users can opt out under Art. 21. They must be notified about this possibility at the first opportunity.

You therefore have a clear legal obligation to either implement a revocable opt-in solution or a simple opt-out solution for analytics within your app. This could be a simple toggle in your settings page, plus the relevant information during sign-up or first launch of your app.

The simplest way to conform to the GDPR is not to collect any personal data. Consider launching your app without analytics or third-party services, and only implement such features after you have discussed this with legal counsel.

Note that until May 25th 2018, other rules continue to apply.