iubenda blog


About Google’s “EU user consent policy”

🖋 This article has recently been posted/updated: September

When you use certain Google products, like Firebase, Google enforces its EU user consent policy. In this post we’ll look at the most important statements in this policy and the conclusions you should draw from them.

Google says “when using Google products that incorporate this policy, certain disclosures must be given to and consents obtained from end users in the European Union where EU data protection law requires such disclosures and consents”.

It means that you cannot provide the service unless you have properly informed your users about the data processing. If you employ cookies or device identifiers, you also cannot start tracking or using them before the user has given their consent.

There are various Google products that incorporate this policy, among them AdSense, Google Analytics Advertising Features and certain Firebase features. You’ll find the links here below:

Let’s look at an example for mobile apps with Firebase.

The Firebase example

Even if Google doesn’t provide an exact answer for what needs to be done, they provide a lot of guidance both in Firebase terms, and within their EU user consent policy pages. Regarding user disclosure, you get a couple of informative paragraphs:

You are required to notify your App Users by disclosing the following information:

  • The Google Analytics for Firebase features you have implemented.
  • How you and third-party vendors use first-party cookies, or other first-party identifiers, and third-party cookies and similar technologies, such as identifiers for mobile devices (including Android Advertising ID and Advertising Identifier for iOS), or other third-party identifiers, together.
  • How App Users can opt-out of the Google Analytics for Firebase features you use, including through applicable device settings, such as the device advertising settings for mobile apps, or any other available means.

This disclosure includes a description of your use of Firebase and the features you’ve applied. Most importantly though, you shouldn’t forget about the opt-outs.

Now, there are additional requests regarding European Union users:

For end users in the European Union:

  • You must use commercially reasonable efforts to disclose clearly, and obtain consent to, any data collection, sharing and usage that takes place on any site, app, email publication or other property as a consequence of your use of Google products; and
  • You must use commercially reasonable efforts to ensure that an end user is provided with clear and comprehensive information about, and consents to, the storing and accessing of cookies or other information on the end user’s device where such activity occurs in connection with a product to which this policy applies.


If the EU user consent policy applies to your website or app, two of the key things to consider are:

  • Do you have a means of obtaining consent from your end users? If not, you’ll need one.
  • What message should you present to your users to get consent?

In plain English this means that you should ask for consent before storing any cookies or device identifiers on the users’ devices.

Now to take this further, Google even provides some basics about what a message like that might look like in an app:

We use device identifiers to personalise content and ads, to provide social media features and to analyse our traffic. We also share such identifiers and other information from your device with our social media, advertising and analytics partners who may combine it with other information you’ve provided to them or they’ve collected from your use of their services. See details OK

You’re even provided some code samples for in-app notices!

Consent Notice Scripts for iOS and Android

 

Here are the scripts in full:

iOS script to output a “cookie notice”


// This code will work in iOS 2 and up
// (spoiler: you're not going to need anything below iOS 6).
// Tested in iOS 7 
// In your app's UIApplicationDelegate:

- (BOOL)application:(UIApplication *)application
    didFinishLaunchingWithOptions:(NSDictionary *)launchOptions {
  // (...) your existing launch code
  NSUserDefaults *defaults = [NSUserDefaults standardUserDefaults];
  // Show the notice until the user has closed it once.
  if (![defaults boolForKey:@"termsAccepted"]) {
    NSString *message =
      @"Your message for visitors here";
    // Note: UIAlertView is deprecated as of iOS 9; newer code uses UIAlertController.
    UIAlertView *alert =
      [[UIAlertView alloc] initWithTitle:@"Cookies"
                                 message:message
                                delegate:self
                       cancelButtonTitle:nil
                       otherButtonTitles:@"Close message", nil];
    [alert show];
  }
  return YES;
}


// Elsewhere in the file:

- (void)alertView:(UIAlertView *)alertView
    clickedButtonAtIndex:(NSInteger)buttonIndex {
  NSUserDefaults *defaults = [NSUserDefaults standardUserDefaults];
  [defaults setBool:YES forKey:@"termsAccepted"];
  [defaults synchronize];
}

Android script to output a “cookie notice”


// This code works on Android API level 1 (Android 1.0) and up.
// Tested on the latest (at the moment) API level 19 (Android 4.4 KitKat).
// In the main activity of your app:


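import android.app.Activity;
import android.app.AlertDialog;
import android.content.DialogInterface;
import android.content.SharedPreferences;

public class MainActivity extends Activity {

  // (...) the rest of your activity

  @Override
  public void onStart() {
    super.onStart();
    final SharedPreferences settings =
        getSharedPreferences("localPreferences", MODE_PRIVATE);
    // Show the notice until the user has closed it once.
    if (settings.getBoolean("isFirstRun", true)) {
      new AlertDialog.Builder(this)
        .setTitle("Cookies")
        .setMessage("Your message for visitors here")
        .setNeutralButton("Close message", new DialogInterface.OnClickListener() {
          @Override
          public void onClick(DialogInterface dialog, int which) {
            // Remember that the notice was closed so it is not shown again.
            settings.edit().putBoolean("isFirstRun", false).commit();
          }
        }).show();
    }
  }
}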

More about the legal background

When it comes to legal theory, this is what the European think tank on privacy says in “Opinion 02/2013 on apps on smart devices” [WP29]. In short, it is

“important to note the distinction between the consent required to place any information on and read information from the device, and the consent necessary to have a legal ground for the processing of different types of personal data. Though both consent requirements are simultaneously applicable, each based on a different legal basis, they are both subject to the conditions of having to be free, specific and informed (as defined in Article 2(h) of the Data Protection Directive). Therefore, the two types of consent can be merged in practice, either during installation or before the app starts to collect personal data from the device, provided that the user is made unambiguously aware of what he is consenting to”

After reading all of the above, here are some rules of thumb:

  • make sure you inform users about your privacy practices within the app, on the Play Store and also on your marketing site
  • disruptive identifiers need to be blocked until the notice has been accepted, and opt-outs need to be pointed out
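
The notice scripts above only record that the message was closed; they do not block anything until then. As an added example (not Google’s or iubenda’s code), here is one way to keep Google Analytics for Firebase collection off until the user explicitly accepts, with a path for opting out later. The class name and preference keys are hypothetical, and it assumes the manifest disables collection by default.

```java
// Added example. Assumes the Firebase Analytics SDK is a dependency and that
// AndroidManifest.xml contains, inside <application>:
//   <meta-data android:name="firebase_analytics_collection_enabled"
//              android:value="false" />
// so nothing is collected before the user has answered the notice.
import android.app.Activity;
import android.app.AlertDialog;
import android.content.SharedPreferences;
import com.google.firebase.analytics.FirebaseAnalytics;

public class ConsentGateActivity extends Activity {       // hypothetical name
  private static final String PREFS = "consentPrefs";          // hypothetical key
  private static final String KEY_ANSWERED = "consentAnswered"; // hypothetical key
  private static final String KEY_GRANTED = "consentGranted";   // hypothetical key

  @Override
  public void onStart() {
    super.onStart();
    SharedPreferences prefs = getSharedPreferences(PREFS, MODE_PRIVATE);
    if (prefs.getBoolean(KEY_ANSWERED, false)) {
      // The user already answered: re-apply the stored choice.
      applyConsent(prefs.getBoolean(KEY_GRANTED, false));
      return;
    }
    new AlertDialog.Builder(this)
        .setTitle("Your privacy")
        .setMessage("Your message for visitors here")
        .setCancelable(false) // dismissing the dialog must not count as consent
        .setPositiveButton("Accept", (dialog, which) -> recordChoice(true))
        .setNegativeButton("Decline", (dialog, which) -> recordChoice(false))
        .show();
  }

  // Also call this from a settings screen so users can opt out later.
  void recordChoice(boolean granted) {
    getSharedPreferences(PREFS, MODE_PRIVATE).edit()
        .putBoolean(KEY_ANSWERED, true)
        .putBoolean(KEY_GRANTED, granted)
        .apply();
    applyConsent(granted);
  }

  private void applyConsent(boolean granted) {
    // Collection is enabled only after an explicit "Accept".
    FirebaseAnalytics.getInstance(this).setAnalyticsCollectionEnabled(granted);
  }
}
```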

 

iubenda helps you with the generation of your privacy policy and a fully fledged cookie management system called Cookie Solution.
