When you use certain Google products, like Firebase, Google enforces their EU user consent policy. In this post we’ll look into the most important statements under this policy and the connections you have to make in your mind.
Google says “when using Google products that incorporate this policy, certain disclosures must be given to and consents obtained from end users in the European Union where EU data protection law requires such disclosures and consents”.
It means that you cannot provide the service unless you have properly informed your users about the data processing and if you employ cookies or device identifiers, respectively, you can not start tracking or using these before the user has given their consent.
There are various Google products that incorporate this policy, among them AdSense, Google Analytics Advertising Features and certain Firebase features. You’ll find the links here below:
- Google Adsense EU User Consent Policy
- Google Analytics Advertising Features EU User Consent Policy
- Google Analytics for Firebase EU User Consent Policy
Let’s look at an example for mobile apps with Firebase.
The Firebase example
Even if Google doesn’t provide an exact answer for what needs to be done, they provide a lot of guidance both in Firebase terms, and within their EU user consent policy pages. Regarding user disclosure, you get a couple of informative paragraphs:
You are required to notify your App Users by disclosing the following information:
- The Google Analytics for Firebase features you have implemented.
- How you and third-party vendors use first-party cookies, or other first-party identifiers, and third-party cookies and similar technologies, such as identifiers for mobile devices (including Android Advertising ID and Advertising Identifier for iOS), or other third-party identifiers, together.
- How App Users can opt-out of the Google Analytics for Firebase features you use, including through applicable device settings, such as the device advertising settings for mobile apps, or any other available means.
It includes a description of your use of Firebase and the features you’ve applied. Most importantly though, you shouldn’t forget about the opt-outs.
Now, there are additional request regarding European Union users:
For end users in the European Union:
- You must use commercially reasonable efforts to disclose clearly, and obtain consent to, any data collection, sharing and usage that takes place on any site, app, email publication or other property as a consequence of your use of Google products; and
- You must use commercially reasonable efforts to ensure that an end user is provided with clear and comprehensive information about, and consents to, the storing and accessing of cookies or other information on the end user’s device where such activity occurs in connection with a product to which this policy applies.
&
If the EU user consent policy applies to your website or app, two of the key things to consider are:
- Do you have a means of obtaining consent from your end users? If not, you’ll need one.
- What message should you present to your users to get consent?
In plain English this means that you should ask for consent before storing any cookies or device identifiers on the users’ devices.
Now to take this further, Google even provides some basics about how a message like that might look like in an app:
We use device identifiers to personalise content and ads, to provide social media features and to analyse our traffic. We also share such identifiers and other information from your device with our social media, advertising and analytics partners who may combine it with other information you’ve provided to them or they’ve collected from your use of their services. See details OK
You’re even provided some code samples for in-app notices!
Consent Notice Scripts for iOS and Android
Here are the scripts in full:
iOS script to output a “cookie notice”
// This code will work in iOS 2 and up
// (spoiler: you're not going to need anything below iOS 6).
// Tested in iOS 7
// In your app's UIApplicationDelegate:
- (BOOL)application:(UIApplication *)application
didFinishLaunchingWithOptions:(NSDictionary *)launchOptions {
(...)
NSUserDefaults *defaults = [NSUserDefaults standardUserDefaults];
if (![defaults boolForKey:@"termsAccepted"]) {
NSString *message =
@"Your message for visitors here";
UIAlertView *alert =
[[UIAlertView alloc] initWithTitle:@"Cookies"
message:message
delegate:self
cancelButtonTitle:nil
otherButtonTitles:@"Close message", nil];
[alert show];
}
}
// Elsewhere in the file:
- (void)alertView:(UIAlertView *)alertView
clickedButtonAtIndex:(NSInteger)buttonIndex {
NSUserDefaults *defaults = [NSUserDefaults standardUserDefaults];
[defaults setBool:YES forKey:@"termsAccepted"];
[defaults synchronize];
}
Android script to output a “cookie notice”
// This code works on Android API level 1 (Android 1.0) and up.
// Tested on the latest (at the moment) API level 19 (Android 4.4 KitKat).
// In the main activity of your app:
public class MainActivity extends Activity {
(...)
@Override
public void onStart() {
super.onStart();
final SharedPreferences settings =
getSharedPreferences("localPreferences", MODE_PRIVATE);
if (settings.getBoolean("isFirstRun", true)) {
new AlertDialog.Builder(this)
.setTitle("Cookies")
.setMessage("Your message for visitors here")
.setNeutralButton("Close message", new OnClickListener() {
@Override
public void onClick(DialogInterface dialog, int which) {
settings.edit().putBoolean("isFirstRun", false).commit();
}
}).show();
}
}
}
More about the legal background
When it comes to legal theory, this is what the European think tank on privacy says in “Opinion 02/2013 on apps on smart devices” [WP29]. In short, it is
“important to note the distinction between the consent required to place any information on and read information from the device, and the consent necessary to have a legal ground for the processing of different types of personal data. Though both consent requirements are simultaneously applicable, each based on a different legal basis, they are both subject to the conditions of having to be free, specific and informed (as defined in Article 2(h) of the Data Protection Directive). Therefore, the two types of consent can be merged in practice, either during installation or before the app starts to collect personal data from the device, provided that the user is made unambiguously aware of what he is consenting to”
After reading all of the above, here are some rules of thumb:
- make sure you inform about the privacy practices within the app, on the Play Store and also on your marketing site
- disruptive identifiers need to be blocked until the notice has been accepted, opt-outs need to be pointed out
(Update: Google has recently introduced some significant changes in relation to the EU’s General Data Protection Regulation (GDPR). You can read all about the changes and how they will affect you here.)
iubenda helps you with the generation of your privacy policy and a fully fledged cookie management system called Cookie Solution.
