Google's extensive Firebase platform helps your website or app function and grow through analytics and software. However, you can't use Firebase or its systems without following the Privacy Policy requirements in Firebase's Terms of Service.

Privacy Policies are used to notify users of, and obtain their consent to, the collection of their personal data by the company's website or app. These disclosures are a way to protect an individual's rights in their data and prevent potential future legal issues.

There are quite a few platforms and software that require certain provisions in your Privacy Policy to use their features. Google's Firebase is no different. Firebase's many platforms perform their functions based on the personal data collected when a user visits a site that uses Firebase.

Firebase includes some of the most popular analytical platforms and storage systems out there (e.g. Google Analytics). To continue using these many beneficial analytics, you must update your Privacy Policy to be up to snuff with Firebase's requirements. Here's how to make sure you comply with Firebase's Privacy Policy standards.


What is Firebase?

Before we delve into the Privacy Policy requirements, let's take a brief look at what Google's Firebase is.

Firebase is Google's web and app platform that provides analytics, software, messaging, and crash reports for your website or app. Firebase is a massive platform that covers all areas of your company to help with speed, analyzing usage by visitors, storage, and driving growth to your site.

Firebase is the umbrella term for Google's many software platforms that include:

  • Google Analytics
  • Cloud Firestore
  • Test Lab
  • Crashlytics
  • ML Kit

Firebase performs all of its tasks by collecting the personal and sensitive data of the users that visit its partner sites. This is why Firebase requires partnering companies to have a Privacy Policy that includes a few specific clauses relating to its platforms' functions and systems.

Firebase Privacy Policy Requirements

Section 7 of the Google Analytics for Firebase Terms of Service states the specific requirements your company must disclose in your Privacy Policy. You must include in your Privacy Policy:

  • Your use of Firebase Google Analytics
  • Your use of cookies, identifiers for mobile devices, or third-party vendors and how they are used
  • How a user may opt out of Firebase Analytics

Here is the section that notes these requirements:

Google Analytics Firebase Terms of Service: Privacy clause with requirements highlighted

All of these requirements must be included somewhere in your company's Privacy Policy.

If you don't include these disclosures, you may run afoul of Google and not be able to use Firebase and its analytical tools.

Let's take a closer look at each of the requirements you need to include in your Privacy Policy.

Your Use of Firebase Google Analytics

If you use Firebase, you must disclose that you use Firebase and any of its services. The main Firebase service to pay attention to is Google Analytics: what is required to use Google Analytics is also required to use Firebase.

Google Analytics is a web service that analyzes your site's performance and visitors' activity. From this analysis, companies are able to see a full report on how their site is performing.

As Google Analytics uses cookies, IDs, and other technologies to store and collect the private data of visitors, disclosing the use of them in a Privacy Policy is a must.

Firebase requires disclosure of the use of Google Analytics. You can either do this by including a section for Google Analytics in a Privacy Policy or through a link. Google provides a link you may include in your Privacy Policy to comply with the Terms of Service.

The provided link takes a user directly to Google's page explaining how Google uses data from websites or apps that use one of its platforms.

Google Privacy and Terms: How Google uses information from sites or apps that use our service - Intro excerpt

Here's how LogMeIn incorporates this provided link into its Privacy Policy:

LogMeIn Privacy Policy: Google Analytics and Adobe Marketing Cloud clause

On the other hand, you don't have to include the link and can instead just state that your site uses Google Analytics and how it uses the service.

Instead of including the link provided by Google, ThoughtWorks includes a section in its Privacy Policy that's dedicated to Google Analytics. It describes how the company uses Google Analytics to collect information, store information, and what Google does with the information:

ThoughtWorks Privacy Policy: Google Analytics clause

Companies that use Google Analytics must also follow Google's EU User Consent Policy. Google's EU User Consent Policy requires companies that collect data from individuals who live within the EU Economic Area to disclose the use of cookies and obtain consent to that use.

To comply with the User Consent Policy you must:

  • Obtain consent to use cookies and share and store the data for ads
  • Retain records of consent
  • Describe the procedure of how to revoke consent
  • Hold third parties that use the collected data to standards

If you have customers living in the EU Economic Area and use Google Analytics, you must incorporate these into your Privacy Policy as well.

Notice of Use of Cookies, Identifiers, and Third-Party Vendors

Firebase and Google Analytics use cookies and identifiers to collect and store the personal information of users. To comply with Firebase's Terms of Service, you must disclose in your Privacy Policy the use of cookies, identifiers for mobile devices, and third-party vendors to properly obtain consent.

Cookies

Cookies are used by websites and apps to store data related to their users. The data stored in cookies helps websites improve functionality, advertising, and performance.

As cookies are a way to collect personal and sensitive information, such as email addresses and credit card information, you must disclose the use of them in a Privacy Policy.

How you do it is entirely up to you. You can either include a section in your general Privacy Policy or a separate Cookies Policy, depending on where your users are.

Lulus includes a Cookies and Advertising section in its Privacy Policy that states what cookies are, the cookies it uses, and what it does with the information stored in the cookies:

Lulus Privacy Policy: Cookies and Advertising clause

Another option is creating a separate Cookies Policy. A separate Cookies Policy is not required by U.S. law or Firebase, but is a requirement for businesses that fall under the scope of the EU's Cookie Law, or the ePrivacy Directive.

Identifiers for Mobile Devices

Identifiers for mobile devices, commonly called IDs, are strings of letters and numbers that are connected to a specific cell phone or tablet. IDs are like cookies in that they store specific information from the user, but are different in key ways.

IDs can only be collected by a downloaded app, such as UberEats, but not a website. IDs also track a user's actions for a longer period of time than cookies.

Apps collect the IDs from a user's specific tablet or phone and can use the data to identify the user and send them specific advertisements based on that data.

There are two main types of IDs, depending on the operating system a phone uses. They are:

  • iOS - Identifier for Advertisers (IDFA)
  • Android - Google Advertising ID (GAID)

It is not required to state which ID is used. Just noting the use of them is enough.

Snap Inc. provides a section in its Privacy Policy for device information, including battery life and timezone, that its many apps collect through the use of unique device identifiers:

Snap Privacy Policy: Device Information clause

WhatsApp includes a clause that lets users know it collects device-specific information during installation and use. It lists the information it collects including IP addresses, device identifiers and location features when enabled:

WhatsApp Privacy Policy: Device and Connection Information collected clause

Third-Party Vendors

In addition to disclosing the use of cookies and IDs, you must state how you and third-party vendors or third-party cookies use the data. This can be included in your Google Analytics section or in a separate third-party partners section.

Third-party vendors are used to help improve the services of the sites and their functionality. These vendors can help with anything from troubleshooting to storing data on a cloud. No matter what they do, users must be notified of the relationship between your site and third parties.

Lattice uses Google Analytics on its site in addition to other third-party vendors. Lattice's Privacy Policy states the use of third parties, what each party does, and the requirements the third parties must meet to partner with Lattice:

Lattice Privacy Statement: Third Party Service Providers clause

How a User May Opt-Out of Firebase Analytics

Google Analytics and other Firebase Analytics can only be used once explicit consent has been obtained, as these services collect and store sensitive information. This is why users must be able to opt out of any Firebase Analytics used, including Google Analytics or device advertising settings.

Google does not allow sensitive information to be transferred to third parties without consent and requires companies to protect the information and ensure that an individual's rights to the information are maintained:

Google Analytics Firebase Terms of Service: Information Rights and Publicity clause

You can follow Google's Information Rights and Publicity requirement by including in your Privacy Policy an opt-out link, a procedure for how a user can opt out of the service, or a link to how users can control their preference settings.

Embed provides users with an Opt-Out link in its general Google Analytics section to opt out of the service. It also includes an opt-out link for each specific technology it uses to collect and store information, including Google Analytics Doubleclick:

Embed Privacy Policy: Google Analytics Doubleclick clause

The opt-out link takes a user to Google's general page of how to block ads, save settings in Google, and control ads on websites that partner with Google:

Google Support: Ads Help - Block certain ads with instructions

Another way to let users opt out of the service is by providing company-specific procedures or pages on how to opt out.

What to Remember Going Forward

Firebase requires you to include three simple disclosures in your Privacy Policy: the use of Google Analytics, the use of cookies and third-party vendors, and options to opt out of the service.

How you disclose this and where in your Privacy Policy is entirely up to you.

However, if you fail to comply with Firebase's Terms of Service and its required clauses, you may lose the ability to use all of Firebase's many platforms and could face potential legal issues.