Firebase Analytics: New Apple Privacy Guidelines (Fall 2020)

[aschuch]

In fall 2020, Apple will enforce new privacy guidelines for 3rd-party analytics SDK, such as Firebase Analytics. Details are outlined in this document: https://developer.apple.com/app-store/user-privacy-and-data-use/

1. Privacy Information on the App Store

Apple will require developers to provide information about the privacy practices when submitting apps in App Store Connect. The provided information will be used to inform users about the privacy practices of an app on the App Store.

If you use third-party code — such as advertising or analytics SDKs — you’ll also need to describe what data the third-party code collects, how the data may be used, and whether the data is used to track users.

Question

Developers need to know the exact set of data that is collected by the Firebase SDK in order to provide this information to Apple.

• Could you please share an exact list of datapoints that is currently being collected by the Firebase SDK?
• What data is optionally collected by the SDK when the user has given access to specific permissions to the encapsulating app (location, camera, photos, contacts, calendar permission)?

2. Permission to track

Apple will require apps to explicitly ask for the users permission to track them or access their device’s advertising identifier. The new AppTrackingTransparency framework needs to be used to prompt the user for permission.

According to Apple, the AppTrackingTransparency framework needs to be used to ask for permission in the following cases:

Tracking refers to the act of linking user or device data collected from your app with user or device data collected from other companies’ apps, websites, or offline properties for targeted advertising or advertising measurement purposes. Tracking also refers to sharing user or device data with data brokers. Examples of tracking include, but are not limited to:

• Displaying targeted advertisements in your app based on user data collected from apps and websites owned by other companies.
• Sharing device location data or email lists with a data broker.
• Sharing a list of emails, advertising IDs, or other IDs with a third-party advertising network that uses that information to retarget those users in other developers’ apps or to find similar users.
• Placing a third-party SDK in your app that combines user data from your app with user data from other developers’ apps to target advertising or measure advertising efficiency, even if you don’t use the SDK for these purposes. For example, using an analytics SDK that repurposes the data it collects from your app to enable targeted advertising in other developers’ apps.

Question

Given an app that only includes Firebase Analytics (no AdMob or other advertising SDKs) and does not link to the AdSupport.framework (so that the IDFA is not used):

• Does Firebase Analytics conduct any of the activities outlined by Apple which requires developers to use the new AppTrackingTransparency framework to ask for permission?
• Do you generally recommend developers to use the new AppTrackingTransparency framework to ask for user's permission when using Firebase Analytics?

Looking forward to your interpretation of the new rules and your recommendation towards developers.

[google-oss-bot]

I found a few problems with this issue:

• I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.
• This issue does not seem to follow the issue template. Make sure you provide all the required information.

[morganchen12]

To answer your questions:

• No, Analytics will not access the ad ID if no advertising SDKs are present and AdSupport is not linked. However, #1686 makes it so that explicit ad ID access control is required, which is something we need to add on the Firebase side.
• Yes, if you're using Analytics with an ad framework you should follow Apple's guidelines. You may not be able to submit to the App Store otherwise.

[morganchen12]

Googlers-only bug number: b/160005774

[aschuch]

Thanks for your comment, @morganchen12!

I am still missing some answers to 1. (Privacy Information on the App Store):

• Could you please provide a list of datapoints that are tracked by Firebase Analytics here or document them in the Readme?
• Does Firebase Analytics track the user's location, contacts, photos, etc in case the encapsulating app has gathered permission from the user?

Answers to those questions, will be important for all developers integrating Firebase Analytics in order to answer the privacy questions during Apple's app review process as well as inform app users about the use of data by the 3rd-party Firebase SDK.

My question in 2. (Permission to track) explicitly asked about an app that only includes Firebase Analytics (no AdMob or other advertising SDKs). We are aware that we need to follow Apple's guidelines when submitting to the App Store, however, these guidelines are very much dependent on what data Firebase Analytics collects and if this data is used to combine user data from one app with user data from other developers’ apps to target advertising or measure advertising efficiency.

From Apple's website:

Placing a third-party SDK in your app that combines user data from your app with user data from other developers’ apps to target advertising or measure advertising efficiency, even if you don’t use the SDK for these purposes. For example, using an analytics SDK that repurposes the data it collects from your app to enable targeted advertising in other developers’ apps.

Does Firebase use the collected data to perform such activity?

[morganchen12]

Analytics' collected data is described in this support document. Analytics will track the user's country but not their granular location and will not automatically track or log contacts, photos, or other data even if the user has given permission for the app to access that data. If you're using Analytics and want to track that data you must log it manually.

Analytics does use ad ID data to determine advertising efficiency, so this does constitute tracking under Apple's guidelines.

[elpida-v]

We’ve heard of several Apple rejections of apps in the Kids Category that use Firebase, even if they have disabled IDFA. The rejections relate to the latest Apple Review Guidelines regarding kids apps as described in section 1.3 (https://developer.apple.com/app-store/review/guidelines/#safety).

We consider using Firebase Auth and Cloud Firestore but we are reluctant to do so, in fear that Apple may reject our app even if we don’t use IDFA. We don’t plan to use analytics nor advertising. Can you give us some insight into this? Will there still be references to IDFA if we just use the above products and opt-out from IDFA?

[morganchen12]

@poco99 for the kids' category app rejection see #5153. Using non-Analytics Firebase dependencies will not get your app auto-rejected for IDFA reasons. If you don't plan on using Analytics, you can exclude the Analytics binary entirely from your app.

[elpida-v]

@morganchen12 Thank you for the clarification.

[sipersso]

Analytics' collected data is described in this support document. Analytics will track the user's country but not their granular location and will not automatically track or log contacts, photos, or other data even if the user has given permission for the app to access that data. If you're using Analytics and want to track that data you must log it manually.

Analytics does use ad ID data to determine advertising efficiency, so this does constitute tracking under Apple's guidelines.

So this would in essence mean that I would have to show the AppTransparencyFramework dialog in order to be able to keep using Firebase Analytics? Do I understand this correctly?

[morganchen12]

Currently that is the case if the AdSupport framework is linked. You can use FirebaseAnalytics without linking AdSupport, but linking is not as explicit a control as we'd like because of issues like #1686.

Edit: This is no longer required with the latest version of Analytics. Analytics will now recognize the blank ad ID if AppTrackingTransparency consent is unavailable and continue to work correctly without ad features, even if AdSupport is linked.

[sipersso]

Thanks for the update. This is good to know. I know that there are other frameworks that currently links AdSupport too, so this is definitely something to watch out for.

[willbattel]

Will the Firebase team be providing any official guidance in the future, such as in a blog post or docs page, about how developers using the SDK can best navigate this change in policy?

There is speculation that Google will be getting rid of their GAID in a similar fashion. Regardless of whether this happens or not, it would be nice to have some concrete information compiled that developers can reference to ensure that Firebase is behaving exactly as desired.

[Gerharbo]

A blogpost or guidance in the developer documentation would even be better.

Isn’t it possible to disable the usage of a unique id? Whether it is or isn’t linked to a ad framework.

Thanks.

[morganchen12]

@kev-lam and the rest of the Analytics team are working on more comprehensive official guidance.

[Gerharbo]

@morganchen12 thanks for the quick reply and update!

[dbaroncelli]

Do we have any update on this? In particular I would like to ask if there is a way to use Firebase Analytics and AdMob (but without targeted ads!) without requesting the IDFA and having to show the permission prompt.

[morganchen12]

You can use Firebase + AdMob and serve ads without the advertising identifier, but expect to see decreased ad revenue. The AdMob docs for iOS 14 can be found here.

[dbaroncelli]

You can use Firebase + AdMob and serve ads without the advertising identifier, but expect to see decreased ad revenue. The AdMob docs for iOS 14 can be found here.

So, can you confirm that Firebase Analytics doesn't require IDFA, and we don't need to state our app is using it when we publish to the AppStore? And can you confirm neither Firebase Auth nor Firestore require it?

[willbattel]

You can use Firebase + AdMob and serve ads without the advertising identifier, but expect to see decreased ad revenue. The AdMob docs for iOS 14 can be found here.

Just for 100% clarity, if we do not want to use the IDFA in iOS 14, all we have to do is forgo the ATT framework and the Firebase SDK will operate with no issues other than decreased revenue and reduced attribution data?

[morganchen12]

In the latest version of Analytics, yes. Older versions aren't aware of the zeroed out IDFA and will treat it as a normal advertising identifier, which probably won't cause any issues, but is not ideal.

[Abrahanfer]

Will Firebase Analytics request ATT Authorization in future versions or Are we responsible, as developers, to request that authorization?

[morganchen12]

Analytics will never automatically request ATT authorization. It's up to you to decide whether or not access to the advertising identifier is critical to your business and request the required permissions if necessary.

[morganchen12]

@dbaroncelli Analytics does not require the IDFA. If you don't link AdSupport, you don't need to fill out the App Store questionnaire.

Firestore and Auth have never depended on the advertising identifier, and will continue to not require IDFA access in future versions.

[dbaroncelli]

@morganchen12 can you please explain what it means to "link AdSupport" ? I am currently using the standard AdMob configuration for iOS. Does it mean I am currently linking AdSupport? I would like to keep using AdMob but without IDFA and targeted advertising. How do I remove the link to AdSupport?

[morganchen12]

If you're using AdMob you're likely using AdSupport as well. I'm not sure if you can remove AdSupport in that case--you may want to ask AdMob support.

[willbattel]

If you're using AdMob you're likely using AdSupport as well. I'm not sure if you can remove AdSupport in that case--you may want to ask AdMob support.

Unfortunately that support link just dumps you into the community forum where I doubt other users are going to confidently be able to answer this. Is there not a Firebase/AdMob dev that can be cc'd to answer this?

I have a Production support role in GCP but AdMob isn't one of the options listed under Firebase- which doesn't necessarily surprise me, but does make it difficult for us to find someone to talk to who knows the answer.

[morganchen12]

AdSupport is listed as a weak_framework in the GoogleMobileAds podspec and is not required in the manual install instructions, so it's not required for serving ads with AdMob.

[simonmaddox]

We use Firebase for Crashlytics and for Analytics events. We don't link AdSupport, or use the IDFA.

Based on my reading of Apple's webpage on User Privacy and Data Use, we would have to ask for permission to track. Is this understanding correct?

As someone that doesn't know the inner workings of Google's data collection, this seems to be calling out Firebase:

Examples of tracking include, but are not limited to:

• Placing a third-party SDK in your app that combines user data from your app with user data from other developers’ apps to target advertising or measure advertising efficiency, even if you don’t use the SDK for these purposes. For example, using an analytics SDK that repurposes the data it collects from your app to enable targeted advertising in other developers’ apps.

and

The IDFV may not be combined with other data to track a user across apps and websites owned by other companies unless you have been granted permission to track by the user.

The examples Apple provide where permission to track is not required do not appear to describe our use of Firebase.

[nomoth]

Hi @morganchen12 ,

We need to link AdSupport as we work with many Ad providers. So we will integrate ATT and ask for consent. But do we need to obtain user consent before initializing the Firebase Analytics SDK?

Thanks

[morganchen12]

@nomoth You do not need to present the ATT prompt before initializing the Analytics SDK.

@simonmaddox Analytics will only combine your users' data with data from other apps if access to the advertising identifier is granted. Crashlytics' crash data is not used for advertising, and is thus not combined with any other third-party applications or services.

[ryanwilson]

It looks like Apple finally released the list of explicit items that are required to be disclosed: https://developer.apple.com/support/app-privacy-on-the-app-store/

We'll be looking at this closely and get an answer ASAP for each product.

[fliperamma]

Hey @ryanwilson Thanks for sharing that link. I understand this is not the ideal place to ask, but would you know if the changes there (answer the privacy questions while preparing a release) were also postponed until the next year or if those will be available/needed in the following weeks (together with the iOS 14 release)?

[ryanwilson]

@fliperamma I have no extra insight other than going from Apple's page linked in the original report - under the "Describing How Your App Uses Data" section it starts with "Later this year," then later mentions "You will soon be required to provide information...". This leads me to believe that it's not tied to the iOS 14 launch but will be coming some time this year.

[dbaroncelli]

AdSupport is listed as a weak_framework in the GoogleMobileAds podspec and is not required in the manual install instructions, so it's not required for serving ads with AdMob.

@morganchen12 I am sorry, but it's still not clear to me: If our iOS app has AdMob already installed, and we don't want to use AdSupport, do we need to do change something specifically in our configuration?

[morganchen12]

No changes are required.

[benjiwheeler]

@morganchen12 wrote:

You can use FirebaseAnalytics without linking AdSupport

How do we set up our iOS app to use FirebaseAnalytics, without linking AdSupport (or anything else that would make Apple reject us)? We only want to collect anonymous telemetry, not IDFA, and we don't use any ads.

[vdaele]

You can use FirebaseAnalytics without linking AdSupport I would also like to understand how this can be done.

We currently use pod 'Firebase/Analytics' (v6.9.0) in our Podfile, our app does not use Ads, we only use [FIRApp configure]; and [FIRAnalytics logEventWithName... calls and still our (Kids) app was rejected because we use "Third-party analytics or third-party advertising with the ability to collect, transmit or share identifiable information, including, for example, IDFA."

[morganchen12]

@benjiwheeler AdSupport is excluded by default. If you've added AdSupport to your app and want to remove it, remove the AdSupport framework from your app target's Link Binary with Libraries build phase. You can check that AdSupport is not linked at runtime with this snippet:

print(NSClassFromString("ASIdentifierManager") != nil) // returns true if AdSupport is present

@vdaele the issue you're describing was fixed in 6.27.1 (FirebaseAnalytics 6.6.2). Make sure you're not linking AdSupport into your app via the steps above and, if your app is still getting rejected, file an appeal to Apple.

[amaurydavid]

Apple released a very helpful webpage in which they describe how apps can have a good view of how their user's data is being used and if it's considered tracking or not. Maybe the Firebase team could:

1. Reuse the table "Types of data" to list each type of data used by Firebase (and specificy the Firebase's component: Analytics, Auth, Crashlytics, Remote config, ...)
2. Associate them with usages from the "Data use" table.
3. Associated them with a booleen indicating whether each type of data is, or can be, used while linked to the user. For example I suppose diagnostic data can be linked to users as soon as the developer uses the userId property, but otherwise is not.
4. And also state for each association if the data collected is mixed with third party data. For example I guess that the collected IDFA is mixed with third party data so that Firebase can build a profile for each IDFA to inform us about the gender or interests of the person behind an IDFA in the "audiences" screen.

Having such detailled tables will be important, if not mandatory, so that each developer will be able to correctly fill the App Store privacy section when Apple will activate it.

[morganchen12]

Thanks @amaurydavid, this is something we're aware of and we're working on publishing documentation as you've described to address this issue comprehensively so developers won't need to come to this GitHub thread for Q&A. The reason it's taking so long is there are some cross-Google considerations involved. We have a hard deadline for releasing this documentation by the end of the year, but are hoping to release it much sooner.

[vdaele]

@morganchen12

@vdaele the issue you're describing was fixed in 6.27.1 (FirebaseAnalytics 6.6.2). Make sure you're not linking AdSupport into your app via the steps above and, if your app is still getting rejected, file an appeal to Apple.

Our app was indeed approved when using FirebaseAnalytics 6.6.2. Thank you for your excellent support!

[amaurydavid]

There are new APIs related to "user consent" in FirebaseAnalytics 7.0.0, but I can't find a documentation page that clearly states what it does. The inline documentation says

Sets the applicable end user consent state (e.g. for device identifiers) for this app on this device. Use the consent settings to specify individual consent type values. Settings are persisted across app sessions. By default consent types are set to ConsentStatus.granted.

Does that mean that we can now disable IDFA sharing using this ? As nothing in the API clearly states that it's restricted to collecting device identifiers, I fear setting the consent to denied would have the same effect as using setAnalyticsCollectionEnabled.

[morganchen12]

Hey @amaurydavid,

The Consent API introduced in Firebase 7 allows you to customize analytics and ad data usage according to the level of consent your users give you. Though it has consent in the name, it is separate from AppTrackingTransparency consent and is not a robust mechanism for preventing the collection of the device's advertising identifier (see here for more details).

Currently, you can guarantee the IDFA is not collected only by removing AdSupport from your build target. Starting next year, you can prevent the collection of the advertising identifier by choosing to not present the AppTrackingTransparency permissions dialogue to your users, regardless of whether or not AdSupport is linked.

[ghost]

Hi @morganchen12, thanks for the very useful explanations here! If I understand it correctly, using ONLY Firebase Crashlytics and Firebase Remote Config (no Analytics and no AdMob) should cause no issues at all (even if our apps have advertising and link the AdSupport framework). Could you please confirm this? Thanks a lot in advance!

[morganchen12]

@matance yes, Firebase will not record your IDFA if Analytics is not included in the project, even if AdSupport is linked. Be aware that non-Firebase advertising SDKs may record the IDFA if AdSupport is linked.

[aschuch]

https://developer.apple.com/news/?id=vlj9jty9

This information will be required to submit new apps and app updates to the App Store starting December 8, 2020.

[piobyz]

Thanks @amaurydavid, this is something we're aware of and we're working on publishing documentation as you've described to address this issue comprehensively so developers won't need to come to this GitHub thread for Q&A. The reason it's taking so long is there are some cross-Google considerations involved. We have a hard deadline for releasing this documentation by the end of the year, but are hoping to release it much sooner.

Would be nice to have it before Apple will start requiring this App Privacy Details on December 8, 2020.

[morganchen12]

We do plan on publishing our doc before Apple's deadline. It needs to go through a lot of review internally before that can happen, so I can't guarantee we'll succeed, but currently things are on track.

[micheau-bastien]

We do plan on publishing our doc before Apple's deadline. It needs to go through a lot of review internally before that can happen, so I can't guarantee we'll succeed, but currently things are on track.

Hi! Thanks, can't wait to read the document! Will it also cover use-case with only Firebase Analytics without ad ? From my perspective, Firebase Analytics alone should only add Coarse Location, User ID and Product Interaction to "Data not linked to you". Is that a correct assumption?

[morganchen12]

The document content we've prepared thus far covers conditional data collection for Firebase SDKs, including Analytics with and without AdSupport.

Unfortunately, our guidance discourages us from categorizing the data Firebase collects on your behalf, so I'm not able to tell you which boxes in the questionnaire you should fill out. This is not because we know all the categories behind the scenes and want to keep them a secret from you; rather, it's because Apple's definitions (though not strictly legal definitions) may have legal implications and the Firebase staff who are active on this repository, including myself, are not qualified to provide answers to legal questions. We can tell you in detail what data Firebase collects, but we cannot tell you how that data fits under Apple's definitions. With that in mind, here's the data collection bits that may be relevant to your question:

• Analytics collects anonymized IP addresses and uses them to approximate user location. This is how the Analytics dashboard is able to break down your user base by country.
• Without AdSupport, Analytics does not collect any identifiers except the Firebase Installations ID by default.

I know it's not what you want to hear, but if you need to explicitly categorize the above data collection items, you will need to retain your own legal counsel.