GDPR compliance Analytics for Firebase, persistent identifier (Android IDs and IDFV)


cgon...@gmail.com

Apr 29, 2019, 4:27:44 PM
to Firebase Google Group
Hello,

According to https://firebase.google.com/support/privacy/ IDFVs/Android IDs are used.
When are these identifiers used?

They are a problem, since under special circumstances the user has the right to have the data deleted. Anyway, using a persistent identifier is not good.

According to https://support.google.com/firebase/answer/6318039 "By default, on Android the SDK collects the Advertising ID. If the Advertising ID is not collected, the device's hardware identifier, e.g., Android ID (SSAID), is collected instead."
Does it mean that if
 1) the user disables the use of the Advertising ID within the mobile system functions, or
 2) I disable the collection of the Advertising ID through the Analytics interface,
the Android IDs are used?

I can't see any reason for using the Android IDs.

Kind regards

Kato Richardson

Apr 29, 2019, 5:21:38 PM
to Firebase Google Group
Hello cgongames,

Without some persistent identifier, it's impossible to collect analytics data for even a single session, much less analyze repeat visitors and so on. 

Note that a persistent identifier doesn't prevent a user's data from being deleted. It's possible to delete all Analytics data associated with a given device/user by calling resetAnalyticsData and setAnalyticsCollectionEnabled. See this article.

I don't know under what circumstances an Advertiser ID wouldn't be present and we'd fall back to using the Android SSAID. Sorry I can't be more helpful with that part.

☼, Kato


Julien Gassmann

Apr 30, 2019, 2:54:21 PM
to fireba...@googlegroups.com
Hi Kato,

This isn't a simple question or a short topic, and it's confusing which ID is used for which data. I spent a whole day just on this.

Firebase for Analytics is separated into two parts:
Demographic data and device information/events users perform.

The app instance ID is used to identify the same user. The app instance ID might be used for device information/events users perform.

The Advertising ID is available from version 4.4 KitKat.
The Advertising ID is usually used for demographic data (that is what it was invented for). Before Android 4.4 the demographic data was associated with the Android ID.
It might be that the device information/user events are associated with the Advertising ID even if it's disabled on the device. This is still allowed under GDPR. Only the usage for personalized advertising isn't allowed anymore when the Advertising ID is disabled.

If you call resetAnalyticsData, according to https://support.google.com/firebase/answer/9019185?hl=en it "Clears all analytics data for this app from the device and resets the app instance id". It doesn't delete the data from the statistics (this is valid under GDPR). If the app instance ID and Advertising ID are used, everything is all right, since a new app instance ID is given and the old instance ID can't be used to identify the person anymore. Therefore the old instance ID is no longer personal data. Just uninstalling the app gives GDPR compliance.
The Advertising ID can be reset at any time, so that is no problem.

But if, for example, the SSID is used instead of the Advertising ID:
As mentioned above, the data isn't deleted from the server backend of the statistics.
The SSID can't be changed/reset.
Therefore personal data is kept in the server backend of the statistics. And this is, under some circumstances when the user has the right to have his data deleted, invalid under GDPR. And I can't see a valid reason for collecting a persistent identifier. Therefore the usage of Analytics legitimized through §6f GDPR is no longer allowed. You would need the user's consent.
When the user gives consent, he always has the right to have the data deleted. This persistent identifier makes it so complicated.

The Unity3d SDK doesn't provide deletion of data, only the reset of the app instance ID. Deleting the app doesn't mean that there isn't any more personal data collected when the SSID or a similar persistent identifier is used. I have to know whether I should implement deletion through my server and also whether I need user consent.

I




Kato Richardson

May 7, 2019, 1:31:26 PM
to Firebase Google Group
Hi Julien,

Thanks for the additional details. It looks like you can disable collection of SSAID (Settings.Secure.ANDROID_ID) in your AndroidManifest.xml:
<meta-data android:name="google_analytics_ssaid_collection_enabled" android:value="false" />. I'm uncertain if this is necessary, but it should address your concern.

You may also want to look at the user deletion API.

☼, Kato
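
One way to check in a build pipeline that the manifest flag from the reply above is actually present and set to false, as an added example that is not part of the original thread or of Firebase's own tooling. The function name audit_manifest and the sample manifests are constructed for illustration; only the key google_analytics_ssaid_collection_enabled comes from the thread.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# Key quoted in the thread; add further keys your own privacy policy requires.
REQUIRED = {"google_analytics_ssaid_collection_enabled": "false"}

# Constructed sample manifests (not taken from any real app).
GOOD = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <application>
    <meta-data android:name="google_analytics_ssaid_collection_enabled"
               android:value="false" />
  </application>
</manifest>"""
BAD = GOOD.replace('android:value="false"', 'android:value="true"')
MISSING = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app"><application /></manifest>"""


def audit_manifest(xml_text, required=REQUIRED):
    """Return {key: status}; status is 'ok', 'missing' or 'wrong:<value>'."""
    root = ET.fromstring(xml_text)
    found = {}
    # App-wide settings are <meta-data> children of <application>.
    for md in root.findall("./application/meta-data"):
        name = md.get(f"{{{ANDROID_NS}}}name")
        value = md.get(f"{{{ANDROID_NS}}}value")
        if name in required:
            found[name] = (value or "").strip().lower()
    report = {}
    for key, want in required.items():
        if key not in found:
            report[key] = "missing"      # flag absent: SDK default applies
        elif found[key] == want:
            report[key] = "ok"
        else:
            report[key] = f"wrong:{found[key]}"
    return report


if __name__ == "__main__":
    for label, text in (("good", GOOD), ("bad", BAD), ("missing", MISSING)):
        print(label, audit_manifest(text))
```

Run it against the merged manifest from the build output rather than only the source file, because entries from library manifests are merged into the final one.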



