Crashlytics can be an effective and convenient way for you to discover the causes and severity of crashes in your app. But to do its job, Crashlytics needs to collect and analyze a lot of information about your users and their activity.
You may not have really considered it, but this has some major privacy implications. If your app uses Crashlytics, you're required to maintain a Privacy Policy that explains these implications to your users.
Let's take a look at how you can create a Privacy Policy that will satisfy both your agreements with Crashlytics and the law.
- 1. What Is Crashlytics?
- 2. Why Do I Need a Privacy Policy for Crashlytics?
- 2.1. Information Collected by Crashlytics
- 2.2. Crashlytics Terms of Service
- 2.3. Privacy Law
- 3. What to Include in Your Crashlytics Privacy Policy
- 4. Making Your Privacy Policy Accessible
- 5. Special Rules for Developers with EU Users
- 5.1. Collecting Consent
- 5.2. International Transfers
- 6. Summary
What Is Crashlytics?
Few things are more frustrating for a developer than their app repeatedly crashing. This can cause delays in development, degrade user experience, or, at worst, end up completely destroying your project.
This is where crash reporting software, such as Crashlytics, can be useful. Crashlytics collects crash reports and related usage data from your app, groups them by root cause, and shows you which stability problems affect the most users.
Crashlytics provides a software development kit (SDK) that developers can integrate into an Android, iOS or Unity app. It was distributed through Twitter's Fabric platform until Google acquired Fabric, including Crashlytics, from Twitter in 2017. Crashlytics is now part of Google's Firebase platform.
Why Do I Need a Privacy Policy for Crashlytics?
Fundamentally, developers using Crashlytics require a Privacy Policy because of the type of information that Crashlytics collects and processes about their users.
If you already have a Privacy Policy for your app, you'll need to update it to include the information required by Crashlytics.
This only needs to be a short section, containing some key information specified by Crashlytics.
But it's not only Crashlytics that requires you to create a Privacy Policy. It's also a requirement under certain privacy laws to which you're likely to be subject.
Information Collected by Crashlytics
Many people think of "personal information" as being the obvious things like a person's name, address or social security number. However, the definition is a lot broader than this.
According to Crashlytics' Terms of Service, Crashlytics collects data such as:
- Device state information
- Unique device identifiers
- Location data
- Usage data
- Email address (depending on how the developer implements Crashlytics)
This sort of data can constitute personal information. It reveals information about individual people, and can, in theory, be linked to them. It also reveals how individuals use your app. Many people would consider this to be intrusive.
Crashlytics Terms of Service
As mentioned, Crashlytics specifically requires customers to maintain a Privacy Policy. Here's an excerpt from Section 2.6 of the Crashlytics Terms of Service:
Let's break that down. In order to use Crashlytics, you need a Privacy Policy that:
- Is "readily accessible" from your website and/or app
- Lists the types of information that Crashlytics collects
- States that this information is shared with third parties (including Crashlytics)
- Explains how Crashlytics collects and uses this information
- Discloses that your app uses technology to track your users' activities and collect information from them
Privacy Law
The collection of device and usage information also falls under the ambit of certain data protection and privacy laws, such as:
- The EU General Data Protection Regulation (GDPR)
- The California Online Privacy Protection Act (CalOPPA)
- Canada's Personal Information Protection and Electronic Documents Act (PIPEDA)
These laws are in place to ensure that you treat your users' personal information respectfully and that you're transparent about what personal information you collect.
Not all privacy laws are equally demanding.
California's CalOPPA, for example, is essentially a notice law: it requires you to post a conspicuous Privacy Policy (one that's accessible from your website and/or app) describing the categories of personal information you collect and the third parties you share it with, but it doesn't regulate how you process that information.
The EU's GDPR, on the other hand, is much more extensive and covers every aspect of how you collect and process the personal information of your users. It also has a much wider definition of what constitutes personal information.
Generally speaking, you don't only have to consider the privacy laws of your home country. You must also obey the privacy laws of the places where your users reside. So if you have users in the EU, you're obligated to make sure your app follows the strict rules imposed by the GDPR.
What to Include in Your Crashlytics Privacy Policy
We're going to take a look at three examples of Privacy Policies that make reference to Crashlytics. Each approaches the requirements slightly differently, but together you can learn from them and provide your users with something compliant and comprehensive.
Our first example comes from Callabio, which provides Crashlytics with its own section in its Privacy Policy.
Callabio appears to have covered most of what is required of it under the Crashlytics Terms of Service. However, it doesn't specifically state that this information will be used to track users, and it doesn't disclose that Crashlytics collects location data.
Callabio then goes on to provide links to further privacy information provided by Google and Fabric, which is a welcome addition:
Here's our second example, from DBDSoft. DBDSoft has included some of the information required by Crashlytics but not all of it:
DBDSoft identifies the types of information collected: "device state information, unique device identifiers, device hardware and OS information [...] physical location."
DBDSoft does name Crashlytics but doesn't specifically state that this information will be shared with them. It's important to mention this because your users need to know where this information is going.
The Momento app's Privacy Policy includes information about its use of Crashlytics in two places. First, in the clause that discusses what information Momento shares, with whom and why, it's noted that "device and usage information will be shared with...Crashlytics."
This meets the requirement that you state that information will be shared with third parties, including Crashlytics.
Crashlytics is also mentioned in the Third-Party Services clause, in its Third-Party SDKs section. Here, users are informed that the Fabric SDK makes it possible for the app to "capture and collect crash logs through the Crashlytics service and interact with the Twitter Platform."
This meets the requirement that the types of information collected by Crashlytics are listed.
In the clause that covers what information Momento collects, a general Usage Information section notes that "anonymous analytical information" is collected when the service is used and this includes "information about your interaction with the Services, including the actions you take on the Services."
Even though Crashlytics isn't mentioned here explicitly, this clause still works to meet the requirement that you disclose that your app uses technology to track your users' activities and collect information from them.
Making Your Privacy Policy Accessible
Using Crashlytics means agreeing not only to maintain a Privacy Policy, but also to make it "readily accessible" within your app.
Many apps make their Privacy Policies available via the "Settings" or "About" menu. You should make sure that a user can access your Privacy Policy easily within just two or three taps and not have to search extensively for it.
Let's take a look at some examples.
Slack places an option to access its "Privacy and licenses" at the bottom of its Settings menu:
Tapping on this option leads to the following screen:
Selecting "Privacy Policy" opens an in-app custom browser pointed at Slack's Privacy Policy:
Here's a slightly different approach from Malwarebytes.
Malwarebytes' Privacy Policy is accessible via the About menu, which can be selected from the app's sidebar:
Here are the options available in the About screen:
Selecting the Privacy Policy opens the user's default browser and directs them to the policy:
Make sure your Privacy Policy is easily accessible from your website and mobile app at all times to comply with privacy laws and with Crashlytics' Terms of Service.
Special Rules for Developers with EU Users
The Crashlytics Terms of Service makes some specific demands of developers who have users based in the European Union.
If you have users in the EU, or if you're based in the EU, you'll need to abide by EU privacy law.
Just to reiterate: this applies to all the users you have in the EU. It doesn't matter whether you're based in the United Kingdom, United States, or the United Arab Emirates - or anywhere else, for that matter. What matters is where your users are located.
EU privacy rules apply to anyone collecting the personal information of people in the EU for the purposes of "offering goods or services" to them, or of monitoring their behaviour (which is what crash and usage reporting does). Note that this applies whether or not your app costs money or makes a profit.
Collecting Consent
The Crashlytics Terms of Service states the following:
Meeting EU data protection standards means abiding by these two important privacy laws:
- The ePrivacy Directive. Sometimes known as the EU Cookies Directive, the ePrivacy Directive requires you to obtain consent before storing information on a user's device or accessing information already stored there. This covers cookies, but also any SDK that reads device data or tracks user behaviour, such as Crashlytics.
- The General Data Protection Regulation (GDPR). The GDPR sets the standard for consent. Wherever you ask for consent, it must be freely given, specific, informed and unambiguous. You can't assume that you have a user's consent for crash reporting and then offer them a way to opt out. You need an affirmative action from the user showing they're happy for you to use their personal information in this way.
Not every company is very good at complying with these rules. But it's very important that you do so, as the EU's Data Protection Authorities aren't shy about taking legal action.
In fact, Google itself was hit with an eye-watering €50 million fine in January 2019 because of the way in which it was collecting consent. Be aware, too, that by default Firebase Crashlytics starts collecting crash data as soon as the SDK initializes, before the user has been asked anything.
If you're serving EU users, you should enable opt-in reporting: turn off automatic collection and switch reporting on only after the user agrees. The SDK provides this option, but it's off by default, so it's your responsibility to configure it. This gives your users real control over whether you use their personal information for this purpose.
Here's Google's guidance on how to do this for Android users within Firebase:
There are different instructions if you're developing an app for iOS or Unity.
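As an added example (not code from the original page, and not Google's or Firebase's own sample), here is the opt-in pattern on Android with the current Firebase Crashlytics SDK: automatic collection is switched off in the manifest, reporting is enabled only once the user has agreed, and a Settings toggle lets them withdraw. The manifest key `firebase_crashlytics_collection_enabled` and the `FirebaseCrashlytics` methods `setCrashlyticsCollectionEnabled()` and `deleteUnsentReports()` are the documented SDK controls; the `ConsentManager` class, the `privacy_prefs` preference file and the `crash_reporting_consent` key are assumptions made for this example.

```kotlin
// AndroidManifest.xml (inside <application>): disable automatic collection so the
// SDK does not start reporting before the user has been asked. Documented key:
//
//   <meta-data
//       android:name="firebase_crashlytics_collection_enabled"
//       android:value="false" />

import android.content.Context
import com.google.firebase.crashlytics.FirebaseCrashlytics

/**
 * Records the user's crash-reporting decision and applies it to the SDK.
 * ConsentManager, "privacy_prefs" and the preference key are assumptions
 * made for this example, not part of the Firebase SDK.
 */
class ConsentManager(context: Context) {
    private val prefs = context.getSharedPreferences("privacy_prefs", Context.MODE_PRIVATE)
    private val crashlytics = FirebaseCrashlytics.getInstance()

    /** True only if the user explicitly opted in; no answer counts as "no". */
    fun hasConsented(): Boolean = prefs.getBoolean(KEY_CRASH_CONSENT, false)

    /** Whether the consent dialog still has to be shown (never answered). */
    fun needsPrompt(): Boolean = !prefs.contains(KEY_CRASH_CONSENT)

    /**
     * Call from Application.onCreate(): re-apply the stored decision on every
     * launch. The SDK persists the flag itself, so this is defensive, and it
     * guarantees an unanswered prompt never results in collection.
     */
    fun applyStoredChoice() {
        crashlytics.setCrashlyticsCollectionEnabled(hasConsented())
    }

    /** User tapped "Allow" in the consent dialog: start reporting from now on. */
    fun grant() {
        prefs.edit().putBoolean(KEY_CRASH_CONSENT, true).apply()
        crashlytics.setCrashlyticsCollectionEnabled(true)
    }

    /**
     * User withdrew consent from Settings: stop reporting and discard any
     * reports the SDK has queued on the device but not yet sent.
     */
    fun withdraw() {
        prefs.edit().putBoolean(KEY_CRASH_CONSENT, false).apply()
        crashlytics.setCrashlyticsCollectionEnabled(false)
        crashlytics.deleteUnsentReports()
    }

    companion object {
        const val KEY_CRASH_CONSENT = "crash_reporting_consent"
    }
}
```

Wire it up by calling `applyStoredChoice()` from your `Application.onCreate()`, showing the consent dialog when `needsPrompt()` is true, and exposing `grant()` / `withdraw()` behind a switch in your Settings screen. Keeping "no answer" and "declined" both mapped to collection disabled is what makes this opt-in rather than opt-out.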
Many apps collect consent for crash reporting. Here's an example from Ookla's Android app, Speedtest:
You should also provide an option to allow your users to withdraw consent once they've given it (or provide consent if they've previously refused it). Here's how Speedtest does this:
International Transfers
The Crashlytics Terms of Service gives the following requirement:
The Crashlytics Terms require that you obtain EU users' consent to transfer their data to countries outside of the EU.
This is a somewhat confusing provision.
There are rules about transferring personal information out of the EU to non-EU countries. These rules are set out in Chapter 5 of the GDPR. There are several ways to perform such a transfer lawfully: the GDPR lists a number of safeguards, and the European Commission maintains a list of "adequate" countries for which no additional safeguards are required.
It is possible to transfer a user's personal information out of the EU on the basis of their consent. However, this is normally a last resort, where none of the other safeguards are available.
In fact, data transfers to Crashlytics are covered by a different safeguard - Google's certification under the EU-US Privacy Shield Framework. This means that, under the GDPR, it isn't necessary or appropriate to seek a user's consent to transfer their data outside of the EU for the purposes of using Crashlytics. (Note that the Court of Justice of the EU invalidated Privacy Shield in July 2020, so check which Chapter 5 mechanism, such as standard contractual clauses, Google currently relies on before naming it in your policy.)
In light of this, it isn't clear why Crashlytics requires developers to obtain consent for such transfers. It is difficult to find any examples of apps that actually do this.
SeriesGuide makes reference to Crashlytics' Privacy Shield certification in its Privacy Policy:
This fulfills Crashlytics' requirement that developers give their users notice of the international transfer of their personal information.
Although this part of Crashlytics' Terms of Service is confusing, and although it appears to have been ignored by many if not all developers, remember that you do agree to fulfill this requirement by using the service.
Summary
Crashlytics requires all developers using the service to have a Privacy Policy, or update their existing Privacy Policy to include information about Crashlytics.
This must include information about:
- The types of information Crashlytics collects
- How Crashlytics collects and uses this information
You must disclose that:
- This information is shared with Crashlytics (i.e. Google) and other third parties
- Crashlytics tracks your users' activities
The Privacy Policy must be readily accessible from within your app.
There are extra requirements pertaining to any of your users in the EU:
- Get consent for collecting crash reporting data
- Provide notice of, and get consent for, the transfer of your users' personal information outside of the EU