🐛 [firebase_core] Auto Inject is not GDPR-compliant

[creativecreatorormaybenot]

Bug report

It is illegal to include Firebase Analytics in an app without the user's consent in some countries, e.g. in Germany.

This means that we have to e.g. exclude the Firebase Analytics script unless users explicitly consent to analytics collection.
We do this by means of Usercentrics and Google Tag Manager.

This is also why I came up with this workaround to not crash Flutter web apps when complying with GDPR.

Steps to reproduce

Using firebase_analytics after #7358, the Firebase Analytics JS SDK is automatically added via a <script> and downloaded by the browser.

Expected behavior

The developer should be able to control when the script is downloaded or not in order to comply with GDPR.

Ideally, it should be able to configure this via GTM.

[Jonas-Sander]

It is illegal to include Firebase Analytics in an app without the user's consent in some countries, e.g. in Germany.

Nitpick/Question: From what I know it should only be illegal to use analytics without valid consent.
Isn't there a configuration option that changes the behavior of Google/Firebase Analytics to opt-in instead of opt-out?

I use the term "Use analytics" in a broad sense - from what I know (I'm no expert) the bigger problem would the EU ePrivacy Directive since it mandates that even before saving information on the end-user device you have have valid consent (except for strictly necessary data that is needed to provide the service). Thats why there are Cookie banners everywhere.

So the follow-up question would be: Do you say this because if Google/Firebase Analytics is included inside the app then it automatically saves or sends data on the users device?

This is also why I came up with this workaround to not crash Flutter web apps when complying with GDPR.

This workaround seems unrelated to GDPR but only necessary because of Adblockers.
Although I think it's bad behavior that the app crashes if Google Analytics is blocked.

[creativecreatorormaybenot]

Nitpick/Question: From what I know it should only be illegal to use analytics without valid consent.
Isn't there a configuration option that changes the behavior of Google/Firebase Analytics to opt-in instead of opt-out?

Well, yes. It was just that the authorities did not look into it in that far in our case. They just said we were not allowed to download the script (which is crazy but I do not make the rules).

So the follow-up question would be: Do you say this because if Google/Firebase Analytics is included inside the app then it automatically saves or sends data on the users device?

They had the same issue with Google Fonts for example (as it accesses a US server that stores your IP). Iirc, we used Usercentrics to dynamically download the scripts.

[Jonas-Sander]

Now that you give the example with Google Fonts it makes sense why it might non-compliant. Like I said I'm no expert and this is just my guess.

An IP address constitutes personal data per GDPR. The Firebase service scripts (Analytics, Firstore, etc) are downloaded from gstatic.com instead of being included while building the app. At least with the Google Fonts endpoint Google additionally logs information about the client calling the endpoint (from what I know).

So basically to use Firebase services there are several possibilities:

• Download scripts from gstatic.com which leaks personal data (at least the IP-address, maybe more) to Google. This is the current approach with the "auto-inject" mechanism.
• Include the same scripts when building the app which leaks no data to third-partys.

GDPR sets forth the principle of data-minimization. So if there is a less invasive way to do something then this way should be chosen.

Regarding Google Fonts there was a judgement of a court in exactly this kind of case in Germany. Since instead of using Google Fonts and leaking information to Google the webmaster could've just provided the same font via their own server he was violating the visitors rights.

Alas my guess is that the auto-inject mechanism is non-compliant with the GDPR.
This is not just a theoretical problem but may lead to real fines for companies.