Do we need to disclose Firebase Dynamic Links in our privacy policy?

Yes. Firebase Dynamic Links processes personal data including device identifiers, click timestamps, and platform information. Under GDPR, CCPA, and similar regulations, you must disclose any third-party data processors. Since Google LLC processes this data, you must name Firebase Dynamic Links and Google in your policy and provide a link to Google's privacy policy.

What specific data does Firebase Dynamic Links collect?

Firebase Dynamic Links collects link click timestamps, device platform (iOS/Android), device identifiers, advertising IDs, and custom attribution parameters embedded in the link. This data enables Google to track which users clicked links, when they opened apps, and on which devices—allowing attribution of app installations to specific marketing campaigns.

Does Firebase Dynamic Links require a cookie consent banner?

No. Firebase Dynamic Links does not use cookies. However, it does collect device identifiers and tracking data that may constitute personal data under GDPR and CCPA. While a cookie banner is not necessary, you must still obtain valid consent (or have a legal basis) for Firebase Dynamic Links' data collection under privacy regulations.

Who processes Firebase Dynamic Links data and where?

Google LLC, a United States-based company, is the data processor. Data is transferred to Google's servers in the US. Under GDPR, transfers to the US require an adequacy decision or Standard Contractual Clauses (SCCs). You should reference Google's standard contractual terms and data processing agreement when implementing Firebase Dynamic Links.

Deep Linking & Attribution

Privacy policy clauses for Firebase Dynamic Links

Firebase Dynamic Links is a Google-operated deep linking service that creates shortened URLs capable of surviving app installations and directing users to specific content. Websites and apps use it to track user journeys across platforms and attribute app installations to marketing campaigns.

Scan my site free →Copy sample clause ↓

Free scan · No signup · Results in 60 seconds

What data Firebase Dynamic Links collects

Your privacy policy must disclose each of the following data types when you use Firebase Dynamic Links.

Link click and open data

Device and platform information

Attribution parameters

When does Firebase Dynamic Links trigger privacy obligations?

Installation & Data Flow Start

Firebase Dynamic Links begins collecting data the moment its SDK is integrated into your app or website. The service immediately captures:

–Click and open events: Every time a user taps a dynamic link, Firebase logs the timestamp, device identifier, and whether the app was already installed.
–Device & platform data: OS version, device model, advertising ID (IDFA/GAID), and IP address are transmitted to Google's servers.
–Attribution parameters: Custom URL parameters you embed in links are forwarded to Google and retained for attribution analysis.

Common compliance pitfalls

Pitfall 1: Failing to Disclose Attribution Parameter Collection

Many operators embed custom parameters in Firebase Dynamic Links (e.g., `?campaign=summer_sale&user_id=12345`) without realizing these are transmitted to Google and stored in Firebase. If those parameters contain or correlate with personal identifiers, you've sent personal data to a third party without explicit disclosure.

Why it happens: Attribution feels like internal analytics, so teams don't flag it as a data-sharing event requiring third-party processor disclosures.

Consequence: GDPR Article 14 violation (failure to disclose the third-party recipient); potential enforcement by data protection authorities if Firebase is not named in your privacy policy. CCPA Section 1798.100(d) violation (failure to disclose categories of personal information sold or shared to service providers).

Pitfall 2: Missing Data Processing Agreement with Google

Firebase Dynamic Links qualifies Google as a data processor under GDPR Article 28 (or a "service provider" under CCPA). Operating without a signed Data Processing Agreement (DPA) is a direct violation; Google provides a DPA through its standard terms, but many small teams never review or formally execute it.

Why it happens: Indie founders assume Google's standard ToS suffice; they don't realize a DPA is a separate, mandatory contractual requirement.

Consequence: GDPR Article 28(4) violation and potential fines; data authorities (e.g., Austrian DPA, UK ICO) have fined organizations for missing processor agreements even when the processor is compliant.

Pitfall 3: Collecting IDFA/GAID Without Explicit Consent

Firebase Dynamic Links automatically collects advertising identifiers (IDFA on iOS, GAID on Android). Under GDPR ePrivacy rules and iOS privacy policy, storing these identifiers requires prior opt-in consent, separate from app functionality consent.

Why it happens: Teams assume Firebase's consent prompt handles all identifiers; in reality, IDFA/GAID require explicit user permission in-app or system-level settings.

Consequence: iOS App Store rejection (Apple's privacy guidelines); GDPR enforcement action; inability to serve EU/EEA users compliantly.

Privacy policy clauses for Firebase Dynamic Links

What data Firebase Dynamic Links collects

When does Firebase Dynamic Links trigger privacy obligations?

Installation & Data Flow Start

Regulatory Triggers

First Concrete Step

Where data goes

Common compliance pitfalls

Pitfall 1: Failing to Disclose Attribution Parameter Collection

Pitfall 2: Missing Data Processing Agreement with Google

Pitfall 3: Collecting IDFA/GAID Without Explicit Consent

Legal note

Sample privacy policy clause

What regulators look for

DPA Audit Focus Areas

Enforcement Priority

Frequently asked questions

Do we need to disclose Firebase Dynamic Links in our privacy policy?

What specific data does Firebase Dynamic Links collect?

Does Firebase Dynamic Links require a cookie consent banner?

Who processes Firebase Dynamic Links data and where?

Don't ship without Bandit.