How can I add a "I accept the terms & privacy policy" checkbox to Google Firebase Authentication UI?

GDPR in the EU requires us to have an opt-in checkbox for the "terms" and "privacy policy" users accept when signing up. Using the Firebase Authentication UI (FirebaseUI), I don't get this by default. How can I add such a checkbox to FirebaseUI?

To clarify: The tosUrl provided by FirebaseUI is not enough for this. The GDPR requires clear, unambiguous and affirmative consent – in short: they need to actively check a checkbox. We can't just accept terms implicitly by signing up.

So how do I get an (unchecked) checkbox for users to accept terms and privacy policy? Or do I really have to build a custom UI? I can't believe that Google would not support the GDPR…

morgler, asked Apr 21 '18 14:04


2 Answers

FirebaseUI provides the parameter tosUrl, which links to the terms of service page. Example:

var uiConfig = {
  signInSuccessUrl: '<url-to-redirect-to-on-success>',
  signInOptions: [
    // Leave the lines as is for the providers you want to offer your users.
    firebase.auth.GoogleAuthProvider.PROVIDER_ID,
    firebase.auth.FacebookAuthProvider.PROVIDER_ID,
    firebase.auth.TwitterAuthProvider.PROVIDER_ID,
    firebase.auth.GithubAuthProvider.PROVIDER_ID,
    firebase.auth.EmailAuthProvider.PROVIDER_ID,
    firebase.auth.PhoneAuthProvider.PROVIDER_ID
  ],
  // Terms of service url.
  tosUrl: '<your-tos-url>'
};

Then, upon signing in, it tells the user that by clicking the Sign in button they accept the terms and conditions.

More info here:

https://github.com/firebase/firebaseui-web

Peter Haddad, answered Oct 25 '22 08:10
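Added example, not code from the question or from either answer: a consent gate that leaves the FirebaseUI widget unstarted until an initially unchecked checkbox is ticked, and records which policy version the user accepted at sign-in, so the consent is both affirmative and demonstrable. The names createConsentGate, buildUiConfig, recordConsent and POLICY_VERSION are assumed helpers; tosUrl, privacyPolicyUrl, callbacks.signInSuccessWithAuthResult, ui.start and ui.reset are FirebaseUI's own options and methods.

```javascript
// Constructed value: bump it whenever the ToS or privacy policy text changes,
// so stored consent records can be tied to the exact version that was shown.
const POLICY_VERSION = '2018-04-21';

// Build the FirebaseUI config. providerIds are firebase.auth.*.PROVIDER_ID constants;
// recordConsent(uid, record) is an assumed callback that persists the consent
// (e.g. to a database) and is called once the account actually exists.
function buildUiConfig(providerIds, tosUrl, privacyUrl, recordConsent) {
  return {
    signInOptions: providerIds,
    tosUrl: tosUrl,
    privacyPolicyUrl: privacyUrl,
    callbacks: {
      signInSuccessWithAuthResult: function (authResult) {
        recordConsent(authResult.user.uid, {
          policyVersion: POLICY_VERSION,
          acceptedAt: new Date().toISOString(),
          method: authResult.additionalUserInfo && authResult.additionalUserInfo.providerId,
        });
        return false; // no automatic redirect; the app decides where to go next
      },
    },
  };
}

// Wire an unchecked <input type="checkbox"> to the widget: ui is a
// firebaseui.auth.AuthUI instance, containerSelector the widget's element.
// The widget is started only after the user's affirmative action, so no
// sign-in flow is reachable before consent; unticking before sign-in tears it down.
function createConsentGate(ui, containerSelector, uiConfig) {
  const state = { consented: false, started: false };
  return {
    state,
    // Call from the checkbox's change listener: onChange(event.target.checked)
    onChange(checked) {
      state.consented = Boolean(checked);
      if (state.consented && !state.started) {
        ui.start(containerSelector, uiConfig);
        state.started = true;
      } else if (!state.consented && state.started) {
        ui.reset();
        state.started = false;
      }
      return state.started;
    },
  };
}
```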


First of all, this

GDPR in the EU requires us to have an opt-in checkbox for the "terms" and "privacy policy" users accept when signing up.

is not true.

"Explicit" consent is required only for processing sensitive personal data; in this context, nothing short of "opt in" will suffice (Art 9(2)). Quote from here:

1. When relying on consent to process personal data, consent must be explicit: WRONG! This was a hotly debated topic during the passage of the GDPR, but the final text requires that consent must be "unambiguous", not "explicit" (Art 4(11)). Explicit consent is required only for processing sensitive personal data - in this context, nothing short of "opt in" will suffice (Art 9(2)). But for non-sensitive data, "unambiguous" consent will do - and this allows the possibility of implied consent if an individual's actions are sufficiently indicative of their agreement to processing.

More on explicit / unambiguous consent in the context of the GDPR can be found here.

Marian Paździoch, answered Oct 25 '22 07:10