From The Blog: Getting your Corona apps ready for GDPR!

Great news, Corona developers! Starting with daily build 2018.3286, metrics collected by Corona-made apps are now GDPR safe. We no longer collect any IDs or data points that would be considered personal data under these data regulations.

We will be updating our privacy policy to reflect these changes. Keep in mind that builds of Corona pre-2018.3286 are not GDPR compliant and if you have apps for sale in the EU they will need to be updated with 2018.3286 or later.

Q. What is GDPR?
A. GDPR stands for “General Data Protection Regulation”. It’s a law affecting businesses that are established in the European Union or that have end users based in the EU. It requires you to get explicit permission from users to collect private data and to manage that data. Businesses that don’t comply can face heavy fines.
Q. What if I want to continue to use a public build or older daily build?
A. Then you will still need to update your apps and present the user a dialog box asking for permission for Corona to collect data in addition to any other services that you need to also ask permission for.
Q. What is the best way to know if my user is in the EU?
A. Because users travel or may use technologies like VPNs, there is no reliable way to determine if a resident of the EU is in the EU. Also, other privacy laws are changing to be more stringent in additional areas. It’s best to ask all users for this permission.
Q. What do I need to do to get permission from our app users?
A. There are several steps you need to complete to give your users the opportunity to control their data.
  1. Present a dialog to your users explaining that you’re using third-party services that collect private data.
  2. Make sure to include a link to your privacy policy. To save space in your dialog, your privacy policy should link to the privacy policies of any service you’re using.
  3. Your dialog can present the user an on/off switch for each service to allow the end user to choose which services they want to grant permission to or decline permission. That switch should default to off since the intent is to get “opt-in” from the end user. See the UK’s Information Commissioner’s Office document on GDPR Consent.
  4. Store the settings locally so you can remember their choices. Saving the settings online will require you to store personal data and you would have to ask permission for that.
  5. On a settings screen, include options to allow the user to select to turn on or off permissions.
  6. When the user changes their mind, then your app can react to those changes.
  7. For now, if a user declines to use a service, simply use “if” statements to not initialize the plugin or call any methods of that plugin. If they later change their mind, then you can initialize the plugin and call its methods.
  8. As services update their SDKs to offer GDPR management APIs and we update our plugins to support them, you can update your apps to add support. As an example, Appodeal’s new SDK will support showing non-targeted ads to users who don’t grant permission and higher quality ads to those who grant permission. There will be a way to let Appodeal’s SDK know if the user has granted permission or not.
Q. What changes do I need to make to take advantage of a plugin’s GDPR features?
A. Unfortunately every plugin provider is implementing this in radically different ways. Some will require you to pass a consent parameter on an initialization call, others are handling their own permission, others will have methods in their SDK to manage data. As we update the plugins to be GDPR compliant, we are also updating each plugin’s documentation. There should be a yellow note near the top of each plugin’s page that points you to GDPR additions to be aware of.
Q. How will I know when a plugin has been updated?
A. The best way is to check the documentation page and look for the GDPR note at the top of the document.
Q: Where can I learn more about GDPR compliance?
A: See the following:

Corona is committed to making sure you can be compliant with these laws. If you have questions about this, please ask in our Community Forums.
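
The consent steps in the post (switches that default to off, choices stored locally, `if` checks around plugin initialization, reacting when the user changes their mind), as an added Lua example for Corona that is not code from Corona Labs or from the post. The file name, the service keys and the body of the ads initializer are hypothetical.

```lua
-- Added example (not Corona Labs code). FILE and SERVICES are hypothetical names.
local json = require( "json" )
local consent = { choices = {}, asked = false }
local FILE = "consent.json"
local SERVICES = { "ads", "analytics" }
local initializers, started = {}, {}
local function filePath() return system.pathForFile( FILE, system.DocumentsDirectory ) end

-- Load saved choices. A missing, corrupt or non-boolean entry counts as "off" (opt-in).
function consent.load()
    local saved
    local f = io.open( filePath(), "r" )
    if f then saved = json.decode( f:read( "*a" ) ); f:close() end
    consent.asked = ( type( saved ) == "table" )  -- false on first run: show the dialog
    if not consent.asked then saved = {} end
    for _, name in ipairs( SERVICES ) do
        consent.choices[name] = ( saved[name] == true )
    end
end

-- Start each registered service at most once, and only after the user opted in.
function consent.apply()
    for name, initFn in pairs( initializers ) do
        if consent.choices[name] and not started[name] then
            started[name] = true
            initFn()
        end
    end
end

-- Called from the first-run dialog and from the settings screen switches.
function consent.set( name, granted )
    consent.choices[name] = ( granted == true )
    local f = io.open( filePath(), "w" )  -- stored on the device only, never uploaded
    if f then f:write( json.encode( consent.choices ) ); f:close() end
    consent.asked = true
    consent.apply()  -- a user who opts in later gets the plugin initialized now
end

function consent.allowed( name ) return consent.choices[name] == true end
function consent.register( name, initFn ) initializers[name] = initFn end

-- Usage in main.lua:
consent.register( "ads", function()
    -- require and initialize the ad plugin here, as its documentation describes
end )
consent.load()
consent.apply()
-- Guard every later plugin call: if consent.allowed( "ads" ) then ... end
```

After a user switches a service off, `consent.allowed()` returns false, so guarded calls stop even though the plugin was initialized earlier in the session.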


Is it true that all Corona apps need to implement this even though no ad plugin is used? Appodeal is still collecting user data in the background, right?

Appodeal is considered an Ad plugin.  If you’re not including ads, you won’t need to get permission for the ads. If you update to the daily build of Corona, you can update without asking for permission. But if you’re using Game Center, IAP, Google Play Games Services, you will probably still need to collect permission.

While Appodeal owns Corona and we share some resources, when it comes to GDPR, we need to be looked at as two different companies.

Rob

Thanks for the clarification, Rob!

Just to be clear for my understanding, if I’m not using ads but IAP, I should provide my own privacy policy and also link to privacy policies from any other third-party services being used, including Corona Labs?

Cheers,

David

Hello Rob,

I understand that CoronaLabs and Appodeal as well are interested in having metrics about the usage and spread of Corona-made apps. Starting with build 2018.3286, the collected data is GDPR compliant. That’s fine! But just in case, is there a way to opt-out? Or do Corona apps always talk back home? In this case, wouldn’t it be correct to mention this in the app’s data protection information? 

Cheers, Simon

Are you sure about Game Center and GPGS? Hasn’t the user’s consent already been demanded on Apple’s or Google’s side in this case, by registering for that service?

Same with IAP?

Hi Simon, the data we collect is simple metrics like Daily Active Users (DAU), MAU, #sessions, etc. There is not a way to opt out. This is data that we need. You can assume these apps will call back to our stats server. As of the current privacy rules, and the data we are collecting, you should not need to ask permission to collect it. But you should have a privacy policy on your website somewhere that details your privacy. You can mention Corona there if you wish and link back to our privacy policy for developers and make it clear that we are not collecting any private data.

Rob

"8. As services update their SDK’s to offer GDPR management API’s and we update our plugins to support them, you can update your apps to add support. As an example, Appodeal’s new SDK will support showing non-targeted ads to users who don’t grant permission and higher quality ads to those who grant permission. There will be a way to let Appodeal’s SDK know if the user has granted permission or not. "

Hi, I need a clarification about this: I’ve downloaded and used the Corona SDK sample from Appodeal for requesting consent, here: https://github.com/coronalabs/plugins-sample-appodeal/tree/gdpr.

I can’t find the parameter for sending the customer’s consent/permission after he has been asked for it, which would be (I suppose) in the Appodeal plugin’s init method, neither in the Appodeal sample nor in the Corona documentation about the plugin (here http://docs.coronalabs.com/plugin/appodeal/init.html and in the other related pages).

So, what is the name of the parameter that I should use for sending consent?
Maybe it’s my oversight, and in that case I’m sorry for my mistake.

Thank you

 

It seems that this will be available in Appodeal version 2.3.3, which will hopefully be released today.

@nadar, @philipp3 is correct. This depends on Appodeal 2.3.3 which we have not released yet. We are working on getting this plugin updated.

Rob

Hey guys.

The release is ready, but … it’s not that simple. Due to some Appodeal’s stable/beta versioning correction, we are waiting for their call to release a new stable update and docs update with all needed information. Just a little inside info for ya, stay tuned.

Ok, thank you Rob and philipp3. I’ve seen that Google is in the same situation with the Consent SDK for AdMob, not released yet even though expected for mid-May. Let’s hope, thank you in any case.
 

ok, thank you very much!

Hello!

If we want our application to be GDPR ready for iOS, with Appodeal, we have to use the beta version of Corona Appodeal plugin, right?

That way we will drop support for all 8-10.02 iOS users! Any chance to get hasUserConsent soon… like really really soon???

Thank you!

I’ll see what I can find out.

Rob

Hi PewPewNinja,
 

"If we want our application to be GDPR ready for iOS, with Appodeal, we have to use the beta version of Corona Appodeal plugin, right?"

Yes, as stated by Appodeal, that’s the only way to use the new APIs for now. Appodeal dropped support for them on stable. We’ve even prepared an update earlier, but obviously can’t release it. Maybe some other stable SDK will include GDPR compliance APIs.
 

"Any chance to get hasUserConsent soon… like really really soon???"

Latest Corona Appodeal modular plugin beta gives you that ability already.
 

I was thinking about hasUserConsent for stable but I failed to explain it like I had it in mind :)

You gave me the answer though, thank you.

One more thing please, because I got two different answers from Appodeal support.

Am I allowed to set hasUserConsent = false and not show the consent dialog?

Well, I’m no expert in this stuff, but I guess you can do that, since basically no user gave you his consent, which is analogous to hasUserConsent = false.

Thank you!

That’s what I think too and already done for my customers who asked for it.

If the iOS-app does only show ads with hasUserConsent = false, am I required to check the box “app uses Ad-ID (IDFA)” in the App Store upload process?