GDPR Compliance

And so it begins…

Not entirely sure what to do about it though as I have no access to that user’s FB account?!

Is that because you have “Login with Facebook” or is there something else?

I don’t think we’ve addressed GameCenter, GPGS, In-App purchases. We don’t collect that data, so it would be your responsibility to link to the various privacy policies and it seems like an all or nothing opt-in for your users. That is, if they decline consent for GPGS for example, simply don’t initialize it. My understanding was those services would offer their own consent. You can’t exactly use GameCenter, GPGS or IAP without some personally identifiable ID being collected.

Rob

Thanks Rob,

This is good. So does this mean we need to ask the user to give consent on different items individually, like for GPGS, IAP, ADS, etc.?

It is the intent of the EU to be as granular as possible.  You probably could get away with a global consent form that grants consent for everything to save you time, but the more permission you ask for in a big batch, the more likely a user will say no. If you ask for each item or at least group of items (permission for ads, permission for analytics, permission for IAP, etc.) 

What you do is up to you. We are not lawyers and cannot provide anything that resembles legal advice.  You might want to visit our blog at https://coronalabs.com and read our previous posts on GDPR where we link to resources that can answer many of these questions.

Rob

Hi Rob,

I am aware that these services are collecting data and we need to ensure consent is collected if we want to continue using these services. My question is, when Corona packages these plugins and makes them available to everyone on the Marketplace (whether the plugin is free or paid), is there additional data that is collected by Corona when the plugin is used in our apps?

Ben

My biggest issue now is with analytics services. I read Yoger Game’s data policy (http://www.yogergames.com/data-policy/), and in the Analytics section it states, “…The analytics data collected is anonymous and is not personal data. At first startup of an app we generate a random unique identifier which does not contain any personal information, and cannot be used to uncover any such information.”

In reference to Yoger’s use of GA, the last two sentences contradict one another, because it is clearly stated that random unique identifiers are PII under GDPR and for games that target kids under whatever the legal age for that country, parental consent is required.

I am making kids apps too and if I really want to be compliant with GDPR-K and COPPA - based on my current reading and research, there isn’t any analytics service out there we can use without getting parental consent (which in itself is a dire quest).

Going down this path, it seems that the only analytics we can work on from now onwards will be what the app stores give us…

Ben.

Yoger and I go about it the same way. Per-app (not per-user), we generate a UUID. Then we use that UUID together with an anonymized IP address. IMHO, there is no way that can be used to identify anyone, or even build a profile of interests for that UUID (since it is only used for that one app)

Let’s say Google Analytics accidentally leaks their data. You won’t be able to map that random UUID to any other data set. You won’t be able to map the anonymized IP address to any other data set.

Ben, starting with daily build 3286, we stopped collecting anything that fell into the personal ID category (IP address, IDFV, the Android equiv). (Note, you should use 3301 or later since we fixed some build bugs on older iOS and Android versions).  If you use a community made plugin, we don’t control the source to that plugin and it’s up to the vendor to make sure their plugin is GDPR compliant. And for plugins we have control over the plugin source, once we call the third-party SDK, we no longer have control over what that SDK does.

Rob

Thanks for explaining the method.

Have you rolled out a consent form for your apps? Can you share what your consent form looks like?

Do you use a single tick/action to consent all? Or do you use individual ticks/actions for each plugin?

What is the average % of parents giving you consent?

Ben

Thanks Rob, just want to confirm the plugins are not collecting additional data.

Ben.

Do you have any sample code on how you anonymized IP address before sending it to GA?

Ben.

Ben: https://support.google.com/analytics/answer/2763052?hl=env . Set aip=1

I’m using this code: https://bitbucket.org/Jonjonsson/google-analytics-for-corona-sdk/src/master/
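
Added example, not part of the posts above and not taken from the linked library: a plain-Lua sketch of the approach described in this thread, a random per-install UUID sent as the Measurement Protocol client id together with `aip=1`, and nothing sent unless analytics consent was given. `TRACKING_ID`, the app name `MyGame`, the function names and the `consentGranted` flag (assumed to come from your own consent dialog) are placeholders.

```lua
-- Added example; all names and values below are placeholders.
local TRACKING_ID = "UA-XXXXXXX-Y"   -- placeholder property id
local ENDPOINT = "https://www.google-analytics.com/collect"

-- Random version-4 UUID. It is derived from nothing on the device
-- (no IDFV, no advertising id), so it only has meaning inside this app.
-- math.random is not a CSPRNG; acceptable here because the id is not a secret.
local function newClientId()
    local template = "xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx"
    return (template:gsub("[xy]", function(c)
        local v = (c == "x") and math.random(0, 15) or math.random(8, 11)
        return string.format("%x", v)
    end))
end

-- Percent-encode everything except unreserved URL characters.
local function urlEncode(s)
    return (tostring(s):gsub("[^%w%-_%.~]", function(ch)
        return string.format("%%%02X", string.byte(ch))
    end))
end

-- Returns the POST body for a screenview hit, or nil when the user
-- has not consented to analytics (in which case nothing is sent).
local function buildScreenHit(consentGranted, clientId, screenName)
    if not consentGranted then return nil end
    local fields = {
        { "v", 1 }, { "tid", TRACKING_ID }, { "cid", clientId },
        { "t", "screenview" }, { "an", "MyGame" }, { "cd", screenName },
        { "aip", 1 },  -- ask GA to anonymize the sender's IP address
    }
    local parts = {}
    for i, kv in ipairs(fields) do
        parts[i] = kv[1] .. "=" .. urlEncode(kv[2])
    end
    return table.concat(parts, "&")
end

math.randomseed(os.time())
local clientId = newClientId()  -- generate once and store it; do not regenerate per launch
local body = buildScreenHit(true, clientId, "MainMenu")
-- `network` exists only inside Corona; the guard lets this run in plain Lua too.
if body and network then
    network.request(ENDPOINT, "POST", function() end, { body = body })
end
```

If consent is later withdrawn, delete the stored client id as well as stopping the hits, so a new id is generated if the user opts in again.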

Thanks for the links. :slight_smile:

Hi perflubron,

I can’t create a new “mobile app” property on Google Analytics. It keeps asking me to link to Firebase and integrate the Firebase SDK.

How do you do it for your new apps?

Ben

Been a while since I created a new app, back then it worked :/ 

Sorry

Maybe I need to recycle an old inactive id.

Ben

@gamebit set it up as you would do for a website and then set up a view that is “mobile app”

Humorous (?) aside:  my son launched Rovio’s Angry Birds Epic for the first time in a few weeks, and got a pop to accept their TOS.  Just an “accept” button, and a “read tos” button, that’s it.

(there are other more-deeply buried opt-out buttons etc, but before you can even go hunting for them you’ve got to slog through TOS)

So, curious, I took a look at their TOS, and oh my, what a steaming pile of legalese rubbish it has become.

I think the net effect of GDPR will be to render terms/privacy notices unreadable to the average non-lawyer human!  :smiley:

ref Rovio’s terms, privacydata, faq

fwiw, in case you find a need to diy, there is some code here