GDPR Compliance

Thanks @dave

Thank SGS

Just checking; This requires that you use the REST API, right?

Like @davebollinger mentioned above, I’ve also seen some indie titles following that approach. There is a warning message where the dev says “we collect data to show you tailored ads etc.” and you are asked to accept it to continue. There is not even a simple privacy policy link you can easily reach.

I’m not sure that it’s working as the EU expected. I guess it will work pretty loosely until someone gets fined or something. Other than that, big or small, devs don’t seem to care that much about GDPR.

I figure to do my best to comply with the GDPR stuff, so my apps don’t get pulled or banned from the app stores. So I am using the newest daily build of Corona and I am not doing any analytics for now - because I am not sure it is worth potential GDPR issues if I use analytics.

For ads I am using Appodeal, and somewhere here on the forums I found a module that I am using that posts a message from Appodeal explaining what they do and such, and asks the user to accept or decline. This Appodeal message only shows on first run of the app, because I save the choice the user makes and use that to init the ad manager on subsequent start ups… so at least my user only needs to be bothered with that distraction once - the first time they run the app.

I am releasing that app today on Google Play so we will see if that is sufficient to be GDPR compliant. I think it is.

Hi, here is a list of plugins my apps are using and I would like to know which ones are GDPR compliant if user does not give consent:

[“plugin.admob”] -> with hasUserConsent=false

[“plugin.tenjin”] -> with hasUserConsent=false

[“plugin.facebook.v4a”] -> used to call the publishInstall function so I guess no?

[“plugin.flurry.analytics”] -> used to log events so I guess no?

[“plugin.facebookAnalytics”] -> used to log events too  so I guess no?

[“plugin.OneSignal”] -> used to send push notifications so I guess no

[“plugin.google.iap.v3”] -> OK?

[“CoronaProvider.native.popup.social”] -> OK?

[“plugin.iCloud”] -> OK?

[“plugin.notifications”] ->OK?

[“CoronaProvider.gameNetwork.apple”] -> ???

[“plugin.gpgs”] -> ???

Seriously what a mess…

[“plugin.admob”] -> with hasUserConsent=false

According to the admob documentation even with the “hasUserConsent” flag as false you still need to ask consent before showing ads.

What? So if the user does not give consent, I can’t show ads? This can’t be?! xD

You need to understand what a global “no consent” means. That means 100% of your customers are going to see lower value non-targeted ads, even in countries that GDPR doesn’t impact.  If multiple developers take this “easy” route, it will have a huge impact on the overall eCPM value of AdMob ads. Google needs as many people to get consent as possible.

I know setting up a consent dialog is a bit of work. I know adding items to a settings screen and tracking the users choices is also a bit of work, but it’s your income and it’s the income of your upstream providers and it’s an impact all the way up the supply chain.

As for your other questions, GDPR is about giving users the choice for when their personal data is used. Game networking like GPGS and In-App purchases simply can’t work without personally identifiable data. There isn’t a way to say “No Consent” that makes any sense to someone trying to buy something in your app. Of course, you have to give the user the option to consent to these features, but you don’t need any plugin-side features. Simply do not initialize the plugin, don’t call any of its APIs and hide UI elements like a Leaderboard button if they don’t consent.

As for the notifications plugin, there isn’t any data collection with local notifications. However push notifications won’t work without a device ID so again, if the user doesn’t give you consent, don’t call the register device API. You would also not initialize OneSignal.

The social popup itself shouldn’t be collecting any data, and if the user chooses to click on a button that’s offered by it, the app that’s being selected would have its own responsibility to manage its own GDPR.

Rob
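The approach described in the posts above (save the user's choice on first run, then skip initializing any plugin the user did not consent to), as an added example that is not code from any poster or from Corona. It is plain Lua with a stub initializer; the file name, the consent category names and the `skip`/`flag` modes are assumptions for illustration.

```lua
-- Added example: consent-gated plugin start-up (plain Lua, no Corona APIs).
-- In a Corona app the path would come from system.pathForFile(); here it is
-- a plain relative file name (assumed).
local CONSENT_FILE = "consent.txt"

-- mode "skip": never started without consent.
-- mode "flag": started either way, with the user's choice passed along
--              (the thread's hasUserConsent case).
local plugins = {
  { name = "plugin.OneSignal",        needs = "push",        mode = "skip" },
  { name = "plugin.gpgs",             needs = "gameNetwork", mode = "skip" },
  { name = "plugin.flurry.analytics", needs = "analytics",   mode = "skip" },
  { name = "plugin.admob",            needs = "ads",         mode = "flag" },
}

local function saveConsent(path, choices)
  local f = assert(io.open(path, "w"))
  for category, granted in pairs(choices) do
    f:write(category, "=", granted and "1" or "0", "\n")
  end
  f:close()
end

-- Returns nil when the user has never been asked, so the caller can tell
-- "not asked yet" apart from "asked and declined".
local function loadConsent(path)
  local f = io.open(path, "r")
  if not f then return nil end
  local choices = {}
  for line in f:lines() do
    local category, value = line:match("^(%w+)=([01])$")
    if category then choices[category] = (value == "1") end
  end
  f:close()
  return choices
end

-- Calls init(name, granted) only for plugins allowed to start.
local function startPlugins(choices, init)
  local started = {}
  for _, p in ipairs(plugins) do
    local granted = choices[p.needs] == true   -- missing category = no consent
    if granted or p.mode == "flag" then
      init(p.name, granted)
      started[#started + 1] = p.name
    end
  end
  return started
end

local choices = loadConsent(CONSENT_FILE)
if choices == nil then   -- first run: the dialog goes here; answers below are constructed
  choices = { ads = false, analytics = false, push = true, gameNetwork = false }
  saveConsent(CONSENT_FILE, choices)
end
startPlugins(choices, function(name, granted)
  print(("init %s (hasUserConsent=%s)"):format(name, tostring(granted)))
end)
```

The same `choices` table can drive the UI, for example hiding a Leaderboard button when `gameNetwork` is false.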

I’m not really worried about the extra work but about the fact that agramonte is saying that even if I set hasUserConsent=false, I still have to get the user consent to display ads with admob, so basically I get a popup which looks like this:

Do you consent sharing personal data (to get ads)?

YES NO

Let’s be honest, who’s gonna press yes, once they realise pressing no will remove ads for free? xD

In my head it was:

-admob with hasUserConsent=false -> non targeted ads (low ecpm)

-admob with hasUserConsent=true -> targeted ads (better income)

But at least if a user refuses to give consent, he still gets non-targeted ads.

Am I wrong?

Also, I’m worried about analytics. Basically, if users don’t give consent, we can’t track them anymore to see which of the different user acquisition campaigns are efficient. (facebook publish install function or tenjin plugin). Also, as not 100% of users will give their consent, we’ll need more users to get significant metrics, so possibly more cost if you are paying user acquisition.

FWIW, I use google analytics (via REST API so I can opt out), I also use Vungle latest SDK and I automatically opt users out from targeted ads. Therefore I need no poxy “opt in” consent.

End result, no change on ad revenue (although ads for me is value added).

Don’t stress the details, if your ad network demands a crappy user opt in then maybe re-evaluate your ad network?  

@david.ciaudo, I don’t know if there is another case to that but as far as I know, not giving consent to an ad network means non-targeted ads.

Another article on GDPR: https://medium.com/droidsonroids/what-does-gdpr-mean-for-mobile-app-owners-12-use-cases-e047500772e3

I can understand AdMob not wanting you to just blanket choose non-targeted ads. If income is important to you, you should not want to do this either.

If you just choose to set hasUserConsent to false for everyone, that means your US customers, your EU customers and your other worldwide customers are not going to get more valuable ads. That means 100% of your customers are going to get diminished value ads. Since there isn’t a good way to determine if your user is in the EU or not, you can’t limit this decision to only those customers.

If you present your dialog to your users in the right way, you’re going to get people to opt in that you would otherwise be losing. It’s better on you to get as many of your users to opt in. Now think about this from Google’s perspective. They have perhaps hundreds of thousands of developers using their SDK. They make more money from targeted ads. If you and every other developer just choose to skip giving users a choice, you’re not only hurting your bottom line but hurting theirs. I can see why they are enforcing this.

You want to ask the users to opt in to ads that are more interesting to them, something that seems desirable instead of saying “we are going to track you and take your personal information”.  

Rob

I guess Corona needs to be GDPR compliant at some point as well as the ad networks and other plugins that collect data. According to the additional links in the article you provided, that seems to be the case.

I’ll bring it up to our team. I believe our privacy policy and privacy policy for App developers covers what we capture.

https://coronalabs.com/privacy-policy/

Rob

@Rob, I believe the OP was about Corona built apps and what the framework sends over the internet.

I can see the sim has 5 different network connections… what are these exactly?

I can only assume our compiled apps are constantly reporting to you too.

I understand @sgs, there is a link off of that privacy policy page for app developers. Here is that specific link:

Are we compliant with GDPR today? I have no idea. I’ve brought it up with the team who knows more about our analytics model than I do.

Rob

Ah I missed the link!

I notice this bit in the privacy policy page for app developers

Developers: all information (including Personal Information) which is collected through an App as part of the Services is made available to the Developer of that App.

Can we have access to this data then please?  I am sure we would all like that detail.

@sgs, I don’t know if the changes were made recently but that seems like there should be an analytics tool in place like it was introduced before.

WHAT PERSONAL INFORMATION DOES CORONA LABS COLLECT?

We collect the following types of information from you when you use one of our Developer’s Apps: the bundle id or package name of the app, your IP address (including country of origin), device operating system (including version), unique device identifier (“identifierForVendor” for iOS and tvOS or an Android code that uniquely identifies the device) not associated with any other personally identifiable information, and the current time each time you launch an App.

Cookies/SessionIDs – Although the Services do not place cookies on your device when you use an App, each time you launch an App, we assign a unique session ID (a “Session ID”) to that launch of the App which we associate with the other information that we collect during your use of the App during that launch session. We do not associate Session IDs with Personal Information.

So this raises the question of how do we access this valuable data that, supposedly, “is made available to the Developer of that App”?