I’m trying to find out from the team. Patience please.
Also interested in this. It’s hard to find good info on GDPR and what it means for mobile apps using ads SDKs, analytics etc. Seems no one really knows basically…
@Chribbe, I’m not an expert but for ads and analytics SDKs, developers are probably not considered as the “data collectors” but more of “data viewers”. In the end, ads and analytics companies store all that data and probably, they will be the ones that need to compy with GDPR and not us. On the other hand, if you embed your own analytics system or collecting data of any kind, you’ll probably need to offer a new privacy policy that is in lines with GDPR.
Well, we can hope… But i’m not sure that will work out. Take a look at Googles new policy here for example, which i guess applies to Admob ads:
https://www.google.com/about/company/consentstaging.html
For Google products used on any site, app or other property that is under your control, or that of your affiliate or your client , the following duties apply for end users in the European Economic Area.
You must obtain end users’ legally valid consent to:
- the use of cookies or other local storage where legally required; and
- the collection, sharing, and use of personal data for personalization of ads or other services
Personally, I am more interested in
Developers: all information (including Personal Information) which is collected through an App as part of the Services is made available to the Developer of that App.
And yes, AFAIK, we are responsible for the 3rd party platforms we integrate into our apps. Just ensure your privacy policy is watertight and you specifically write about the plugins you use and what data they gather. Most are only IP which is fine. GDPR is more about personally identifiable information - name, age, location, email, etc.
I note Corona is totally avoiding my request for app stats (something I remember we used to have) and that we should be good devs and “just be patient”. If I promised something to my players and they didn’t get it I would be lynched in reviews!
From what i’ve read both IP and deviceIds are considered personal data by GDPR? And - even with a “watertight” privacy policy you would still need to collect end users consent, and store the date and info to be able to show that you’ve actually have the consent from the end user. But yea,it seems very unclear at the moment.
Generally a public privacy policy will state (words to this effect) “that by playing our games you agree to…” and then you include all the legal jargon required to indemnify you.
As long as your privacy policy is publically available on the app stores I believe, legally, you are covered.
If you demand email addresses, etc. then that is a different convo.
But still unanswered are
i) what all those network connections are from corona simulator (and by default our apps too)? I have profiled running corona apps and can see the same behaviour in compiled apps.
ii) where are the developer analytics you promise?
From the ad Networks that have GDPR already enabled I have noticed the following: after x amount of impressions (usually one or 2) the next interstitial or banner ad instead of being an ad will be a requesting permission dialog “ad” (for no better way to call it). The few times I have seen it is so awkward that I click no, but I still continue to receive ads (probably cheaper ads).
I was going to ask the question about Appodeal. Would each network have to show some sort of consent capturing dialog box or would you have a way to pass that the consent was acquired for all networks once? Interesting enough Appodeal already shows one consent capturing dialog box from Ogury if you enable it (or at least I assume so).
@agramonte, so now we need to ask for permission to show ads or is it just for SDKs’ targeting abilities?
@Chribbe, some publishers will clear that out soon before us but I guess we’ll need to include links to the SDKs’ privacy policies that we use, in the privacy policy link that we upload to the stores. Since it would be hard to always follow those pages if they’ve changed, this should be the logical way to go.
According to Admob, it is expected that the app not only asks for consent but also store the consent. Admob has plans to help in the future by showing consent free ads but initially expects the publisher record and store the consent.
You can read more here:
Here is an example of some consent UI that I have found:
I don’t have a choice since I have a bunch of users in Spain. So either I turn off my games in Spain or deal with this before May.
Adrian
It seems that it’s about targeting and I’m more than OK with that, I support the approach. Hope this becomes an industry standart worldwide in the near future. I don’t like the fact that ad companies are collecting data in the background silently.
Looking at the screenshots, it seems that it’s a feature that SDK’s are going to implement and we’ll probably make adjustments from their UI if we need to.
Here is Flurry’s state on GDPR. They seem to be tossing the ball to the developer.
I imagine a lot will “offload this responsibility to dev” and that sucks.
Personally, I use Google Analytics REST API (and not any plugins) so I control the data being sent so I have always anonymised that.
Does that mean there is nothing much to do for the developer that’s just collecting event data to analyse player behavior or are we legally responsible for SDKs’ behavior because we chose to integrate one?
Most of them are claiming they are “processors”. So either you do what SGS is doing use rest api and anonymized or you have to capture, store and then provide a mechanism for the user to remove consent.
This is from flurry you just linked.
Q: Do I need to update the Flurry SDK in my app for this?
A: In a processor role, Flurry assumes that the personal data that is sent to us has all the proper legal bases for its use in an Analytics capacity. What this means is that any Flurry SDK can be used to send personal data to Flurry as long as you have gained the proper legal basis to do so, whether via consent from the user, or another basis.
Here is the definition of personal data. I highlighted the important items for me. From most of what I have read “personal data” includes location (even if obtained from wifi), name (from game services for example), any Id (doesn’t matter if you generate it or not, if Google, Apple and/or corona provided it from an api).
Those types of personal data require explicit consent from the user and the ability for the user to remove consent. It isn’t enough anymore to have a privacy document somewhere stating that you are using the advertising id for ads, the vendor id to keep track of leaderboards or some random Id to keep track of achievements.
https://gdpr-info.eu/chapter-4/
Rec.32
Silence, pre-ticked boxes, inactivity, failure to opt-out, or passive acquiescence do not constitute valid consent.
Rec.26; Art.4(1)
“Personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifiersuch as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
So we will all be asking for permissions from now on, right at the beginning of the game / app etc. This is more strict than just writing “This site collects cookies” stuff.
“Directly or indirectly identifiable” is another strong term. For example, if I want to get initials from the player to submit on the leaderboard, does it make this data fall into this section? Also, when the Game Center and Game Services ids are falling into that category, that will make every single developer that integrates GPGS or Game Center responsible for even the basic stuff. I hope that using the GPGS id does not mean “collecting” in the eyes of EU.
I’m pretty confused at this point and I guess I’ll wait out a little before releasing the game we’re working on to see how other apps and games handle that stuff.
By the way, any updates on the Corona side for the data @sgs mentioned before?
@bgmadclown… I’m getting the feeling that this is a question that is “too difficult” to answer. And by that I mean Corona like to shout about providing devs with statistical data but they actually have zero ability to deliver this.
Typical marketing hyperbole unfortunately… hopefully I will be proved wrong?
10 days later and still no answer says it all really.