GDPR Compliance

OK so here is 3268…

li903.30.members.linode.com maps to corornalabs.com - IP is 45.56.101.30

s20522443.onlinehome-server.info maps to one of my servers

lhr35s02-in-fe4.1e100.net is a google domain - not sure on this one?

edge-star-shv-01-lht6.facebook.com maps to Facebook Ireland - again unsure why sim would be connected to Facebook?

Summary

My main concern is Corona is my only weak point - every other plugin I use is GDPR compliant. 

According to your own privacy policy you are collecting IP addresses (amongst other data) and that is private data as far as GDPR is concerned.

The simple solution for us all is Corona stops background harvesting of data.

@agramonte Google Analytics doesn’t so I recommend using that instead.  I cannot comment on the plugin as I go direct to Google Analytics so therefore I control what is sent.

Looks like Unity are tracking quite a lot of stuff too - https://twitter.com/glassbottommeg/status/986635257242796032

@SGS, if Google Analytics store the REST request IP addresses, don’t you still need a way to address that in your privacy policy to avoid violating GDPR?

Like this https://developers.google.com/analytics/devguides/collection/protocol/v1/parameters#aip

I didn’t know about that. Thank you :slight_smile:

I only send session start and session end events.  I used to track more granular data but quickly ran into the free limits of Analytics. 

They say 10 million per month but really started complaining at around 60 million per month.

Anonymizing IPs is necessary, but not enough. You can’t have a unique ID per user, not even a random number, because that now qualifies as PII. 

We are considering sharing a smaller number of random IDs (‘buckets’) among a large group of users in order to learn usage trends while not being able to pinpoint any one user’s behavior. We will be missing out on some measurements e.g. anything involving uniques, while still being able to see overall figures.

Anyone have comments on this approach? How big should a bucket be to consider the data non PII?
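An added sketch of the two mechanisms mentioned above, the Measurement Protocol `aip` flag and shared "bucket" IDs; it is not code from any poster or from Corona. The bucket count, the `bucket-N` client ID format and the `UA-XXXXX-Y` tracking ID are assumptions or placeholders.

```python
import random
import secrets
from collections import Counter
from urllib.parse import urlencode

NUM_BUCKETS = 1000  # assumption: tune to the size of your install base


def pick_bucket(num_buckets=NUM_BUCKETS):
    """Draw once at first launch and store locally; many installs share each value."""
    return secrets.randbelow(num_buckets)


def build_hit(tracking_id, bucket, session_control):
    """Form-encoded body for a Measurement Protocol v1 session start/end event."""
    if session_control not in ("start", "end"):
        raise ValueError("session_control must be 'start' or 'end'")
    return urlencode({
        "v": "1",                    # protocol version
        "tid": tracking_id,          # property ID (placeholder in the demo below)
        "cid": f"bucket-{bucket}",   # shared bucket ID instead of a per-user ID
        "t": "event",
        "ec": "session",
        "ea": session_control,
        "sc": session_control,       # session control: start or end
        "aip": "1",                  # ask Analytics to anonymize the sender IP
    })


def bucket_sizes(installs, num_buckets, seed=0):
    """Simulate random assignment; return (smallest, mean, largest) bucket size."""
    rng = random.Random(seed)  # seeded so the simulation is repeatable
    counts = Counter(rng.randrange(num_buckets) for _ in range(installs))
    sizes = [counts.get(b, 0) for b in range(num_buckets)]
    return min(sizes), installs / num_buckets, max(sizes)


if __name__ == "__main__":
    # Constructed demo values: placeholder tracking ID, 100,000 simulated installs.
    print(build_hit("UA-XXXXX-Y", pick_bucket(), "start"))
    print(bucket_sizes(100_000, NUM_BUCKETS))
```

Random assignment gives uneven buckets, so the smallest bucket rather than the mean is the number to look at when choosing a bucket count.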

@studycat what is the source for “You can’t have a unique ID per user, not even a random number, because that now qualifies as PII”?

As just about everything will require some form of unique identifier?  For sure, any game with an online element will need this.

I don’t track user activity - only on and off - so I hope I am OK.

Any ID that you can track and go back to see what that person did is personal data and requires explicit consent from that user. That includes IP, both ad ID and vendor ID from Apple, as well as any generated ID you create. This is from the regulation document. Name, ID number, location data or…

Rec.26; Art.4(1)

“Personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

I think maybe the hype (and threat of massive fines) somewhat clouds the judgement.  We are not Facebook and we do not sell our players’ data.  As long as we stick to the general principles I think we are fine.

I imagine they will take a top down approach and go for the bigger fish first.  We are minnows and we can feel safe in our little rock pool.

Let’s see how the big games handle things… If they generally pop a message about opting in then we should follow.

I agree that we won’t be sued first and we have some time to see what others do. I am fairly sure that AdColony will be one of the first to be sued since they claim that their data collection is essential. From their FAQ.

AdColony will not request nor require consent from a user in order to display advertisements. We believe that our legitimate interest is appropriate given the value we bring to sustaining a healthy ecosystem amongst users, advertisers, and publishers after having conducted a legitimate interest assessment.

What I find so interesting about this mess is what aggregators like Appodeal will do. Apparently AdColony doesn’t want a consent, but for example, Chartboost requires a consent. So what in the world would Appodeal do? 

Chartboost is a “Controller” with regard to the personal data that we process of European data subjects. Chartboost relies on its publishers to get consent for Chartboost to process such data.

I use deviceid as a unique identifier.  As this is device level it does not (I hope) classify as PII as it doesn’t technically identify a person and cannot be used to track a user across devices.

I also have FB integration and Google sign in but these are opt in.

For ads I only use Vungle (again these are also opt in) and they have confirmed they will be GDPR compliant http://vungle.com/gdpr-faq/.

So I am going with the above + a clear privacy policy which explains all this will be good enough.

That only leaves Corona harvesting PII as the problem.

@vlads

If Corona continues to collect any PII data (including any kind of unique identifier per user), then Corona developers must show a consent popup at app start, detailing what data is collected, what it is used for, and for how long it is stored.  As this data is sent to Corona servers, we developers don’t know the answers to these questions, so we can not reasonably present this popup to users. 

If a user does not consent to this popup, then we are obliged, under GDPR, to still allow the user access to the app - we can not quit the app if they don’t consent. This means Corona would need to accept that the user does not want their data collected, and not collect it. 

I propose that Corona allows app developers to decide whether or not Corona collects our users’ data, rather than deferring to our end-users for the decision.

We would be happy to pay an annual subscription to Corona in exchange for this guarantee.

I concur with @SGS that a device and a person are two different things. As long as the app has collected no personal information, all I know is that a “device” connected, etc. It gives me no personally identifiable information about the device owner that I can associate with that user.

-dev

Not sure why people think DeviceID is okay to use.  GDPR clearly states it’s classified as an identifier because it allows you to track a user’s actions.

IP, DeviceID, Username, or Real Name are all identifiers that must be consented to, have the ability to be deleted, and ability to opt-out completely.

Hi,

I’m not clear on how a device identifier that has no relationship to any information “to the physical, physiological, genetic, mental, economic, cultural or social identity of that person” falls into that category. But that’s just my opinion. I’m certainly not a lawyer.

I agree that seeing how the bigger publishers go about it will be telling.

-dev

I agree it will be interesting to see how big publishers handle it, and you would likely never get in trouble if you used Device ID.  But everything I’ve read points to device ID being equally sensitive as an IP address and that is personal data.

Check this article out, it provides good data about what is generally considered personal data: http://privacylawblog.fieldfisher.com/2015/getting-to-know-the-gdpr-part-1-you-may-be-processing-more-personal-information-than-you-think/

The important quote is here: “The GDPR makes clear that the concept of personal data includes online identifiers and location data – meaning that the legal definition of personal data now puts beyond any doubt that IP addresses, mobile device IDs and the like are all personal and must be protected accordingly.  This means that these types of data will now be subject to fairness, lawfulness, security, data export and other data protection requirements just like every other type of ‘ordinary’ personal data.”

I agree, kbradford. From all I have read about the law, it is clear deviceId, a random number or even a username is considered personal data. I know a lot of people don’t like to hear that because it makes things extremely complicated, but I have not seen anything written that would contradict that.

You can always go the AdColony route and say that yes, you are collecting personal data but that it is essential for the users of your app. I think you have a stronger footing with that argument than AdColony will ever have.