GDPR Compliance

@Corona: We really need some info on this now - we’re working on getting our games ready for the deadline in 30 days, and we need to build out new versions of all of them and get them live on the stores before that. So we urgently need to know what data/stats Corona is collecting through our games, and that Corona is complying with all the responsibilities that come with doing this, so that we can plan for it and add it to a consent dialog, or preferably just make sure Corona is not collecting any user info.

@SGS Agree with others here - from what I understand deviceID definitely requires consent (and for pretty good reasons as well - you’re likely the only one using a device, and it’s also likely that many services you are signed up for have connected your name and other personal info to your device ID already). Maybe you could just save a randomly generated number instead on first startup that you would store locally on the phone. It would be unique just for one install of your game and you can’t do any cross stats of users between apps - but it should be good enough for stats etc.

@Chribbe if deviceID is counted as PII then any random number would be too, as it would have to be unique and therefore identify a particular user.

My games only save to my servers when players reach level 10 (saves filling up the DB with non-serious players), so if I was to show consent then I could time it with a “would you like your game backed up…” style message. This should be a positive for the player rather than a “we are tracking you…” style message.

But the issue is Corona logging data.

Curiously, my FB app asked for permissions for this and the only options were “accept their terms” or “delete Facebook”.

@SGS that is a great idea. For people who play once or twice there is no need to show or store anything.

Our team is trying to determine the data that we are collecting. We are working on this as fast as we can.

Rob

Regarding Google Analytics, and what identifier is safe to use: after reading a lot about GDPR recently I have come to the conclusion that a random UUID per app cannot possibly be considered personally identifiable information.

My approach for GA is thus:

  • Anonymize the IP

  • Generate a UUID on first launch of the app, and use it for GA tracking

This means if user Bob has 3 of my apps then he will have 3 UUIDs. My stats (such as MAU) per-app will be correct, but for the portfolio as a whole the number will be inflated a bit.
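The two steps above (a per-app ID generated on first launch and stored locally, and an anonymized-IP analytics hit) as an added Python example; this is not Corona/Lua code and not code from the post. It assumes the ID lives in a file in the app's private storage and that the backend is the Universal Analytics Measurement Protocol, whose `cid` (client ID) and `aip` (anonymize IP) parameters it sets.

```python
"""Per-app install ID plus an anonymized-IP Google Analytics hit.

Added example in Python (not Corona/Lua, and not code from the post above).
Assumed: the ID is kept in a file in the app's private storage, and the
analytics backend is the Universal Analytics Measurement Protocol (v=1),
whose `cid` and `aip` parameters are used below.
"""
import os
import tempfile
import uuid
from urllib.parse import urlencode


def load_or_create_install_id(path: str) -> str:
    """Return the install ID stored at `path`, creating a random one on first launch.

    uuid4 comes from the OS CSPRNG, so it encodes nothing about the device,
    account or other apps and cannot be recomputed by anyone else.
    Uninstalling the app (and its private storage) destroys it.
    """
    try:
        with open(path, "r", encoding="ascii") as fh:
            parsed = uuid.UUID(fh.read().strip())
        if parsed.version == 4:
            return str(parsed)
        # Anything else (e.g. a device ID that crept in) is discarded.
    except (FileNotFoundError, ValueError):
        pass
    new_id = str(uuid.uuid4())
    tmp = path + ".tmp"
    with open(tmp, "w", encoding="ascii") as fh:
        fh.write(new_id)
    os.replace(tmp, path)  # atomic rename: never a half-written ID file
    return new_id


def build_ga_hit(tracking_id: str, client_id: str, category: str, action: str) -> dict:
    """Measurement Protocol event hit; aip=1 tells GA to zero the last IP octet."""
    return {
        "v": "1",
        "tid": tracking_id,
        "cid": client_id,   # the per-app install ID, never a device ID
        "aip": "1",
        "t": "event",
        "ec": category,
        "ea": action,
    }


def encode_hit(params: dict) -> str:
    """URL-encode the hit as the body of a POST to the collect endpoint."""
    return urlencode(params)


def demo() -> dict:
    """Exercise the functions in a scratch directory and return what to check."""
    root = tempfile.mkdtemp()
    app_a = os.path.join(root, "app_a_install_id.txt")
    app_b = os.path.join(root, "app_b_install_id.txt")
    first = load_or_create_install_id(app_a)
    second = load_or_create_install_id(app_a)  # same app: same ID
    other = load_or_create_install_id(app_b)   # other app: unrelated ID
    with open(app_a, "w", encoding="ascii") as fh:
        fh.write("not-a-uuid")                  # corrupted file is replaced
    repaired = load_or_create_install_id(app_a)
    hit = build_ga_hit("UA-00000000-1", second, "game", "level_10")
    return {
        "stable": first == second,
        "per_app_distinct": first != other,
        "version4": uuid.UUID(first).version == 4,
        "repaired_is_uuid": uuid.UUID(repaired).version == 4 and repaired != first,
        "hit": hit,
        "encoded": encode_hit(hit),
    }


if __name__ == "__main__":
    print(demo())
```

In a Corona app the file path would come from system.pathForFile("install_id.txt", system.DocumentsDirectory), which is the app's private documents directory. The point of the version check and the atomic rename is that the stored value can only ever be a random v4 UUID this app wrote; a device identifier or a half-written file never becomes the analytics key.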

@perflubron your assumption is not correct. It is written in the document in Article 4 under the definition of personal data: generated IDs are personal data. Again, as I have stated before, the likelihood of anybody coming after you because you are using a GUID to track nothing really traceable is really small.

@agramonte I’ll agree to disagree :slight_smile: (given anonymous IP combined with a generated ID for each app, and that generated ID only lives on the user’s device). Could you link to your source?

I read about pseudonymous data here, perhaps that is what you think affects me (https://iapp.org/news/a/top-10-operational-impacts-of-the-gdpr-part-8-pseudonymization/)? The difference in my case is that I’m not taking a real ID and then separating it from the data. I’m sending the data with an anonymous ID in the first place.

But I’m no lawyer. 

Anyway, I was inspired to write up my overall approach for GDPR compliance in a Medium story: https://medium.com/@perhaglund/how-i-hope-to-make-my-apps-compliant-with-eu-gdpr-and-gdpr-k-e37578fa6ecd

Article 4 definition:

https://gdpr-info.eu/art-4-gdpr/

Interpretation from a law firm. How is your GUID number any different than a generated cookie? 

https://privacylawblog.fieldfisher.com/2015/getting-to-know-the-gdpr-part-1-you-may-be-processing-more-personal-information-than-you-think

Another law firm in the UK with a list of personal data (your ID falls into that category):

https://cybercounsel.co.uk/pd/

(MAC) address or other host-specific persistent static identifier that consistently links to a particular person or small, well-defined group of people

My ID is only readable by the app where it was generated. No other app knows about that ID - unlike a cookie. There is no data in the app associated with that ID - unlike a cookie, which holds data. The ID is not persistent - unlike a MAC address. Really there is no way it could be used to identify an individual. It would be like a user having a different device for each app they use, and never browsing the web from any of those devices. And, to continue the analogy, they destroy the device when they want to stop using the app.

@per so are cookies (only readable by the source). It is when a third-party cookie, say FB, is dropped that it can be used to track you around the internet by the third party.

I stand by it that an internal ID (deviceID or similar) doesn’t identify the person but the device, and is therefore basically harmless in this respect. An entire family might share an iPad, for example. I think it is unwise to worry about this unnecessarily… after all, I doubt any of us are misusing our customers’ data, are we?

Also to be noted is “no-one is going to be coming for you” and if they did they would be totally taking a top-down approach. 

The massive fines are in respect to data breaches of personal data and as I am not storing anything personal any potential breach would simply consist of game data - i.e. some integers, doubles and the odd string or two.

@per cookies don’t need data and are associated only with the device or browser they are running on. They are still considered personal data. Look at IDFV on Apple devices. Again, it is an ID generated per device per vendor. You install your app and re-install it on another device and that ID is different. Again, considered personal data.

I agree with @sgs 100% here. The law is not after us. I don’t think we intend any malice or gains from this data. If your scheme is permitted it would allow big companies to use the exact same scheme to continue what they do today. That you are not doing it, or don’t plan on selling or providing services based on that data, does not change the fact that the law still defines it as personal data. The intent of the collection does not make it permissible.

It’s not the same thing though as the device ids and cookies etc are the same between different services and apps. Let’s say the device id of a famous politician is posted online after a security leak. Then everyone who stored that device id would be able to connect it to that person and whatever weird stuff that politician did would get out. With a locally random generated id just used by your app (like @perflubron described) this couldn’t happen.

Oh btw, I remember when OpenFeint leaked identities of a few million device ids back in 2011. 

https://corte.si/posts/security/openfeint-udid-deanonymization/index.html
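The linkability point made above (a device ID shared across apps can be joined against a leak, a locally generated per-app ID cannot) as an added Python example; this is not code from the thread. Every identifier, person and record in it is constructed sample data, and the "leak" is a fictional mapping of the shape the OpenFeint post describes. It also covers one case the discussion does not: hashing the device ID before sending it, which does not help.

```python
"""Why a shared device ID is linkable and a per-app random ID is not.

Added example in Python, not code from the thread above. Everything here is
constructed sample data: two fictional apps, three fictional devices, and a
fictional "leak" mapping device IDs to people (the OpenFeint incident linked
above was a leak of this shape, mapping UDIDs to profiles).
"""
import hashlib
import uuid

LEAKED = {
    "a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2": "politician@example.org",
    "ffffffffffffffffffffffffffffffffffffffff": "someone@example.com",
}
DEVICES = list(LEAKED) + ["0000000000000000000000000000000000000000"]  # never leaked
APPS = ("puzzle_game", "diet_tracker")


def make_records(key_for):
    """Analytics rows from two unrelated apps, keyed by key_for(device, app)."""
    return [{"app": app, "user_key": key_for(dev, app), "event": "session"}
            for app in APPS for dev in DEVICES]


def reidentify(records, leaked, transform):
    """Join the rows against the leak. The attacker may apply the same
    transform (e.g. a hash) to the leaked IDs that the app applied to its keys."""
    lookup = {transform(dev): person for dev, person in leaked.items()}
    hits = {}
    for rec in records:
        person = lookup.get(rec["user_key"])
        if person:
            hits.setdefault(person, set()).add(rec["app"])
    return hits


def cross_app_links(records):
    """Keys that occur in more than one app: these let two datasets be joined
    even without any leak."""
    apps_by_key = {}
    for rec in records:
        apps_by_key.setdefault(rec["user_key"], set()).add(rec["app"])
    return {k: apps for k, apps in apps_by_key.items() if len(apps) > 1}


def run_scenario(scheme):
    """Return (re-identified people, cross-app links) for one keying scheme."""
    if scheme == "device_id":
        key_for = lambda dev, app: dev
        transform = lambda dev: dev
    elif scheme == "sha256_device_id":
        # Hashing a persistent ID is not anonymization: the hash is
        # deterministic, so whoever holds the leaked IDs hashes them too.
        key_for = lambda dev, app: hashlib.sha256(dev.encode()).hexdigest()
        transform = lambda dev: hashlib.sha256(dev.encode()).hexdigest()
    elif scheme == "per_app_random":
        # The device keeps a fresh uuid4 per app; nothing derives it from the
        # device ID, so the attacker has no transform that reaches it.
        cache = {}
        key_for = lambda dev, app: cache.setdefault((dev, app), str(uuid.uuid4()))
        transform = lambda dev: dev
    else:
        raise ValueError(f"unknown scheme {scheme!r}")
    records = make_records(key_for)
    return reidentify(records, LEAKED, transform), cross_app_links(records)


if __name__ == "__main__":
    for scheme in ("device_id", "sha256_device_id", "per_app_random"):
        people, links = run_scenario(scheme)
        print(scheme, "re-identified:", sorted(people), "cross-app keys:", len(links))
```

With the raw or hashed device ID, both leaked people are re-identified in both apps and all three devices join across the two datasets; with the per-app random ID, nothing joins and the leak matches no row. The unsalted hash case is worth noting because "we only store a hash of the device ID" is a common but mistaken answer to exactly this question.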

No. IDFV is not the same even between vendors, much less on the same device.

Declaration

var identifierForVendor: UUID? { get }

Discussion

The value of this property is the same for apps that come from the same vendor running on the same device. A different value is returned for apps on the same device that come from different vendors, and for apps on different devices regardless of vendor.

Again, the intent is not a part of the definition, or what you think or don’t think it is used for. A username is considered personal data. Agramonte, which I use to log into these forums, is on the list of personal data and needs to be protected as such. If Agramonte is leaked, what possibly could you use with that? It isn’t my last name. How exactly can you track me with Agramonte? The law defines personal data separately from intent.

Regardless of the law, I think very few of us need to worry about it. How it is going to go down is exactly what @sgs said. At first, they will go after Google, Apple, Facebook and other large vendors: “these apps are not asking for consent”. Then pressure will be applied to us from the vendors, and we will have to send in the consent. They will probably institute some random audit of our apps, or as part of the review they will reject an app that doesn’t ask for consent. Somebody will create a service where we can capture consent for a fee, or for free if we are indie.

Your deviceId, hand-crafted ID or IDFV (which I plan to use) will never be bothered with. I even doubt that they will come after Corona for whatever crappy data they are capturing.

In an ideal world Apple, Google, or whichever vendor’s app store should take care of this: a simple checkbox in the developer console stating that our apps use services which may collect personal information if enabled, and a simple popup asking for consent from the user before downloading, like the “download over Wi-Fi” popup. Then we and the app stores would have access to this data: two birds with one stone. It would make life so much simpler for everyone involved.

@chris, genius idea but it’s never gonna happen.

Agreed I don’t think “they” (as in the platform owners or big corporations etc) will go after smaller devs.

But you still have to respond to GDPR requests from users. If I as an EU user of your game were to email you a GDPR request asking what data you’re storing and if I can see it / opt out, how would you respond? There’s a 30-day limit in GDPR to respond to these user requests.

Also if Corona is gathering device IDs I think there’s a risk Google Play and/or the App Store might do something about it - similar to Crashlytics in March

https://www.reddit.com/r/androiddev/comments/868ie7/google_play_violation_about_disclosure_of_crash/

Corona: Any updates on this now? It’s time for us to start building out new versions of our apps (if we have to), to make sure they are all approved and live before 25 May.

Btw, Unity updated the GDPR section on how they are planning to get consent for analytics and ads a couple of days ago https://unity3d.com/legal/gdpr 

Thank you for the Reddit link. I guess I’ll remove Crashlytics. Both the crash traces and the ID for vendor are collected and considered personal data, and since Google owns them and can check if you are asking for consent, they can kick you out of the Google store at any time.

Crashlytics Personal Data collected:

  • Installation UUID - iOS and Android.
  • Crash traces

How data helps provide the service:

  • Helping a customer associate crash data with specific instances of their app.

Retention:

  • Crash traces and their associated identifiers are kept for 90 days.

Answers Personal Data collected:

  • Mobile ad IDs
  • Installation UUID
  • Android IDs
  • IP Addresses

How data helps provide the service:

  • Provides customers with analytics information based on segmented device data. IP addresses are used to provide geolocation information to customers.

Retention:

  • Answers retains identifier data for 180 days.

In some ways GDPR is great - stop large companies profiting from personal data without the customers approval. 

But in other ways it royally sucks for us indies :frowning:

Is there any update from Corona Labs? Is there any ETA on when we should hear? This law goes into effect this month; if we need to make changes to our apps we need to know ASAP.