GDPR Compliance

@Corona, we all want an opt out for data collection or at the very least completely anonymised data collection. Simply remove the id element as I said before and everyone will be happy (and you keep your stats/monitoring).

I honestly can’t understand why you won’t action this?

18 days left.  If I’m having to update 20+ apps I need to know right now.  How is this going down to the deadline?

An update on how some companies handle GDPR:

https://twitter.com/mikko/status/992379231479967745

We are working on it. We understand how important this is and we will certainly let you know when we have actionable information for you.

Rob

I see how some said some random id would be considered as personal data. But it just doesn’t fit in the definition.

https://gdpr-info.eu/art-4-gdpr/
 

who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person

Yes an online identifier, but what kind of online identifier? You can’t identify anyone’s "physical, physiological, genetic, mental, economic, cultural or social identity" with that data. If you, however, collect other data and if they make personal data together when combined, then everything you bring to create personal data is considered personal data.

https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en
 

Examples of data not considered personal data

  • a company registration number;
  • an email address such as info@company.com;
  • anonymised data.

Obviously, you can’t figure out if they are using their name and surname or something identifiable in their email address so you must treat all of them as personal data in my opinion. But as you can see, not even a vague email address is considered personal data here as well as a company registration number.

For me, I create some random id on my server and send it to the client. How is it a personal data for example? Also on the same page:

 

 It also doesn’t matter how the data is stored – in an IT system, through video surveillance, or on paper; in all cases, personal data is subject to the protection requirements set out in the GDPR.

So when we enter a meeting, a hotel, a conference for example and they give us a visitor card, would that card, alone, be considered as personal data?

My suggestion would be to start your game and try to make a profile of yourself from that entry in your database. Can you figure out where that entry (you) lives, how the entry thinks or what kind of mood the entry is in (physiological, mental)? Can you track down the person? If the government tells you that person is a criminal and needs to be tracked down and you have no other choice but to comply with government, do you have the capacity to do that or give any useful information about that entry?

Information such as “The user has 3 apples in the game and its random number is sf3ounfq.” is not something you can identify a person or that person’s characteristics with.

By the way, my implementation will be a static popup at the beginning. If they give consent to the list I display they will be able to continue, if not, the app will be waiting for their consent. When they change their mind, there will be an option to delete their information and place them at the start of the game again. I hope that would cover all of my requirements. I am still looking into it.

Admob now has a page up describing an SDK for requesting consent from European users

https://developers.google.com/admob/android/eu-consent

The Google consent-form is something that I would expect full support for in the Corona Admob plugin. It would simplify things a lot, with ready-to-use translations, a standardized interface that users will learn to recognize, and if I understand it correctly, user-level consent management. So that if user Bob gives consent in app A, then when Bob starts app B he won’t need to give consent again (although it might only work if apps A and B come from the same publisher?).

At a minimum, if I have to collect my own consent, I’ll at least need to be able to forward consent to Admob to turn off personalized ads:

Forward consent without the Consent SDK

The default behavior of the Google Mobile Ads SDK is to serve personalized ads. If a user has consented to receive only non-personalized ads, you can configure an AdRequest object with the following code to specify that only non-personalized ads should be returned:

 

 

// "npa" = "1" asks for non-personalized ads only
Bundle extras = new Bundle();
extras.putString("npa", "1");

AdRequest request = new AdRequest.Builder()
        .addNetworkExtrasBundle(AdMobAdapter.class, extras)
        .build();

@a.o.altomruk, I am in no way a lawyer nor am I a GDPR expert, but from my research the GDPR is intentionally vague on personal identifiers, but my understanding is that if you collect an IDFV or IP address and store them even though you collect no other relatable data, it’s still considered personal data because if your site is compromised by a hacker and they have personal data from another site, they can now figure out who your users are by matching those two data sets.

@everyone, in case you missed it, Appodeal posted a new blog post a couple of days ago:

https://blog.appodeal.com/blog/2018/05/08/appodeal-gdpr-guide/

This is worth a read and provides some excellent advice for app developers on how to manage getting permission. We are continuing to work on how Corona and GDPR data are managed, ways to control consent to those plugins that support it, updating our privacy policies and providing a similar guide for Corona developers. But this post can get you thinking about how to set up consent requests and manage them on your settings screen.

In short, you need to present users in the EU with a consent form on app startup that says you’re using ads (you probably should list services) and collect a simple yes or no on the consent. If they don’t consent, then offer them to buy the app outright or disallow usage or just let them use it for free. The settings screen should allow them to later change their mind. If they later deny access to a given ad service then simply don’t initialize that plugin if the plugin doesn’t have a consent API. The Appodeal blog kind of covers this if that helps you get started on designing your permission dialogs.

Rob

Hey Rob, I agree with you completely! If I would collect an IDFV or IP address, those are enough to be considered as personal data. You could even make a complaint based on IP. What I meant was just some random ID that I generated myself and is just subject to my own database. They cannot match some random hash string for example with the data from another site. Even if I would serve my database publicly (obviously never gonna happen (:), no-one could identify anyone with any data they can collect. A very simplified version of what I am saying is “{id:abc432, ammo:3, hp:10}”. If ID here was IP address or IDFV then yes it would count as personal.

By the way, those who don’t comply with GDPR will pay a maximum of 20 mil euros or 4% of last year’s total annual turnover. Whichever is higher. They are obviously not after indie developers. I didn’t know it was possible to make more than 500 mil euros in a year :lol: Though let’s not forget that it is something users want anyway. GDPR or not GDPR, we (as users) deserve to be anonymous where we want and when we want and we could be able to remove information about our personal data from the places we don’t want. This will be our usual practice with the next apps of ours and it will be easy to just implement a consent dialog and make the game as minimum personal data harvester as possible.

@a.o.altomruk

How is a random number not equal to “an identification number,”? It fits the definition. Under your definition idfv would not be a personal data, but it is.

I have said a couple of times in the forum that intent is not part of the law, but I like your analogy if you get a government request of your data could you identify that person. I think the real question is not if you can identify a person, but can they identify the behaviors and pattern of that person (even if you can’t identify the individual).

Let’s say I am JCPenney. I can create a game. It doesn’t even have to be JCPenney branded. I can create a uniqueId for each individual. I will have information about when and how each individual plays the game, when they click on an ad, what type of ads they click on, what kind of colors they like (by providing options for themes), and other random things about that individual based solely on game behavior. I can then use that data to target that individual with advertising for individual products that I am selling as JCPenney. I can then sell that customer intelligence as a service to other potential companies.

I can create a news app. Give users options. Let them like news stories. Then using that unique random id and app behavior push advertorials or paid news based on that unique behavior of that individual.

Of course, you are not doing this. Neither am I. But GDPR is really not for the indie developers.

The point of GDPR is not to stop people identifying patterns of behaviour and tailoring user experience and/or advertising based on that. Otherwise Facebook is finished.

It is to stop companies storing information they do not need, and for the data they do need in the usual course of business ensure they have permission and keep it as safe as possible. For example the insurance company I work for has to store very sensitive information. GDPR does not stop us doing this, otherwise we could not be an insurance company. It just means we have to ensure only those who absolutely need to can see/edit sensitive data.

@nick_sherman is right. You can store whatever you like. You just have to disclose it and probably in some cases, justify it. “We need to collect your device’s ‘ID for Advertising’ to deliver ads to you. This is how we can let you play this game for free.” GDPR is about disclosure and granting control to your users to decide if they want to allow it or not.

Rob

I agree 100% with you Rob and Nick. Consent is required for an insurance company. You have to agree to store your personal information. And yes Facebook has to request consent to store and track users in EU.

All I was trying to say is that because you create a super-wammy unique id it doesn’t exempt you from the responsibility of GDPR: encrypting the data, consent or essential business justification to store data, encryption of data and other requirements.

Hey folks! To address some of your concerns, starting from 3286 Corona built apps would not send any user information to server.

In other words: no more idfv/fa/android/whatever sending. If you don’t have any plugins, your app should be compliant to privacy requirements of GDPR. No private data - no handling, tracking or disclosures. I’m not legal counsel but that is what I understood from listening to one.

We will address issue of already collected data before the G day.

I know this is not all what you wanted me to say, but I hope this will show that we’re actively working on the issues presented by this regulation and listening to what you have to tell. Stay tuned to press releases, info on plugins updates. We will deal with GDPR in an appropriate manner.

Generally - have fun & profit developing games; let’s not forget why we’re here :wink:

Great news and thank you vlad.  Your hard work is always appreciated!

@corona This is wonderful news - thanks Corona.  And thanks everyone else for all your contributions to this very interesting discussion. 

@agramonte That I agree. If you were to store that kind of information that would create a physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. In that case, that ID would be personal data too. As I have said you are collecting a set of data to create a physiological or mental identity so all the data related to that identity is now part of personal data. And it is not about intent. It is the actions. Even if you are not going to sell or use the data, with the types of data you are storing, you are profiling an identity.

With the news app, if we were to store what kind of news they read etc. then yes ID again would be a personal data. And If we have some kind of chat mechanism then again any identifier of that ‘chatter’ would be personal data again.

@vlads Thank you!

Thank you so much Corona for finally supporting GDPR and thanks to all those who push this so hard to get resolved quickly.

I have to update almost 35 games and time is very less. I think I need to work hard, but can someone please tell me what I have to do exactly now? Do I only need to take builds and update them on the store? I am using Admob, Chartboost, Flurry, Facebook, Firebase, GPGS for leaderboards and Kochava. Please tell me: do I need to add some kind of consent form, or do I need to remove these plugins and push all live?

I think when Corona says in the latest build we are not collecting any data then it means we are all set to launch and safe with plugins too, but I just want to confirm once.

Thanks in Advance,

@sahil19.sindh We are not set with plugins unfortunately. Those plugins share personal or non-personal data with those companies. Chartboost plugin needs an update for example. They launched a new SDK but I think we are not using the new plugin at the moment? The difference with the new plugin is that you can pass a parameter and when Chartboost receives that parameter, they will delete all of the data related to that user (as this is users’ right to remove all the data that are related to them). We need this kind of update for all the necessary plugins. But some didn’t release, some Corona didn’t update yet. Till this is resolved, I will be doing this manually. When my users request data erasure, I will get the necessary information from them to identify and pass this request to my “data processors”. It is hard but necessary.

In short;

  • Get their consent for the personal data your plugins may collect and you collect
  • Give them the option of withdrawing that request
  • Show them that they have the right “to be forgotten” (deleting every piece of data that is collected via your app and stored) and get ready to fulfill those requests either manually or via an automated system.
  • If you are passing personal data to your server, make sure you are using encryption and applying the necessary security practices.
  • Update your Privacy Policy and identify those 3rd-party companies
  • Dump the insecure companies you are working with
  • Minimize your personal data collection
  • Make sure you have the legal basis to use/store each personal data you collect (see https://gdpr-info.eu/art-6-gdpr/)

Am I missing anything?
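
An added example, not part of the thread and not Corona's own code: the consent steps discussed above (collect a yes/no per service, do not initialise anything the user declined, let them withdraw later and hand an erasure request to the processor), sketched in plain Lua. The `Consent` table, the service names and the `init` callbacks are hypothetical stand-ins for real plugins, and the sample data is constructed.

```lua
-- Consent ledger that gates plugin start-up (plain Lua, no Corona APIs).
local Consent = {}
Consent.__index = Consent

function Consent.new(services)
    return setmetatable({ services = services, granted = {}, started = {} }, Consent)
end

-- Record the user's yes/no for one service, with a timestamp for the audit trail.
function Consent:set(name, allowed)
    assert(self.services[name], "unknown service: " .. tostring(name))
    self.granted[name] = { allowed = (allowed == true), at = os.time() }
end

-- Start only services with an explicit "yes"; a missing record counts as "no".
function Consent:startAll()
    local skipped = {}
    for name, svc in pairs(self.services) do
        local rec = self.granted[name]
        if rec and rec.allowed then
            if not self.started[name] then
                svc.init()
                self.started[name] = true
            end
        else
            skipped[#skipped + 1] = name
        end
    end
    table.sort(skipped)
    return skipped
end

-- Withdrawal: flip the record so the service is skipped from now on, and
-- return an erasure request to forward to that processor (hypothetical shape).
function Consent:withdraw(name, userId)
    self:set(name, false)
    self.started[name] = nil
    return { processor = name, userId = userId, action = "erase" }
end

-- Constructed sample: two hypothetical services, consent given to ads only.
local c = Consent.new({
    ads = { init = function() print("ads started") end },
    analytics = { init = function() print("analytics started") end },
})
c:set("ads", true)
print("skipped: " .. table.concat(c:startAll(), ","))
local req = c:withdraw("ads", "abc432")  -- user changes their mind in settings
print(req.processor, req.action, req.userId)
print("skipped: " .. table.concat(c:startAll(), ","))
```

In a real app the `granted` table would be persisted between launches, and a service that is already running can only be left uninitialised from the next start.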