GDPR Compliance

It seems that it’s about targeting and I’m more than OK with that, I support the approach. Hope this becomes an industry standard worldwide in the near future. I don’t like the fact that ad companies are collecting data in the background silently.

Looking at the screenshots, it seems that it’s a feature that SDKs are going to implement and we’ll probably make adjustments from their UI if we need to.

Here is Flurry’s state on GDPR. They seem to be tossing the ball to the developer.

https://developer.yahoo.com/flurry/docs/analytics/gdpr/

I imagine a lot will “offload this responsibility to dev” and that sucks.

Personally, I use Google Analytics REST API (and not any plugins) so I control the data being sent so I have always anonymised that. 

Does that mean there is nothing much to do for the developer that’s just collecting event data to analyse player behavior or are we legally responsible for SDKs’ behavior because we chose to integrate one?

Most of them are claiming they are “processors”. So either you do what SGS is doing, use the REST API and anonymize, or you have to capture, store and then provide a mechanism for the user to remove consent.

This is from flurry you just linked.

Q: Do I need to update the Flurry SDK in my app for this?

A: In a processor role, Flurry assumes that the personal data that is sent to us has all the proper legal bases for its use in an Analytics capacity. What this means is that any Flurry SDK can be used to send personal data to Flurry as long as you have gained the proper legal basis to do so, whether via consent from the user, or another basis.

Here is the definition of personal data. I highlighted the important items for me. From most of what I have read “personal data” includes location (even if obtained from wifi), name (from game services for example), any Id (doesn’t matter if you generate it or not, if Google, Apple and/or Corona provided it from an API).

Those types of personal data require explicit consent from the user and the ability for the user to remove consent. It isn’t enough anymore to have a privacy document somewhere stating that you are using the advertising id for ads, the vendor id to keep track of leaderboards or some random Id to keep track of achievements.

https://gdpr-info.eu/chapter-4/

Rec.32

Silence, pre-ticked boxes, inactivity, failure to opt-out, or passive acquiescence do not constitute valid consent.

Rec.26; Art.4(1)

“Personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

So we will all be asking for permissions from now on, right at the beginning of the game / app etc. This is more strict than just writing “This site collects cookies” stuff.

“Directly or indirectly identifiable” is another strong term. For example, if I want to get initials from the player to submit on the leaderboard, does it make this data fall into this section? Also, when the Game Center and Game Services ids are falling into that category, that will make every single developer that integrates GPGS or Game Center responsible for even the basic stuff. I hope that using the GPGS id does not mean “collecting” in the eyes of EU.

I’m pretty confused at this point and I guess I’ll wait out a little before releasing the game we’re working on to see how other apps and games handle that stuff.

By the way, any updates on the Corona side for the data @sgs mentioned before?

@bgmadclown… I’m getting the feeling that this is a question that is “too difficult” to answer.  And by that I mean Corona like to shout about providing devs with statistical data but they actually have zero ability to deliver this.  

Typical marketing hyperbole unfortunately… hopefully I will be proved wrong?

10 days later and still no answer says it all really.

According to the privacy policy, a chunk of data is being collected and said to be provided to the developers (by the way, this makes them the “processor” according to GDPR) but we don’t know where this data is and how it’s used. This may cause some problems in the near future when GDPR kicks in.

Hey all, I’m trying to get an answer on this. Please be patient.

Rob

How long do we need to wait @Rob? It’s been weeks now

I don’t have an answer yet. I’m pressing the team to find out, but they are incredibly busy right now.

Rob

A 20 million euros fine would probably sharpen their focus. There will be people out there looking to test and profit from the system from day one, it needs to be taken seriously and ready to go on May 25th.

I hope they are busy with GDPR compliance or as nick_sherman says, things can go sideways.

Following this.  We can remove analytics and ad networks plugins if need to be GDPR compliant, but if Corona is doing something natively we need to know what and how to turn it off.  I don’t want to have to put a disclaimer at the load of every app saying we collect information.

Yes, especially since user must be able to opt-out. 

@Rob we need the official stance on this sooner rather than later. Time is marching on this for sure. This post was opened March 21st; if an answer takes much longer then we will be at the deadline and that leaves zero time for us to plan a strategy, code it, test it and roll it out.

Therefore, either give us full access to the information you collect or stop collecting it immediately.

I am sure you are only too aware of the recent backlash on hidden data collection based on poor practices by Facebook.

This is a legal requirement for any apps selling into the EU and not something up for debate.

I know it’s a legal issue but the answer about those statistics should be simple. If you say “we’re providing our developers with usage statistics”, we should be able to see it somewhere.

I can’t help but think that the privacy policy is dated back to Corona Analytics days and the person responsible for that just forgot to remove references to it.

The fact this thread has been going for nearly a month with no new info is disconcerting.  From how I understand GDPR, if Corona is sending user info to a remote server and developers don’t have the ability to stop it, then every single Corona app ever made is in violation of GDPR.  Basically no Corona apps could be sold in Europe without breaking the law.

Corona needs to provide developers a way to simply stop this collection.  We have 20+ apps and if we have to rebuild and resubmit every app before the deadline then Corona needs to address this ASAP.  Ideally we will be able to stop it remotely without the need for a rebuild, but that may be hoping for too much.

I think if Corona does not fix this on time, I think in the Google Play Console and maybe Apple, there will be an option asking whether your app is GDPR compliant. We may have to not release our apps in Europe until we are compliant.