GDPR Compliance

What I find so interesting about this mess is what aggregators like Appodeal will do. Apparently AdColony doesn’t want a consent, but for example, Chartboost requires a consent. So what in the world would Appodeal do? 

Chartboost is a “Controller” with regard to the personal data that we process of European data subjects. Chartboost relies on its publishers to get consent for Chartboost to process such data.

I use deviceid as a unique identifier.  As this is device level it does not (I hope) classify as PII as it doesn’t technically identify a person and cannot be used to track a user across devices.

I also have FB integration and Google sign in but these are opt in.

For ads I only use Vungle (again these are also opt in) and they have confirmed they will be GDPR compliant http://vungle.com/gdpr-faq/.

So I am going with the above + a clear privacy policy which explains all this will be good enough.

That only leaves Corona harvesting PII as the problem.

@vlads

If Corona continues to collect any PII data (including any kind of unique identifier per user), then Corona developers must show a consent popup at app start, detailing what data is collected, what it is used for, and for how long it is stored.  As this data is sent to Corona servers, we developers don’t know the answers to these questions, so we can not reasonably present this popup to users. 

If a user does not consent to this popup, then we are obliged, under GDPR, to still allow the user access to the app - we can not quit the app if they don’t consent. This means Corona would need to accept that the user does not want their data collected, and not collect it. 

I propose that Corona allows app developers to decide whether or not Corona collects our users’ data, rather than deferring to our end-users for the decision.

We would be happy to pay an annual subscription to Corona in exchange for this guarantee.

I concur with @SGS that a device and a person are two different things. As long as the app has collected no personal information, all I know is that a “device” connected, etc. It gives me no personally identifiable information about the device owner that I can associate with that user.

-dev

Not sure why people think DeviceID is okay to use.  GDPR clearly states it’s classified as an identifier because it allows you to track a user’s actions.

IP, DeviceID, Username, or Real Name are all identifiers that must be consented to, have the ability to be deleted, and ability to opt-out completely.

Hi,

I’m not clear on how a device identifier that has no relationship to any information “to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.” falls into that category. But that’s just my opinion. I’m certainly not a lawyer.

I agree that seeing how the bigger publishers go about it will be telling.

-dev

I agree it will be interesting to see how big publishers handle it, and you would likely never get in trouble if you used Device ID.  But everything I’ve read points to device ID being equally sensitive as an IP address and that is personal data.

Check this article out, it provides good data about what is generally considered personal data: http://privacylawblog.fieldfisher.com/2015/getting-to-know-the-gdpr-part-1-you-may-be-processing-more-personal-information-than-you-think/

The important quote is here: “The GDPR makes clear that the concept of personal data includes online identifiers and location data – meaning that the legal definition of personal data now puts beyond any doubt that IP addresses, mobile device IDs and the like are all personal and must be protected accordingly.  This means that these types of data will now be subject to fairness, lawfulness, security, data export and other data protection requirements just like every other type of ‘ordinary’ personal data.”

I agree, kbradford. From all I have read about the law, it is clear that deviceId, a random number, or even a username is considered personal data. I know a lot of people don’t like to hear that because it makes things extremely complicated, but I have not seen anything written that would contradict that.

You can always go the adcolony route and say that yes you are collecting personal data but that it is essential for the users of your app. I think you have a stronger footing with that argument than adcolony will ever have. 

@Corona: We really need some info on this now - We’re working on getting our games ready for the deadline in 30 days, and we need to build out new versions of all of them and get them live on the stores before that. So we urgently need to know about the data/stats Corona is collecting through our games and that Corona is complying with all responsibilities that come with doing this, so that we can plan for it and add it to a consent dialog, or preferably just make sure Corona is not collecting any user info.

@SGS Agree with others here - from what I understand deviceID definitely requires consent (and for pretty good reasons as well - you’re likely the only one using a device and it’s also likely that many services you are signed up for have connected your name and other personal info to your device id already). Maybe you could just save a randomly generated number instead on first startup that you would store locally on the phone. It would be unique just for one install of your game and you can’t do any cross stats of users between apps - but should be good enough for stats etc.

@Chribbe if deviceID is counted as PII then any random number would too as this would have to be unique and therefore identify a particular user.

My games only save to my servers when players reach level 10 (saves filling up the DB with non-serious players), so if I was to show consent then I could time it with a “would you like your game backed up…” style message.  This should be a positive for the player rather than a “we are tracking you…” style message.

But the issue is Corona logging data.

Curiously, my FB app asked for permissions for this and the only options were “accept their terms” or “delete Facebook”.

@SGS that is a great idea. For people who play once or twice there is no need to show or store anything.

Our team is trying to determine the data that we are collecting. We are working on this as fast as we can.

Rob

Regarding Google Analytics, and what identifier is safe to use: After reading a lot about GDPR recently I have come to the conclusion that a random UUID per app cannot possibly be considered personally identifiable information.

My approach for GA is thus:

  • Anonymize the IP

  • Generate a UUID on first launch of the app, and use it for GA tracking

This means if user Bob has 3 of my apps then he will have 3 UUIDs. My stats (such as MAU) per-app will be correct, but for the portfolio as a whole the number will be inflated a bit.
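The per-app UUID half of the approach above, as an added Lua example for Corona SDK; this is not code from the thread or from Corona itself. It assumes Corona’s `json` and `system` modules; the file name `analytics_id.json` and the function names are this example’s own choices, and the IP-anonymization step is an analytics-side setting that is not shown here.

```lua
-- Added example, not code from the thread or from Corona itself:
-- a per-install pseudonymous ID that never leaves the app's sandbox.
local json = require("json")

local ID_FILE = "analytics_id.json"  -- file name is this example's choice

-- Build a random UUID in version-4 layout. math.random is not a
-- cryptographic generator; the ID only needs to be unique per install.
local function newUUID()
    math.randomseed(os.time())
    local template = "xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx"
    return (template:gsub("[xy]", function(c)
        local v = (c == "x") and math.random(0, 15) or math.random(8, 11)
        return string.format("%x", v)
    end))
end

local function idPath()
    return system.pathForFile(ID_FILE, system.DocumentsDirectory)
end

-- Return the stored ID, or nil if this install has none yet.
local function loadID()
    local f = io.open(idPath(), "r")
    if not f then return nil end
    local data = json.decode(f:read("*a"))
    f:close()
    return data and data.id or nil
end

-- Return the install ID, generating and saving it on first launch.
local function getOrCreateID()
    local id = loadID()
    if id then return id end
    id = newUUID()
    local f = io.open(idPath(), "w")
    if f then
        f:write(json.encode({ id = id, created = os.time() }))
        f:close()
    end
    return id
end

-- Erasure / opt-out: delete the file. A later launch gets a fresh ID
-- with no link to the old one, so historic events cannot be re-joined.
local function resetID()
    os.remove(idPath())
end
```

Call `getOrCreateID()` once at startup and pass the result to the analytics library as the client identifier; wire `resetID()` to the opt-out or “delete my data” control so the next launch starts with an unlinked ID.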

@perflubron your assumption is not correct. It is written in the document in Article 4 under the definition of personal data: generated ids are personal data. Again as I have stated before the likelihood of anybody coming after you because you are using a GUID to track nothing really traceable is really small.

@agramonte I’ll agree to disagree :slight_smile: (given anonymous IP combined with a generated ID for each app, and that generated ID only lives on the user’s device). Could you link to your source?

I read about pseudonymous data here, perhaps that is what you think affects me (https://iapp.org/news/a/top-10-operational-impacts-of-the-gdpr-part-8-pseudonymization/)? The difference in my case is that I’m not taking a real ID and then separating it from the data. I’m sending the data on an anonymous ID in the first place.

But I’m no lawyer. 

Anyway, I was inspired to write up my overall approach for GDPR compliance in a Medium story: https://medium.com/@perhaglund/how-i-hope-to-make-my-apps-compliant-with-eu-gdpr-and-gdpr-k-e37578fa6ecd

Article 4 definition:

https://gdpr-info.eu/art-4-gdpr/

Interpretation from a law firm. How is your GUID number any different than a generated cookie? 

https://privacylawblog.fieldfisher.com/2015/getting-to-know-the-gdpr-part-1-you-may-be-processing-more-personal-information-than-you-think

Another law firm in the UK with a list of personal data (your id falls into that category):

https://cybercounsel.co.uk/pd/

(MAC) address or other host-specific persistent static identifier that consistently links to a particular person or small, well-defined group of people

My ID is only readable by the app where it was generated. No other app knows about that ID - unlike a cookie. There is no data in the app associated with that ID - unlike a cookie, which holds data. The ID is not persistent - unlike a MAC address. Really there is no way it could be used to identify an individual. It would be like a user having a different device for each app they use, and never browsing the web from any of those devices. And, to continue the analogy, they destroy the device when they want to stop using the app.

@per so are cookies (only readable by the source).  It is when a third party cookie, say FB, is dropped that it can be used to track you around the internet by the third party.

I stand by an internal ID (deviceID or similar) doesn’t identify the person but the device and therefore is basically harmless in this respect.  An entire family might share an iPad for example.  I think it is unwise to worry about this unnecessarily… after all I doubt any of us are misusing our customers’ data, are we?

Also to be noted is “no-one is going to be coming for you” and if they did they would be totally taking a top-down approach. 

The massive fines are in respect to data breaches of personal data and as I am not storing anything personal any potential breach would simply consist of game data - i.e. some integers, doubles and the odd string or two.

@per cookies don’t need data and are associated only with the device or browser they are running on. They are still considered personal data. Look at IDFV on Apple devices. Again it is an ID generated per device per vendor. You install your app and re-install it on another device and that ID is different. Again considered personal data.

I agree with @sgs 100% here. The law is not after us. I don’t think we intend any malice or gains from this data. If your scheme is permitted it would allow big companies to use the exact scheme to continue to do what they do today. That you are not doing it or don’t plan on selling or providing services based on that data does not change the fact that the law still defines it as personal data. The intent of the collection does not make it permissible.

It’s not the same thing though, as the device ids and cookies etc. are the same between different services and apps. Let’s say the device id of a famous politician is posted online after a security leak. Then everyone who stored that device id would be able to connect it to that person and whatever weird stuff that politician did would get out. With a locally, randomly generated id just used by your app (like @perflubron described) this couldn’t happen.

Oh btw, I remember when OpenFeint leaked identities of a few million device ids back in 2011. 

https://corte.si/posts/security/openfeint-udid-deanonymization/index.html