GDPR Compliance

This is why I provided the example of an IP address: it is used to establish any network connection. It is private identifiable data, but as long as it isn’t stored it is OK to send it. Also, some data is necessary to be sent to calculate simple stats, like how many different users an app has or how many times on average users start the app daily. This is important to us 1. to understand how Corona is used and 2. to keep checks on our monetization partners (ad networks Corona developers choose to use).

We do actively work to make sure data is stored and handled in accordance with GDPR.

Well you must collect some form of unique identifier in order to calculate how often a user starts the app daily. Developers need to know what that is so they can add it to their consent notice.

I would think there would be a distinction between:

  1. A developer collecting deviceID or similar to analyse user behaviour in order to improve the user experience in their app, or to be able to restore purchases/progress.

  2. A developer collecting deviceID or similar on behalf of the company who made the engine they use so they can analyse the performance/popularity of the engine and their advertising partners.

Number 2 is a lot more difficult to justify to an end user because it doesn’t benefit them and their use of the app.

@Vlad (and as per nick_sherman)

if we are unable to stop you (Corona Labs) from collecting data via “the tool” (Corona API), then what we (the dev) need from you (Corona Labs) is a public statement/policy re GDPR that we can refer them (the users) to.

so that we (the devs) could (at the very least) post a “redirected policy” something like:

"This app was constructed with a tool named Corona SDK, developed by Corona Labs, which collects usage data on its own according to the following policy:  http://www.coronalabs.com/gdprpolicy"

that public policy page must formally support your statement:  “We do actively work to make sure data is stored and handled in accordance with GDPR.”  because we (the devs) have no control over it otherwise, and that won’t fly.

@davebollinger we are working with our lawyers to draft that new privacy policy.

Rob

Surely if the id element is removed then Corona gets its stats and “we” pass no PII?

Just to make sure no one misses that: https://coronalabs.com/blog/2018/05/02/corona-and-gdpr/

So @corona

Appodeal updated the privacy policy a couple of days ago and makes it clear that we need to get consent from users to use the SDK. We’re working on figuring out if and how we can do this now. As a temp solution we’re thinking of disabling Appodeal (and all ads) for EU users for now. We really need to know if Corona will keep gathering device id stats (please don’t or at least give us a way to turn it off) ASAP or risk not getting all our apps updated and live in time.

@corona 

We make apps for kids with Corona, and we don’t monetize with ads. We are 100% IAPs. We don’t need your advertising SDKs. Can you give us an option to opt-out of all data collection within build.settings? We have already removed all other plugins that transmit or collect data.

We need to release 35 Corona apps to various app stores within 18 days. The sooner we get help from you, the sooner we can get past this and get on with making games.

@Corona, we all want an opt out for data collection or at the very least completely anonymised data collection. Simply remove the id element as I said before and everyone will be happy (and you keep your stats/monitoring).

I honestly can’t understand why you won’t action this?

18 days left.  If I’m having to update 20+ apps I need to know right now.  How is this going down to the deadline?

An update on how some companies handle GDPR:

https://twitter.com/mikko/status/992379231479967745

We are working on it. We understand how important this is and we will certainly let you know when we have actionable information for you.

Rob

I see how some said some random id would be considered as personal data. But it just doesn’t fit in the definition.

https://gdpr-info.eu/art-4-gdpr/
 

who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person

Yes, an online identifier, but what kind of online identifier? You can’t identify anyone’s "physical, physiological, genetic, mental, economic, cultural or social identity" with that data. If you, however, collect other data and if they make personal data together when combined, then everything you bring to create personal data is considered personal data.

https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en
 

Examples of data not considered personal data

  • a company registration number;
  • an email address such as info@company.com;
  • anonymised data.

Obviously, you can’t figure out if they are using their name and surname or something identifiable in their email address so you must treat all of them as personal data in my opinion. But as you can see, not even a vague email address is considered personal data here as well as a company registration number.

For me, I create some random id on my server and send it to the client. How is it personal data, for example? Also on the same page:

 

 It also doesn’t matter how the data is stored – in an IT system, through video surveillance, or on paper; in all cases, personal data is subject to the protection requirements set out in the GDPR.

So when we enter a meeting, a hotel, a conference for example and they give us a visitor card, would that card, alone, be considered as personal data?

My suggestion would be to start your game and try to make a profile of yourself from that entry in your database. Can you figure out where that entry (you) lives, how the entry thinks or what kind of mood the entry is in (physiological, mental)? Can you track down the person? If the government tells you that person is a criminal and needs to be tracked down and you have no other choice but to comply with government, do you have the capacity to do that or give any useful information about that entry?

Information such as “The user has 3 apples in the game and its random number is sf3ounfq.” is not something you can identify a person or that person’s characteristics with.

By the way, my implementation will be a static popup at the beginning. If they give consent to the list I display they will be able to continue, if not, the app will be waiting for their consent. When they change their mind, there will be an option to delete their information and place them at the start of the game again. I hope that would cover all of my requirements. I am still looking into it.

Admob now has a page up describing an SDK for requesting consent from European users

https://developers.google.com/admob/android/eu-consent

The Google consent-form is something that I would expect full support for in the Corona Admob plugin. It would simplify things a lot, with ready-to-use translations, a standardized interface that users will learn to recognize, and if I understand it correctly, user-level consent management. So that if user Bob gives consent in app A, then when Bob starts app B he won’t need to give consent again (although it might only work if apps A and B come from the same publisher?).

At a minimum, if I have to collect my own consent, I’ll at least need to be able to forward consent to Admob to turn off personalized ads:

Forward consent without the Consent SDK

The default behavior of the Google Mobile Ads SDK is to serve personalized ads. If a user has consented to receive only non-personalized ads, you can configure an AdRequest object with the following code to specify that only non-personalized ads should be returned:

 

 

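import android.os.Bundle;
import com.google.ads.mediation.admob.AdMobAdapter;
import com.google.android.gms.ads.AdRequest;

// "npa" = "1" asks the Mobile Ads SDK to return only non-personalized ads.
Bundle extras = new Bundle();
extras.putString("npa", "1");

AdRequest request = new AdRequest.Builder()
        .addNetworkExtrasBundle(AdMobAdapter.class, extras)
        .build();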

@a.o.altomruk, I am in no way a lawyer nor am I a GDPR expert, but from my research the GDPR is intentionally vague on personal identifiers, but my understanding is that if you collect an IDFV or IP address and store them even though you collect no other relatable data, it’s still considered personal data because if your site is compromised by a hacker and they have personal data from another site, they can now figure out who your users are by matching those two data sets.

@everyone, in case you missed it, Appodeal posted a new blog post a couple of days ago:

https://blog.appodeal.com/blog/2018/05/08/appodeal-gdpr-guide/

This is worth a read and provides some excellent advice for app developers on how to manage getting permission. We are continuing to work on how Corona and GDPR data are managed, ways to control consent to those plugins that support it, updating our privacy policies and providing a similar guide for Corona developers. But this post can get you thinking about how to set up consent requests and manage them on your settings screen.

In short, you need to present users in the EU with a consent form on app startup that says you’re using ads (you probably should list services) and collect a simple yes or no on the consent. If they don’t consent, then offer them to buy the app outright or disallow usage or just let them use it for free. The settings screen should allow them to later change their mind. If they later deny access to a given ad service then simply don’t initialize that plugin if the plugin doesn’t have a consent API. The Appodeal blog kind of covers this if that helps you get started on designing your permission dialogs.

Rob
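The start-up flow described in the post above (ask once, remember a yes/no per service, let the settings screen change it, and skip initialising any plugin the user declined), sketched in plain Lua as an added example that is not part of the thread or Corona's own code. The `Consent` table, the service ids and the init callbacks are hypothetical, and writing the serialized string to storage is left to the app.

```lua
-- Added example: per-service consent gate (all names are hypothetical).
local Consent = {}
Consent.__index = Consent

-- saved: string produced by an earlier :serialize(), or nil on first launch.
function Consent.new(saved)
    local self = setmetatable({ answers = {} }, Consent)
    for id, flag in (saved or ""):gmatch("([%w_]+)=([01])") do
        self.answers[id] = (flag == "1")
    end
    return self
end

-- True while any listed service has no recorded answer: show the form.
function Consent:needsPrompt(ids)
    for _, id in ipairs(ids) do
        if self.answers[id] == nil then return true end
    end
    return false
end

-- Called from the consent form and from the settings screen.
function Consent:set(id, granted) self.answers[id] = (granted == true) end

function Consent:serialize()
    local parts = {}
    for id, granted in pairs(self.answers) do
        parts[#parts + 1] = id .. "=" .. (granted and "1" or "0")
    end
    table.sort(parts)
    return table.concat(parts, ";")
end

-- Run init only for services with an explicit "yes"; no answer means no.
function Consent:startAllowed(services)
    local started = {}
    for id, init in pairs(services) do
        if self.answers[id] == true then init(); started[#started + 1] = id end
    end
    table.sort(started)
    return started
end

-- Constructed run: consent given to both, later withdrawn for ads in settings.
local first = Consent.new(nil)
assert(first:needsPrompt({ "ads", "analytics" }))
first:set("ads", true); first:set("analytics", true); first:set("ads", false)
local nextLaunch = Consent.new(first:serialize())
local services = { ads = function() end, analytics = function() end }
assert(table.concat(nextLaunch:startAllowed(services), ",") == "analytics")
```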

Hey Rob, I agree with you completely! If I would collect an IDFV or IP address, those are enough to be considered as personal data. You could even make a complaint based on IP. What I meant was just some random ID that I generated myself and is just subject to my own database. They cannot match some random hash string for example with the data from another site. Even if I would serve my database publicly (obviously never gonna happen (:), no-one could identify anyone with any data they can collect. A very simplified version of what I am saying is “{id:abc432, ammo:3, hp:10}”. If ID here was IP address or IDFV then yes it would count as personal.

By the way, those who don’t comply with GDPR will pay a maximum of 20 mil euros or 4% of last year’s total annual turnover, whichever is higher. They are obviously not after indie developers. I didn’t know it was possible to make more than 500 mil euros in a year :lol: Though let’s not forget that it is something users want anyway. GDPR or not GDPR, we (as users) deserve to be anonymous where we want and when we want and we could be able to remove information about our personal data from the places we don’t want. This will be our usual practice with the next apps of ours and it will be easy to just implement a consent dialog and make the game as minimum personal data harvester as possible.

@a.o.altomruk

How is a random number not equal to “an identification number,”? It fits the definition. Under your definition idfv would not be a personal data, but it is.

I have said a couple of times in the forum that intent is not part of the law, but I like your analogy if you get a government request of your data could you identify that person. I think the real question is not if you can identify a person, but can they identify the behaviors and pattern of that person (even if you can’t identify the individual).

Let’s say I am JCPenney. I can create a game. It doesn’t even have to be JCPenney branded. I can create a uniqueId for each individual. I will have information about when and how each individual plays the game, when they click on an ad, what type of ads they click on, what kind of colors they like (by providing options for themes), and other random things about that individual based solely on game behavior. I can then use that data to target that individual with advertising for individual products that I am selling as JCPenney. I can then sell that customer intelligence as a service to other potential companies.

I can create a news app. Give users options. Let them like news stories. Then using that unique random id and app behavior push advertorials or paid news based on that unique behavior of that individual.

Of course, you are not doing this. Neither am I. But GDPR is really not for the indie developers.

The point of GDPR is not to stop people identifying patterns of behaviour and tailoring user experience and/or advertising based on that. Otherwise Facebook is finished.

It is to stop companies storing information they do not need, and for the data they do need in the usual course of business ensure they have permission and keep it as safe as possible. For example the insurance company I work for has to store very sensitive information. GDPR does not stop us doing this, otherwise we could not be an insurance company. It just means we have to ensure only those who absolutely need to can see/edit sensitive data.

@nick_sherman is right. You can store whatever you like. You just have to disclose it and probably in some cases, justify it. “We need to collect your device’s ‘ID for Advertising’ to deliver ads to you. This is how we can let you play this game for free.” GDPR is about disclosure and granting control to your users to decide if they want to allow it or not.

Rob