GDPR Compliance

I agree 100% with you Rob and Nick. Consent is required for an insurance company. You have to agree to store your personal information. And yes Facebook has to request consent to store and track users in EU.

All I was trying to say is that because you create a super-wammy unique id it doesn’t exempt you from the responsibility of GDPR: encrypting the data, consent or essential business justification to store data, encryption of data and other requirements.

Hey folks! To address some of your concerns, starting from 3286 Corona built apps would not send any user information to server.

In other words: no more idfv/fa/android/whatever sending. If you don’t have any plugins, your app should be compliant with the privacy requirements of GDPR. No private data - no handling, tracking or disclosures. I’m not legal counsel but that’s what I understood from listening to one.

We will address issue of already collected data before the G day.

I know this is not all that you wanted me to say, but I hope this will show that we’re actively working on the issues presented by this regulation and listening to what you have to tell. Stay tuned to press releases, info on plugins updates. We will deal with GDPR in an appropriate manner.

Generally - have fun & profit developing games; let’s not forget why we’re here  :wink:

Great news and thank you vlad.  Your hard work is always appreciated!

@corona This is wonderful news - thanks Corona.  And thanks everyone else for all your contributions to this very interesting discussion. 

@agramonte That I agree. If you were to store that kind of information that would create a physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.  In that case, that ID would be personal data too. As I have said you are collecting a set of data to create a _physiological_ or _mental_ identity so all the data related to that identity is now part of personal data. And it is not about intent. It is the actions. Even if you are not going to sell or use the data, with the types of data you are storing, you are profiling an identity. 

With the news app, if we were to store what kind of news they read etc. then yes ID again would be a personal data. And If we have some kind of chat mechanism then again any identifier of that ‘chatter’ would be personal data again.

@vlads Thank you!

Thank you so much Corona for finally supporting GDPR and thanks to all those who push this so hard to get resolved quickly.

I have to update almost 35 games and there is very little time. I think I need to work hard, but can someone please tell me exactly what I have to do now? Do I only need to take builds and update them on the store? I am using Admob, Chartboost, Flurry, Facebook, firebase, gpgs for leaderboards and kochava. Please tell me: do I need to add some kind of consent form, or do I need to remove these plugins and push all live?

I think when Corona says that in the latest build we are not collecting any data, it means we are all set to launch and safe with plugins too, but I just want to confirm once.

Thanks in Advance,

@sahil19.sindh We are not set with plugins unfortunately. Those plugins share personal or non-personal data with those companies. Chartboost plugin needs an update for example. They launched a new SDK but I think we are not using the new plugin at the moment? The difference with the new plugin is that you can pass a parameter and when Chartboost receives that parameter, they will delete all of the data related to that user (as this is users’ right to remove all the data that are related to them). We need this kind of update for all the necessary plugins. But some didn’t release, some Corona didn’t update yet. Till this is resolved, I will be doing this manually. When my users request data erasure, I will get the necessary information from them to identify and pass this request to my “data processors”. It is hard but necessary.

In short;

  • Get their consent for the personal data your plugins may collect and you collect
  • Give them the option of withdrawing that request
  • Show them that they have the right “to be forgotten” (deleting every piece of data that is collected via your app and stored) and get ready to fulfill those requests either manually or via an automated system.
  • If you are passing personal data to your server, make sure you are using encryption and applying the necessary security practices.
  • Update your Privacy Policy and identify those 3rd-party companies
  • Dump the insecure companies you are working with
  • Minimize your personal data collection
  • Make sure you have the legal basis to use/store each personal data you collect (see https://gdpr-info.eu/art-6-gdpr/)

Am I missing anything?

Ok. Thanks for the information. I understand this process, but in short does it mean I need to remove all the plugins from all my games, including gpgs for leaderboard and Admob too, until watertight plugins are provided from Corona? Till then all revenue will be zero and no score will be updated to the GPGS Leaderboards. I have no servers of my own to collect data and also I send no data implicitly to any of these.

@sahil19.sindh I would not do that myself. Just tell them you are disclosing their advertising ID and perhaps device ID too to those advertising companies and if they give their consent, they can continue but as I’ve said you have to make sure you complete those steps (withdrawing consent, data removal etc). If you are not ready to do them all before the deadline, do as you said and disable them until you meet those requirements and then send an update.

Ok. I will do one thing. I will disable flurry, kochava, firebase, facebook, chartboost for now. I will just leave gpgs for leaderboards and admob for a little bit of revenue. For admob I will give a consent form as you said. If they agree they can continue, but what if they say no? Also, how do I achieve this withdrawing consent and data removal part that you told me about if I use just admob and gpgs? I am really confused with this. If I remove admob then my business will be closed; if I remove leaderboards then I will get bad reviews for the update.

I don’t have any ads on any of my games but am thinking about adding appodeal. Is that now GDPR compliant? Is there any consent I have to get from players? Also, is the Google Play Games leaderboard plugin thing GDPR compliant?

I want to make sure we are clear on this point. Corona is collecting usage metrics from end user apps. We are a data driven company and need to have this data. We however are collecting that data in a safe way that contains no personal information that would require you to ask for permission. We also collect data on plugin usage, but we also now do that in a safe way that contains no personal information. You do not need to ask for permission on this.

Now if you’re using ad and analytics plugins (and other similar plugins that depend on some type of ID) you will still need to present a consent form to the user and get their consent. Corona can’t control what data a service’s SDK collects and sends. We just wanted to get Corona out of the way in your GDPR implementation. You will have to use daily build 3286 or later. Any older builds of Corona will not be GDPR compliant.

Your basic process should be something like:

  1. Determine if your user is in the EU and guided by GDPR (or optionally just show your dialogs to everyone)

  2. Show a consent form with a link to your privacy policy, a list of all of the plugins you’re using that collect data, and links to their privacy policies.

  3. If the user does not provide consent, simply don’t initialize that plugin *(see note below)

  4. Provide a way, perhaps on your settings screen for your end users to change their mind. If they withdraw permission later, don’t init the plugin, if they grant permission, init the plugin.  Of course you will have to wrap your various .load() and .show() API calls with if statements based on the permissions being granted or not.

* Appodeal is in the process of releasing a version of their SDK (and we are in the process of adding that support to the Appodeal plugin) where you can still initialize the plugin and call the various ad .load() and .show() functions, but if permission is not granted for data collection, the ads will be generic and less relevant. That’s why it’s critical to understand what Appodeal is doing as written here: https://blog.appodeal.com/blog/2018/05/08/appodeal-gdpr-guide/

I don’t know at this time what the API call will look like to let Appodeal know if consent has been granted or not.

I also don’t know what the other ad providers are planning or how fast we can implement features supported by new SDKs. 

Don’t be afraid to ask for consent. You’re not the only app developer having to do this. Native developers, other framework developers and more will be doing this as well. Maybe at some point the EU may back off of this. 

If ad income is critical to your app, you should consider adding an In-App purchase to continue using the app without ads so you can have an alternate revenue stream.  As for GPGS, I would think most people would grant permission for that. But it’s their call.

Rob
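
The process Rob outlines above, sketched as an added example in plain Lua (not Corona's or any plugin's own code): `ConsentGate`, `fakeAds` and the `"ads"` key are hypothetical names, and the in-memory store stands in for a small file kept on the device.

```lua
-- Added example (plain Lua 5.1). ConsentGate, fakeAds and "ads" are hypothetical.
local ConsentGate = {}
ConsentGate.__index = ConsentGate

-- store.load()/store.save(t): in an app, a small file on the device itself.
function ConsentGate.new(store)
    return setmetatable({ store = store, choices = store.load() or {}, plugins = {} }, ConsentGate)
end

-- choices[name] is true, false, or nil (never asked: show the consent form).
function ConsentGate:needsPrompt(name) return self.choices[name] == nil end

-- Initialise a plugin only once consent for it is on record (step 3).
function ConsentGate:sync(name)
    local p = self.plugins[name]
    if p and self.choices[name] == true and not p.started then
        p.plugin.init()
        p.started = true
    end
end

function ConsentGate:register(name, plugin)
    self.plugins[name] = { plugin = plugin, started = false }
    self:sync(name)
end

-- Called by the consent form and by the settings screen (steps 2 and 4).
function ConsentGate:setConsent(name, granted)
    self.choices[name] = granted and true or false
    self.store.save(self.choices)
    self:sync(name)
end

-- Wrapper for .load()/.show(): does nothing unless consent is currently granted.
function ConsentGate:call(name, method, ...)
    local p = self.plugins[name]
    if not (p and p.started and self.choices[name] == true) then return false end
    p.plugin[method](...)
    return true
end

-- Constructed demo: in-memory store and a stand-in plugin that logs its calls.
local saved, log = {}, {}
local store = { load = function() return saved end, save = function(t) saved = t end }
local function rec(tag) return function(kind) log[#log + 1] = tag .. (kind and " " .. kind or "") end end
local fakeAds = { init = rec("init"), show = rec("show") }
local gate = ConsentGate.new(store)
gate:register("ads", fakeAds)
print(gate:needsPrompt("ads"), gate:call("ads", "show", "banner"))
gate:setConsent("ads", true)
print(gate:call("ads", "show", "banner"))
gate:setConsent("ads", false)
print(gate:call("ads", "show", "banner"), table.concat(log, ", "))
```

A plugin that was already initialised stays loaded for the rest of the session after consent is withdrawn; the gate only stops further calls, and the plugin is not initialised again on the next launch.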

sahil19.sindh

The game services like game center and google play services are GDPR compliant (as far as I have read). 

  1. They request permission for every app that uses it.

  2. They state the data that they will share.

  3. The user is able to remove consent by logging out or delete the permission from the game.

The current version of Admob that the Corona plugin is using is technically GDPR compliant, it just doesn’t have the hooks to turn off consent. Show a consent dialog with a button. Appodeal has an example in their latest SDK. If they don’t give you consent you can’t show the ads. If they do then show ads.

What else can you do if they don’t give you consent for ads?  

  1. Direct them to the paid version or a paid in-app purchase option.

  2. Show static internal ads for your other games until we get updated plugins.

  3. Don’t let them play the game. (I’d rather let them play and then re-introduce ads when we have an option).

  4. Use an ad provider whose default is no consent. Startapp is the only one so far that has confirmed to me that that is the case.

5. I would also start implementing Appodeal. They will probably update their plugin first.

To remove data, have a way for the user to send you a message with their advertising id. Then forward that advertising id to Admob and request that they remove all data associated. Same for a request for data.

Another option is to stop offering your app in the countries impacted by GDPR.

Ok, we understand. So you mean if a user withdraws his consent then we need to ask admob manually to remove all data related to that advertising id,
which we are supposed to get from using plugin.advertisingId and using method .getAdvertisingaid.

Also we are safe to use gpgs for leaderboards, but we just need to give a link to the privacy policy and tell users we use gpgs.

Yes, and you need to do that for all the personal data collectors that are using your apps to do it. I like how @agramonte provided multiple solutions by the way.

Is there any app in the market which has met GDPR compliance? I really want to test that out and see how it works. If anyone knows of any such app, please tell the others.

The notes for 3286 state “iOS/Android: Corona built apps would not send any personal information about user”, does this mean that Mac/Win/Web still do, or that they never did in the first place?

We are collecting stats on those platforms, but we were doing so without sending IDs. We are not sending stats from HTML5 at all.

(incomplete information post removed and replaced with this one)

Rob

This? Has anyone seen any of the bigger publishers implement the consent as yet?

Also I have not read about it too much, but do we need to store whether the user has accepted or denied consent? What do we store if the user denies consent on our side? Some form of ID surely to associate the device to the denial of consent. Wouldn’t this be non-compliant regardless, as the user would deny, yet we have to store some form of PII (ID) anyway?