Jump to content

[TOPIC: topicViewTemplate]
[GLOBAL: userSmallPhoto]
Photo

GDPR Compliance
Started by Studycat2 Mar 20 2018 10:17 PM

- - - - -
212 replies to this topic
gdpr data privacy compliance europe
[TOPIC CONTROLS]
Page 1 of 9 1 2 3 »
This topic has been archived. This means that you cannot reply to this topic.
[/TOPIC CONTROLS]
[modOptionsDropdown]
[/modOptionsDropdown]
[reputationFilter]
[TOPIC: post.html]
#1

Studycat2

[GLOBAL: userInfoPane.html]
Studycat2
  • Enthusiast

  • 72 posts
  • Corona SDK

GDPR is coming to Europe this May, meaning all developers needs to ensure their websites/apps are compliant with this new stricter data and privacy regulation:

 

https://nilehq.com/journal/gdpr-for-dummies/

 

Can somebody from Corona please let us know: if we create an app in Corona, with no external plugins, is Corona sending or storing any user data on our behalf? 

 

Thanks

Studycat

 



[TOPIC: post.html]
#2

bgmadclown

[GLOBAL: userInfoPane.html]
bgmadclown
  • Contributor

  • 706 posts
  • Corona SDK

I guess Corona needs to be GDPR compliant at some point as well as the ad networks and other plugins that collect data. According to the additional links in the article you provided, that seems to be the case.



[TOPIC: post.html]
#3

Rob Miracle

[GLOBAL: userInfoPane.html]
Rob Miracle
  • Moderator

  • 25,793 posts
  • Enterprise

I'll bring it up to our team. I believe our privacy policy and privacy policy for App developers covers what we capture.

 

https://coronalabs.com/privacy-policy/

 

Rob



[TOPIC: post.html]
#4

SGS

[GLOBAL: userInfoPane.html]
SGS
  • Corona Geek

  • 2,108 posts
  • Corona SDK

@Rob, I believe the OP was about Corona built apps and what the framework sends over the internet.

 

I can see the sim has 5 different network connections.... what are these exactly?

 

Image1.png

 

I can only assume our compiled apps are constantly reporting to you too.

 

 



[TOPIC: post.html]
#5

Rob Miracle

[GLOBAL: userInfoPane.html]
Rob Miracle
  • Moderator

  • 25,793 posts
  • Enterprise

I understand @sgs, there is a link off of that privacy policy page for app developers. Here is that specific link:

 

Are we compliant with GDPR today? I have no idea. I've brought it up with the team who knows more about our analytics model than I do.

 

Rob



[TOPIC: post.html]
#6

SGS

[GLOBAL: userInfoPane.html]
SGS
  • Corona Geek

  • 2,108 posts
  • Corona SDK

Ah I missed the link!

 

I notice this bit in the privacy policy page for app developers

 

Developers: all information (including Personal Information) which is collected through an App as part of the Services is made available to the Developer of that App.

 

Can we have access to this data then please?  I am sure we would all like that detail.



[TOPIC: post.html]
#7

bgmadclown

[GLOBAL: userInfoPane.html]
bgmadclown
  • Contributor

  • 706 posts
  • Corona SDK

@sgs, I don't know if the changes were made recently but that seems like there should be an analytics tool in place like it was introduced before.

 

 

WHAT PERSONAL INFORMATION DOES CORONA LABS COLLECT?

We collect the following types of information from you when you use one of our Developer’s Apps: the bundle id or package name of the app, your IP address (including country of origin), device operating system (including version), unique device identifier identifier (“identifierForVendor” for iOS and tvOS or an Android code that uniquely identifies the device) not associated with any other personally identifiable information, and the current time each time you launch an App.

 

Cookies/SessionIDs – Although the Services do not place cookies on your device when you use an App, each time you launch an App, we assign a unique session ID (a “Session ID”) to that launch of the App which we associate with the other information that we collect during your use of the App during that launch session. We do not associate Session IDs with Personal Information.



[TOPIC: post.html]
#8

SGS

[GLOBAL: userInfoPane.html]
SGS
  • Corona Geek

  • 2,108 posts
  • Corona SDK

So this raises the question of how do we access this valuable data that, supposedly,  "is made available to the Developer of that App"?



[TOPIC: post.html]
#9

Rob Miracle

[GLOBAL: userInfoPane.html]
Rob Miracle
  • Moderator

  • 25,793 posts
  • Enterprise

I'm trying to find out from the team. Patience please.



[TOPIC: post.html]
#10

Chribbe

[GLOBAL: userInfoPane.html]
Chribbe
  • Enthusiast

  • 73 posts
  • Corona SDK

Also interested in this. It's hard to find good info on GDPR and what it means for mobile apps using ads SDKs, analytics etc. Seems no one really knows basically... 



[TOPIC: post.html]
#11

bgmadclown

[GLOBAL: userInfoPane.html]
bgmadclown
  • Contributor

  • 706 posts
  • Corona SDK

@Chribbe, I'm not an expert but for ads and analytics SDKs, developers are probably not considered as the "data collectors" but more of "data viewers". In the end, ads and analytics companies store all that data and probably, they will be the ones that need to compy with GDPR and not us. On the other hand, if you embed your own analytics system or collecting data of any kind, you'll probably need to offer a new privacy policy that is in lines with GDPR.



[TOPIC: post.html]
#12

Chribbe

[GLOBAL: userInfoPane.html]
Chribbe
  • Enthusiast

  • 73 posts
  • Corona SDK

@Chribbe, I'm not an expert but for ads and analytics SDKs, developers are probably not considered as the "data collectors" but more of "data viewers". In the end, ads and analytics companies store all that data and probably, they will be the ones that need to compy with GDPR and not us. On the other hand, if you embed your own analytics system or collecting data of any kind, you'll probably need to offer a new privacy policy that is in lines with GDPR.

 

Well, we can hope... But i'm not sure that will work out. Take a look at Googles new policy here for example, which i guess applies to Admob ads:

https://www.google.com/about/company/consentstaging.html 

 

 

For Google products used on any site, app or other property that is under your control, or that of your affiliate or your client, the following duties apply for end users in the European Economic Area.

You must obtain end users’ legally valid consent to:

  • the use of cookies or other local storage where legally required; and
  • the collection, sharing, and use of personal data for personalization of ads or other services

 

 

 



[TOPIC: post.html]
#13

SGS

[GLOBAL: userInfoPane.html]
SGS
  • Corona Geek

  • 2,108 posts
  • Corona SDK

Personally, I am more interested in 

 

Developers: all information (including Personal Information) which is collected through an App as part of the Services is made available to the Developer of that App.

 

And yes, AFAIK, we are responsible for the 3rd party platforms we integrate into our apps.  Just ensure your privacy policy is watertight and you specifically write about the plugins you use and what data they gather.  Most are only IP which is fine.  GDPR is more about personally identifiable information - name, age, location, email, etc. 

 

I note Corona is totally avoiding my request for app stats (something I remember we used to have) and that we should be good devs and "just be patient".  If I promised something to my players and they didn't get it I would be lynched in reviews!



[TOPIC: post.html]
#14

Chribbe

[GLOBAL: userInfoPane.html]
Chribbe
  • Enthusiast

  • 73 posts
  • Corona SDK

Personally, I am more interested in 

 

Developers: all information (including Personal Information) which is collected through an App as part of the Services is made available to the Developer of that App.

 

And yes, AFAIK, we are responsible for the 3rd party platforms we integrate into our apps.  Just ensure your privacy policy is watertight and you specifically write about the plugins you use and what data they gather.  Most are only IP which is fine.  GDPR is more about personally identifiable information - name, age, location, email, etc. 

 

I note Corona is totally avoiding my request for app stats (something I remember we used to have) and that we should be good devs and "just be patient".  If I promised something to my players and they didn't get it I would be lynched in reviews!

 

Don't promise something to devs and then not deliver... that's just crappy bad form in my boo

 

From what i've read both IP and deviceIds are considered personal data by GDPR? And - even with a "watertight" privacy policy you would still need to collect end users consent, and store the date and info to be able to show that you've actually have the consent from the end user.  But yea,it seems very unclear at the moment.



[TOPIC: post.html]
#15

SGS

[GLOBAL: userInfoPane.html]
SGS
  • Corona Geek

  • 2,108 posts
  • Corona SDK

Generally a public privacy policy will state (words to this effect) "that by playing our games you agree to....." and then you include all the legal jargon required to indemnify you.

 

As long as your privacy policy is publically available on the app stores I believe, legally, you are covered.

 

If you demand email addresses, etc. then that is a different convo.



[TOPIC: post.html]
#16

SGS

[GLOBAL: userInfoPane.html]
SGS
  • Corona Geek

  • 2,108 posts
  • Corona SDK

But still unanswered are

 

i) what all those network connections are from corona simulator (and by default our apps too)?  I have profiled running corona apps and can see the same behaviour in compiled apps.

 

ii) where are the developer analytics you promise? 



[TOPIC: post.html]
#17

Rob Miracle

[GLOBAL: userInfoPane.html]
Rob Miracle
  • Moderator

  • 25,793 posts
  • Enterprise

@sgs I'm trying to find answers for you.

 

Rob



[TOPIC: post.html]
#18

agramonte

[GLOBAL: userInfoPane.html]
agramonte
  • Corona Geek

  • 1,149 posts
  • Corona SDK

From the ad Networks that have GDPR already enabled I have noticed the following: after x amount of impressions (usually one or 2) the next interstitial or banner ad instead of being an ad will be a requesting permission dialog "ad" (for no better way to call it). The few times I have seen it is so awkward that I click no, but I still continue to receive ads (probably cheaper ads).

 

I was going to ask the question about Appodeal. Would each network have to show some sort of consent capturing dialog box or would you have a way to pass that the consent was acquired for all networks once? Interesting enough Appodeal already shows one consent capturing dialog box from Ogury if you enable it (or at least I assume so).



[TOPIC: post.html]
#19

bgmadclown

[GLOBAL: userInfoPane.html]
bgmadclown
  • Contributor

  • 706 posts
  • Corona SDK

@agramonte, so now we need to ask for permission to show ads or is it just for SDKs' targeting abilities?

 

@Chribbe, some publishers will clear that out soon before us but I guess we'll need to include links to the SDKs' privacy policies that we use, in the privacy policy link that we upload to the stores. Since it would be hard to always follow those pages if they've changed, this should be the logical way to go.



[TOPIC: post.html]
#20

agramonte

[GLOBAL: userInfoPane.html]
agramonte
  • Corona Geek

  • 1,149 posts
  • Corona SDK

According to Admob, it is expected that the app not only asks for consent but also store the consent. Admob has plans to help in the future by showing consent free ads but initially expects the publisher record and store the consent.

 

You can read more here:

 

https://searchengineland.com/report-google-asks-publishers-to-manage-user-data-consent-for-ad-targeting-in-eu-gdpr-294917

 

Here is an example of some consent UI that I have found:

 

https://www.bing.com/images/search?view=detailV2&ccid=7FbkufOL&id=C8A671BDF90B0AC2B25617FF648A2D15CF94D1BE&thid=OIP.7FbkufOLxAanVT5KaN3W2AHaEK&mediaurl=https%3a%2f%2fpagefair.com%2fwp-content%2fuploads%2f2017%2f08%2fpublisher-request.001-1024x576.png&exph=576&expw=1024&q=gdpr+consent&simid=608019529910324030&selectedIndex=5&ajaxhist=0

 

I don't have a choice since I have a bunch of users in Spain. So either I turn off my games in Spain or deal with this before May.

 

Adrian



[TOPIC: post.html]
#21

bgmadclown

[GLOBAL: userInfoPane.html]
bgmadclown
  • Contributor

  • 706 posts
  • Corona SDK

It seems that it's about targeting and I'm more than OK with that, I support the approach. Hope this becomes an industry standart worldwide in the near future. I don't like the fact that ad companies are collecting data in the background silently.

 

Looking at the screenshots, it seems that it's a feature that SDK's are going to implement and we'll probably make adjustments from their UI if we need to.



[TOPIC: post.html]
#22

bgmadclown

[GLOBAL: userInfoPane.html]
bgmadclown
  • Contributor

  • 706 posts
  • Corona SDK

Here is Flurry's state on GDPR. They seem to be tossing the ball to the developer.

 

https://developer.yahoo.com/flurry/docs/analytics/gdpr/



[TOPIC: post.html]
#23

SGS

[GLOBAL: userInfoPane.html]
SGS
  • Corona Geek

  • 2,108 posts
  • Corona SDK

I imagine a lot will "offload this responsibility to dev" and that sucks.

 

Personally, I use Google Analytics REST API (and not any plugins) so I control the data being sent so I have always anonymised that. 



[TOPIC: post.html]
#24

bgmadclown

[GLOBAL: userInfoPane.html]
bgmadclown
  • Contributor

  • 706 posts
  • Corona SDK

Does that mean there is nothing much to do for the developer that's just collecting event data to analyse player behavior or are we legally responsible for SDKs' behavior because we chose to integrate one?



[TOPIC: post.html]
#25

agramonte

[GLOBAL: userInfoPane.html]
agramonte
  • Corona Geek

  • 1,149 posts
  • Corona SDK

Most of them are claiming they are "processors". So either you do what SGS is doing use rest api and anonymized or you have to capture, store and then provide a mechanism for the user to remove consent.

 

This is from flurry you just linked.

 

 

Q: Do I need to update the Flurry SDK in my app for this?

A: In a processor role, Flurry assumes that the personal data that is sent to us has all the proper legal bases for its use in an Analytics capacity. What this means is that any Flurry SDK can be used to send personal data to Flurry as long as you have gained the proper legal basis to do so, whether via consent from the user, or another basis.




[topic_controls]
Page 1 of 9 1 2 3 »
 
[/topic_controls]