Jump to content

[TOPIC: topicViewTemplate]
[GLOBAL: userSmallPhoto]
Photo

GDPR Compliance
Started by Studycat2 Mar 20 2018 10:17 PM

- - - - -
212 replies to this topic
gdpr data privacy compliance europe
[TOPIC CONTROLS]
Page 3 of 9 1 2 3 4 5 »
This topic has been archived. This means that you cannot reply to this topic.
[/TOPIC CONTROLS]
[modOptionsDropdown]
[/modOptionsDropdown]
[reputationFilter]
[TOPIC: post.html]
#51

Glitch Games

[GLOBAL: userInfoPane.html]
Glitch Games
  • Contributor

  • 597 posts
  • Corona SDK

Looks like Unity are tracking quite a lot of stuff too - https://twitter.com/glassbottommeg/status/986635257242796032



[TOPIC: post.html]
#52

bgmadclown

[GLOBAL: userInfoPane.html]
bgmadclown
  • Contributor

  • 706 posts
  • Corona SDK

@SGS, if Google Analytics store the REST request IP addresses, don't you still need a way to address that in your privacy policy to avoid violating GDPR?



[TOPIC: post.html]
#53

SGS

[GLOBAL: userInfoPane.html]
SGS
  • Corona Geek

  • 2,108 posts
  • Corona SDK

[TOPIC: post.html]
#54

bgmadclown

[GLOBAL: userInfoPane.html]
bgmadclown
  • Contributor

  • 706 posts
  • Corona SDK

I didn't know about that. Thank you :)



[TOPIC: post.html]
#55

SGS

[GLOBAL: userInfoPane.html]
SGS
  • Corona Geek

  • 2,108 posts
  • Corona SDK

I only send session start and session end events.  I used to track more granular data but quickly ran into the free limits of Analytics. 

 

They say 10 million per month but really started complaining at around 60 million per month.



[TOPIC: post.html]
#56

Studycat

[GLOBAL: userInfoPane.html]
Studycat
  • Enthusiast

  • 94 posts
  • Corona SDK

Anonymizing IPs is necessary, but not enough. You can't have a unique ID per user, not even a random number, because that now qualifies as PII. 

 

We are considering sharing a smaller number of random IDs ('buckets') among a large group of users in order to learn usage trends while not being able to pinpoint any one user's behavior. We will be missing out on some measurements e.g. anything involving uniques, while still being able to see overall figures.

 

Anyone have comments on this approach? How big should a bucket be to consider the data non PII?



[TOPIC: post.html]
#57

SGS

[GLOBAL: userInfoPane.html]
SGS
  • Corona Geek

  • 2,108 posts
  • Corona SDK

@studycat what is the source for "You can't have a unique ID per user, not even a random number, because that now qualifies as PII"?

 

As just about everything will require some form of unique identifier?  For sure, any game with an online element will need this.

 

I don't track user activity - only on and off - so I hope I am OK.



[TOPIC: post.html]
#58

agramonte

[GLOBAL: userInfoPane.html]
agramonte
  • Corona Geek

  • 1,149 posts
  • Corona SDK

Any ID what you can track and go back see what that person did is personal data and requires explicit consent from that user. That includes ip, both ad id and vender id from apple as well as any generated Id you create. This is from the regulation document. Name, Id number, location data or....

 

 

 

Rec.26; Art.4(1)

"Personal data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifiersuch as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.



[TOPIC: post.html]
#59

SGS

[GLOBAL: userInfoPane.html]
SGS
  • Corona Geek

  • 2,108 posts
  • Corona SDK

I think maybe the hype (and threat of massive fines) somewhat clouds the judgement.  We are not Facebook and we do not sell our players data.  As long as we stick to the general principles I think we are fine.

 

I imagine they will take a top down approach and go for the bigger fish first.  We are minnows and we can feel safe in our little rock pool.

 

Lets see how the big games handle things.... If they generally pop a message about opting in then we should follow.



[TOPIC: post.html]
#60

agramonte

[GLOBAL: userInfoPane.html]
agramonte
  • Corona Geek

  • 1,149 posts
  • Corona SDK

I agree that we won't be sued first and we have some time to see what others do. I am fairly sure that AdColony will be one of the first to be sued since they claim that their data collection is essential. From their FAQ.

 

 

 

AdColony will not request nor require consent from a user in order to display advertisements. We believe that our legitimate interest is appropriate given the value we bring to sustaining a healthy ecosystem amongst users, advertisers, and publishers after having conducted a legitimate interest assessment.


[TOPIC: post.html]
#61

agramonte

[GLOBAL: userInfoPane.html]
agramonte
  • Corona Geek

  • 1,149 posts
  • Corona SDK

What I find so interesting about this mess is what aggregators like Appodeal will do. Apparently AdColony doesn't want a consent, but for example, Chartboost requires a consent. So what in the world would Appodeal do? 

 

 

 

Chartboost is a “Controller” with regard to the personal data that we process of European data subjects. Chartboost relies on its publishers to get consent for Chartboost to process such data.


[TOPIC: post.html]
#62

SGS

[GLOBAL: userInfoPane.html]
SGS
  • Corona Geek

  • 2,108 posts
  • Corona SDK

I use deviceid as a unique identifier.  As this is device level it does not (I hope) classify as PII as it doesn't technically identify a person and cannot be used to track a user across devices.

 

I also have FB integration and Google sign in but these are opt in.

 

For ads I only use Vungle (again these are also opt in) and they have confirmed they will be GDPR compliant http://vungle.com/gdpr-faq/.

 

So I am going with the above + a clear privacy policy which explains all this will be good enough.

 

That only leaves Corona harvesting PII as the problem.



[TOPIC: post.html]
#63

Studycat

[GLOBAL: userInfoPane.html]
Studycat
  • Enthusiast

  • 94 posts
  • Corona SDK

We're working within our team to identify data we're collecting we will publish a statement when we are ready. We will make sure that apps are compliant with GDPR from our side.

We are aware of the issue and working both on becoming GDPR compliant ourselves (Simulator & Native) and making sure Corona is not in a way of making your apps compliant.
 
So, yes, SGS, for now we can release same statement as Unity did: we're looking into it, assessing data we collecting and trying to decide if we're compliant in handling it.

 

@vlads

 

If Corona continues to collect any PII data (including any kind of unique identifier per user), then Corona developers must show a consent popup at app start, detailing what data is collected, what it is used for, and for how long it is stored.  As this data is sent to Corona servers, we developers don't know the answers to these questions, so we can not reasonably present this popup to users. 

 

If a user does not consent to this popup, then we are obliged, under GDPR, to still allow the user access to the app - we can not quit the app if they don't consent. This means Corona would need to accept that the user does not want their data collected, and not collect it. 

 

I propose that Corona allows app developers to decide whether or not Corona collects our users' data, rather than deferring to our end-users for the decision.

 

We would be happy to pay an annual subscription to Corona in exchange for this guarantee.



[TOPIC: post.html]
#64

Develephant

[GLOBAL: userInfoPane.html]
Develephant
  • Corona Geek

  • 1,450 posts
  • Corona SDK

Any ID what you can track and go back see what that person did is personal data and requires explicit consent from that user. That includes ip, both ad id and vender id from apple as well as any generated Id you create. This is from the regulation document. Name, Id number, location data or....

 

I concur with @SGS that a device and a person are two different things. As long as the app has collected no personal information, all I know is that a "device" connected, etc. It gives me no personally identifiable information about the device owner that I can associate with that user.

 

-dev



[TOPIC: post.html]
#65

kbradford

[GLOBAL: userInfoPane.html]
kbradford
  • Contributor

  • 234 posts
  • Corona SDK

Not sure why people think DeviceID is okay to use.  GDPR clearly states its classified as an identifier because it allows you to track a user's actions.

 

IP, DeviceID, Username, or Real Name are all identifiers that must be consented to, have the ability to be deleted, and ability to opt-out completely.



[TOPIC: post.html]
#66

Develephant

[GLOBAL: userInfoPane.html]
Develephant
  • Corona Geek

  • 1,450 posts
  • Corona SDK

Hi,

 

I'm not clear on how a device identifier that has no relationship to any information "to the physical, physiological, genetic, mental, economic, cultural or social identity of that person." falls in to that category. But that's just my opinion. I'm certainly not a lawyer.

 

I agree that seeing how the bigger publishers go about it will be telling.

 

-dev



[TOPIC: post.html]
#67

kbradford

[GLOBAL: userInfoPane.html]
kbradford
  • Contributor

  • 234 posts
  • Corona SDK

I agree it will be interesting to see how big publishers handle it, and you would likely never get in trouble if you used Device ID.  But everything I've read points to device ID being equally sensitive as an IP address and that is personal data.

 

Check this article out, it provides good data about what is generally considered personal data: http://privacylawblog.fieldfisher.com/2015/getting-to-know-the-gdpr-part-1-you-may-be-processing-more-personal-information-than-you-think/

 

The important quote is here: "The GDPR makes clear that the concept of personal data includes online identifiers and location data – meaning that the legal definition of personal data now puts beyond any doubt that IP addresses, mobile device IDs and the like are all personal and must be protected accordingly.  This means that these types of data will now be subject to fairness, lawfulness, security, data export and other data protection requirements just like every other type of ‘ordinary’ personal data."



[TOPIC: post.html]
#68

agramonte

[GLOBAL: userInfoPane.html]
agramonte
  • Corona Geek

  • 1,149 posts
  • Corona SDK

I agree kbradford from all I have read about the law it is clear deviceId, a random number or even a username is considered personal data. I know a lot of people don't like to hear that because it makes things extremely complicated, but I have not seen anything written that would contradict that.

 

You can always go the adcolony route and say that yes you are collecting personal data but that it is essential for the users of your app. I think you have a stronger footing with that argument than adcolony will ever have. 



[TOPIC: post.html]
#69

Chribbe

[GLOBAL: userInfoPane.html]
Chribbe
  • Enthusiast

  • 73 posts
  • Corona SDK

@Corona: We really need some info on this now - We're working on getting our games ready for the deadline in 30 days, and we need to build out new versions of all of them and getting them live on the stores before that. So we urgently need to know about the data/stats Corona is collecting through our games and that Corona is complying with all responsibilities that comes with doing this so that we can plan for it and add it to a consent dialog, or preferably just make sure Corona is not collecting any user info. 

 

@SGS Agree with others here - from what i understand deviceID is definitely requiring consent (And for pretty good reasons as well - you're likely the only one using a device and it's also likely that many services you are signed up for has connected your name and other personal info to your device id already). Maybe you could just save a randomly generated number instead on first startup that you would store locally on the phone. It would be unique just for one install of your game and you can't do any cross stats of users between apps - but should be good enough for stats etc.



[TOPIC: post.html]
#70

SGS

[GLOBAL: userInfoPane.html]
SGS
  • Corona Geek

  • 2,108 posts
  • Corona SDK

@Chribbe if deviceID is counted as PII then any random number would too as this would have to be unique and therefore identify a particular user.

 

My games only save to my servers when players reach level 10 (saves filling up the DB with non-serious players) so If I was to show consent then i could time it with a "would you like your game backed up......" style message.  This should be a positive for the player rather than a "we are tracking you....." style message.

 

But the issue is Corona logging data.

 

Curiously, my FB app asked for permissions for this and the only options were "accept their terms" or "delete Facebook".



[TOPIC: post.html]
#71

agramonte

[GLOBAL: userInfoPane.html]
agramonte
  • Corona Geek

  • 1,149 posts
  • Corona SDK

@SGS that is a great idea. For people who play once or twice their is no need to show or store anything.



[TOPIC: post.html]
#72

Rob Miracle

[GLOBAL: userInfoPane.html]
Rob Miracle
  • Moderator

  • 25,793 posts
  • Enterprise

Our team is trying to determine the data that we are collecting. We are working on this as fast as we can.

 

Rob



[TOPIC: post.html]
#73

perflubron

[GLOBAL: userInfoPane.html]
perflubron
  • Contributor

  • 134 posts
  • Corona SDK

Regarding Google Analytics, and what identifier is safe to use: After reading a lot about GDPR recently I have come to the conclusion that a random UUID per app cannot possibly be considered personally identifiable information. 

 

My approach for GA is thus:

- Anonymize the IP

- Generate a UUID on first launch of the app, and use it for GA tracking

 

This means if user Bob has 3 of my apps then he will have 3 UUIDs. My stats (such as MAU) per-app will be correct, but for the portfolio as a whole the number will be inflated a bit.



[TOPIC: post.html]
#74

agramonte

[GLOBAL: userInfoPane.html]
agramonte
  • Corona Geek

  • 1,149 posts
  • Corona SDK

@perflubron your assumption is not correct. It is written in the document in Article 4 under the definition of personal data: generated ids are personal data. Again as I have stated before the likelihood of anybody coming after you because you are using a GUID to track nothing really traceable is really small.



[TOPIC: post.html]
#75

perflubron

[GLOBAL: userInfoPane.html]
perflubron
  • Contributor

  • 134 posts
  • Corona SDK

@agramonte I'll agree to disagree :) (given anonymous IP combined with a generated ID for each app, and that generated ID only lives on the user's device). Could you link to your source?

 

I read about pseudonymous data here, perhaps that is what you think affects me (https://iapp.org/news/a/top-10-operational-impacts-of-the-gdpr-part-8-pseudonymization/)? The difference in my case is that I'm not taking a real ID and then separating it from the data. I'm sending the data on an anonymous ID in the first place.

 

But I'm no lawyer. 

 

Anyway, I was inspired to write up my overall approach for GDPR compliance in a Medium store: https://medium.com/@perhaglund/how-i-hope-to-make-my-apps-compliant-with-eu-gdpr-and-gdpr-k-e37578fa6ecd




[topic_controls]
Page 3 of 9 1 2 3 4 5 »
 
[/topic_controls]