
Are we GDPR compliant by default if we only serve ads in our apps?

Discussion in 'General Discussion' started by AxPetre, May 21, 2018.

  1. AxPetre

    Joined: Jun 1, 2013
    Posts: 96
    GDPR is about to be enforced from the 25th of May 2018, and owners of apps who are not compliant risk receiving fines of up to 20,000,000 Euros or 4% of their gross income (whichever is higher?).

    But this regulation only applies to 'controllers' and 'processors' of personal user data (Article 3), and this is where it becomes questionable whether it applies to some of us at all.

    From the text of the regulation, the definitions are:

    Article 4, paragraph 7: 'controller' means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes AND means of the processing of personal data;

    Article 4, paragraph 8: 'processor' means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

    So, from the definitions above, it seems that if we're not collecting and storing any personal data from our users (name, IP, GAID, IDFA, etc.), but we do use ad networks which collect and store that kind of data, then we're neither controllers (because we don't determine the purpose and means of processing personal data, the ad networks do that), nor processors (because we don't process that personal data, the ad networks do that also). Therefore the GDPR doesn't apply to us at all, but rather to the ad networks that we're using in our apps.

    Is the reasoning above wrong? If so, in what way?
     
  2. zombiegorilla

    Moderator

    Joined: May 8, 2012
    Posts: 9,042
    It depends on your ad network. You may have to update your app with the latest version of their SDK. Check with your ad network provider and see if there are any steps that need to be taken.
     
  3. AxPetre

    Joined: Jun 1, 2013
    Posts: 96
    Thank you for your reply.

    However, I'm still not sure if it matters which ad network I use, as long as I'm not involved in determining the purpose and means of processing personal data, which I'm not, because only the ad networks do that, and I have zero access to that data and the means in which it is being collected and processed by them. If an ad network is non-compliant, then that network has all the responsibility because it is considered to be at least the 'controller', and likely also the 'processor' of that data, while the app developer is neither (unless it collects personal user data on its own).

    To hold the app developer responsible for what the ad networks are doing with the user data is analogous to holding an Internet browser developer responsible for what the websites displayed in that browser are doing with the user data, which is not reasonable at all.
     
  4. zombiegorilla

    Moderator

    Joined: May 8, 2012
    Posts: 9,042
    Sure, while true, if your provider requires an update to work properly, the result if you don’t may impact your service. And you also want to verify they are in compliance, and that things are happening on their end. If your app sends data to them (via the SDK in your app), you can be accountable; if the data is collected entirely on their side at request then you are ok. The reality is that there are instances/conditions in which you could be accountable. You want to contact / verify it with your ad provider to ensure you’re good.
     