Search Unity

  1. We are migrating the Unity Forums to Unity Discussions. On July 12, the Unity Forums will become read-only. On July 15, Unity Discussions will become read-only until July 18, when the new design and the migrated forum contents will go live. Read our full announcement for more information and let us know if you have any questions.

GDPR and CCPA region identification

Discussion in 'Unity Analytics' started by tessellation, Jul 10, 2020.

  1. tessellation

    tessellation

    Joined:
    Aug 11, 2015
    Posts:
    399
    The GDPR and CCPA data privacy laws affect citizens of the EU and residents of California. I live in Washington state and when I install and run popular games from big game companies, they don't prompt me for consent to opt-in to sharing my data. My assumption is that these companies are able to detect the region that a user has installed the app from and so they only prompt for consent when a user resides in the EU or CA.

    At the moment, I don't have a good way to detect this and Unity doesn't provide this information. Device language isn't an accurate measure of citizenship and wouldn't help at all with US state residency.

    I'm looking for advise on how to detect these users. Is it practical for Indie developers to do this? Are there SDKs or services that do this? What are you using for your games?

    Our current plan, in lieu of region detection, is to prompt for consent for all installs. I would love to hear from Unity about this: if there are plans to make this easier in the future.

    Thanks for the advise!
     
    el_Guero likes this.
  2. JeffDUnity3D

    JeffDUnity3D

    Joined:
    May 2, 2017
    Posts:
    14,446
  3. tessellation

    tessellation

    Joined:
    Aug 11, 2015
    Posts:
    399
    Thanks for the reply. I don't think that's legally possible for GDPR in the case where you want to collect game analytics. In this case I believe you'd need to set "Analytics.initializeOnStartup = false" and then prompt for consent. My understanding ("I'm not a lawyer" disclaimer) is that GDPR is opt-in, whereas CCPA is opt-out. Even with CCPA, the "Do Not Sell" button needs to be really obvious, not buried in a secondary-screen.

    I was previously putting the Data Privacy button within our Options UI, but we're also using an Ad Mediator now so we need to prompt for consent because it isn't necessarily UnityAds being shown the first time.
     
    WaqasGameDev likes this.
  4. JeffDUnity3D

    JeffDUnity3D

    Joined:
    May 2, 2017
    Posts:
    14,446
  5. tessellation

    tessellation

    Joined:
    Aug 11, 2015
    Posts:
    399
    An engineering contact of mine suggested services like maxmind geoip. I don't know how "indie-friendly" their plans are in terms of pricing, but my biggest legal concern would be that the state-level detection by IP is only 80% accurate. This could work for GDPR, however, since country accuracy is 99.8%.
     
    JeffDUnity3D likes this.
  6. kumade

    kumade

    Joined:
    Nov 3, 2016
    Posts:
    52
    Hey did you find any good way for an indie studio to detect if user needs to be asked about his CCPA consent?
    Great game btw! Keep up the great work!
     
  7. tessellation

    tessellation

    Joined:
    Aug 11, 2015
    Posts:
    399
    Not at the state level, since the accuracy is only 80% (at least for maxmind geoip). Right now our game asks for consent in all countries, just to be kind and fair to all users. However, if you only want to prompt for players that fall under these laws and you want to ensure compliance with the laws, you'll probably want to ask for consent for all players in the USA and EU. Country accuracy is high (99.8%) and the prices for country lookup are far cheaper. I am not an authority on this, so this is just what I learned so far with my limited research and legal knowledge on the subject.

    Thanks, I'm glad you like Tiny Bubbles!
     
  8. kumade

    kumade

    Joined:
    Nov 3, 2016
    Posts:
    52
    Thank you for the tips! Ridiculous how the entire world of developers big and small should suffer now because Californians decided to be so special :)
     
  9. WaqasGameDev

    WaqasGameDev

    Joined:
    Apr 17, 2020
    Posts:
    118
    Hi, I am also using an Ad Mediator, i.e. Admob for mediation with Unity Ads. Can you guide me how to forward CCPA consent from admob to UnityAds?
    As the case with GDPR consent forwarding, admob states at https://developers.google.com/admob/unity/mediation/unity#eu_consent_and_gdpr

    The Unity C# code linked on the Unity Ads GDPR Compliance guide is not compatible with the mediation plugin for Unity Ads. To manually pass consent to Unity Ads in the context of mediation, use the UnityAds.SetGDPRConsentMetaData() method as shown above.

    Here admob guides that how to forward consent of GDPR to UnityAds in alternate way but does not guide about CCPA consent forwarding?
    Thanks.
     
  10. el_Guero

    el_Guero

    Joined:
    Sep 15, 2017
    Posts:
    186
    Reviving this old thread since I haven't found anything else about it. I'm using MAX to monetize, but they are deprecating the geo locator that was included until now. So I have to find my own (or write my own). Has anyone a solution for this? Both GDPR and CCPA?
     
  11. RandolfKlemola

    RandolfKlemola

    Unity Technologies

    Joined:
    May 1, 2020
    Posts:
    130
    HI el_Guero,

    The latest iteration of Unity Analytics likely has more information on this when previously discussed back in 2020. Please have a look at the Data privacy and consent documentation within the Unity Analytics docs (including the links for Complying with PIPL & Complying with GDPR & CCPA).
    Best,
    Randy
     
  12. unitynoob24

    unitynoob24

    Joined:
    Dec 27, 2014
    Posts:
    398
    @tessellation I stumbled into this thread because I was super confused about all of this stuff a few days ago. My app uses unitys iap, unity ads, and unity ugs analytics(5.0). I checked out your app Tiny Bubbles, super polished - nice work!

    Wanted to ask if since I'm using the default unity ads, do I also need consent stuff for ads? - it sounds like if I'm not using the custom/developer ad stuff I don't have to handle that at all; but will need a separate one for analytics of course. I really like your approach of just giving the consent dialogue no matter what basically, looking at your app was super helpful! I think that is how I am going to implement it as well. Just wanted to double check :) I also may paraphrase your body copy if that's cool! lol
     
    tessellation likes this.
  13. tessellation

    tessellation

    Joined:
    Aug 11, 2015
    Posts:
    399
    Hey thanks @unitynoob24. So yeah I decided that consent is the "right thing to do" anyway and I figured countries and states are adding data privacy laws every month now it seems, so I don't bother checking for region and just ask for consent (and now also neutral age gate with the latest versions). This means you won't have to continually update the app and monitor worldwide privacy laws. UnityAds does handle consent if you don't, but it's simpler for the user if you ask for it yourself and then pass the results to all your SDKs since we use various analytics systems, ads, Android Performance Tracking, crash catching, email mailing lists, feedback systems, etc. All these things collect data and as you add new features, you'll already be covered by having an umbrella data-privacy system. Also if you're ever thinking about doing Google Play Families program so that user's under 13 are able to download your app from the Play Store, you'll need to have all this stuff in place.
     
    Firemaw and unitynoob24 like this.
  14. unitynoob24

    unitynoob24

    Joined:
    Dec 27, 2014
    Posts:
    398
    Perfect, thanks so much! Makes sense to me, I'd rather have a one size fits all vs having to push additional updates just to stay compliant for this sort of stuff. :)
     
    tessellation likes this.
  15. JulianNeil

    JulianNeil

    Joined:
    Jun 27, 2022
    Posts:
    115
    Hi there @tessellation. I'm wondering what you do if consent is not given? I am struggling to understand how I can monetize using ads if I'm not allowed to crimp functionality when ads are refused. According to the gdpr you're not allowed to hide functionality behind consent.

    I'm thinking of just putting functionality behind a paywall for eu users... but that leads me back to your original problem. How do I know when to use the Paywall.
     
    Last edited: Oct 1, 2023
  16. MiTschMR

    MiTschMR

    Joined:
    Aug 28, 2018
    Posts:
    529
    What I do is provide the user with a popup screen linking to my Terms of Services and Privacy Policy in how data is handled in the services and a button to confirm. If they don't consent, they are not allowed to use the app. This is how many big companies do it and, in my opinion, a legitimate way.
     
    Firemaw likes this.
  17. JulianNeil

    JulianNeil

    Joined:
    Jun 27, 2022
    Posts:
    115
    That sounds sensible to me, but apparently it hasn't satisfied the European Data Protection Board (EDPB). Consent walls like the one you've described apparently aren't compliant with GDPR. You can only prevent functionality that actually requires the permission you're getting consent for. e.g. if your users don't give you permission to store data on the device - maybe you would disable progress saving.

    I suppose the intent is to prevent companies from using privacy - i.e. user's activity data - as a commodity, but in effect it seems a bit disproportionate.

    From January 2024 to serve ads from Google's ad services publishers will have to use a google certified consent management solution conforming with TCF 2 . https://support.google.com/admanager/answer/7673898?sjid=8302715550993624366-AP . The discussions of google's recommended CMP implementation on the google admob sdk group are long - repetitive - and provide no real answers to how devs can sensibly gain consent for advertising in the EU.

    Honestly, I am baffled that there doesn't seem to be an implementable answer to this - and I'm a bit stuck as to how best to proceed.

    Is there any easy way to determine if a user is in EU ( or California, Switzerland, Brazil I suppose - all have more restrictive privacy legislation )?

    I'm getting to the point where the implementation and maintenance of consent is so onerous, that I might just put up a free limited version - with additional functionality behind a paywall. Somehow I think that would kill a game like mine (relatively simple casual word game).

    Any advice from experienced players would be appreciated.
     
    Eneko_Tellmewow likes this.
  18. Eneko_Tellmewow

    Eneko_Tellmewow

    Joined:
    Dec 2, 2020
    Posts:
    2
    I'm currently implementing Google's CMP UMP in my games (following this), but this only applies to EEC and UK. I also need something to check if a user is in California or other restrictive region.