GDPR and CCPA region identification

The GDPR and CCPA data privacy laws affect citizens of the EU and residents of California. I live in Washington state and when I install and run popular games from big game companies, they don't prompt me for consent to opt-in to sharing my data. My assumption is that these companies are able to detect the region that a user has installed the app from and so they only prompt for consent when a user resides in the EU or CA.

At the moment, I don't have a good way to detect this and Unity doesn't provide this information. Device language isn't an accurate measure of citizenship and wouldn't help at all with US state residency.

I'm looking for advise on how to detect these users. Is it practical for Indie developers to do this? Are there SDKs or services that do this? What are you using for your games?

Our current plan, in lieu of region detection, is to prompt for consent for all installs. I would love to hear from Unity about this: if there are plans to make this easier in the future.

Thanks for the advise!

 

Unity provides a Data Privacy button, you don't necessarily need to prompt but just make it available in the UI.

https://assetstore.unity.com/packages/add-ons/services/unity-data-privacy-plug-in-118922

Note that you no longer need to import the asset, you have the privacy prefab when you install the Analytics Library from Package Manager

 

Thanks for the reply. I don't think that's legally possible for GDPR in the case where you want to collect game analytics. In this case I believe you'd need to set "Analytics.initializeOnStartup = false" and then prompt for consent. My understanding ("I'm not a lawyer" disclaimer) is that GDPR is opt-in, whereas CCPA is opt-out. Even with CCPA, the "Do Not Sell" button needs to be really obvious, not buried in a secondary-screen.

I was previously putting the Data Privacy button within our Options UI, but we're also using an Ad Mediator now so we need to prompt for consent because it isn't necessarily UnityAds being shown the first time.

 

This may help too https://unity3d.com/legal/gdpr

 

An engineering contact of mine suggested services like maxmind geoip. I don't know how "indie-friendly" their plans are in terms of pricing, but my biggest legal concern would be that the state-level detection by IP is only 80% accurate. This could work for GDPR, however, since country accuracy is 99.8%.

 

Hey did you find any good way for an indie studio to detect if user needs to be asked about his CCPA consent?
Great game btw! Keep up the great work!

 

Not at the state level, since the accuracy is only 80% (at least for maxmind geoip). Right now our game asks for consent in all countries, just to be kind and fair to all users. However, if you only want to prompt for players that fall under these laws and you want to ensure compliance with the laws, you'll probably want to ask for consent for all players in the USA and EU. Country accuracy is high (99.8%) and the prices for country lookup are far cheaper. I am not an authority on this, so this is just what I learned so far with my limited research and legal knowledge on the subject.

Thanks, I'm glad you like Tiny Bubbles!

 

Thank you for the tips! Ridiculous how the entire world of developers big and small should suffer now because Californians decided to be so special

 

Hi, I am also using an Ad Mediator, i.e. Admob for mediation with Unity Ads. Can you guide me how to forward CCPA consent from admob to UnityAds?
As the case with GDPR consent forwarding, admob states at https://developers.google.com/admob/unity/mediation/unity#eu_consent_and_gdpr

The Unity C# code linked on the Unity Ads GDPR Compliance guide is not compatible with the mediation plugin for Unity Ads. To manually pass consent to Unity Ads in the context of mediation, use the UnityAds.SetGDPRConsentMetaData() method as shown above.

Here admob guides that how to forward consent of GDPR to UnityAds in alternate way but does not guide about CCPA consent forwarding?
Thanks.

 

Reviving this old thread since I haven't found anything else about it. I'm using MAX to monetize, but they are deprecating the geo locator that was included until now. So I have to find my own (or write my own). Has anyone a solution for this? Both GDPR and CCPA?

 

@tessellation I stumbled into this thread because I was super confused about all of this stuff a few days ago. My app uses unitys iap, unity ads, and unity ugs analytics(5.0). I checked out your app Tiny Bubbles, super polished - nice work!

Wanted to ask if since I'm using the default unity ads, do I also need consent stuff for ads? - it sounds like if I'm not using the custom/developer ad stuff I don't have to handle that at all; but will need a separate one for analytics of course. I really like your approach of just giving the consent dialogue no matter what basically, looking at your app was super helpful! I think that is how I am going to implement it as well. Just wanted to double check I also may paraphrase your body copy if that's cool! lol

 

Hey thanks @unitynoob24. So yeah I decided that consent is the "right thing to do" anyway and I figured countries and states are adding data privacy laws every month now it seems, so I don't bother checking for region and just ask for consent (and now also neutral age gate with the latest versions). This means you won't have to continually update the app and monitor worldwide privacy laws. UnityAds does handle consent if you don't, but it's simpler for the user if you ask for it yourself and then pass the results to all your SDKs since we use various analytics systems, ads, Android Performance Tracking, crash catching, email mailing lists, feedback systems, etc. All these things collect data and as you add new features, you'll already be covered by having an umbrella data-privacy system. Also if you're ever thinking about doing Google Play Families program so that user's under 13 are able to download your app from the Play Store, you'll need to have all this stuff in place.

 

Perfect, thanks so much! Makes sense to me, I'd rather have a one size fits all vs having to push additional updates just to stay compliant for this sort of stuff.

 

Hi there @tessellation. I'm wondering what you do if consent is not given? I am struggling to understand how I can monetize using ads if I'm not allowed to crimp functionality when ads are refused. According to the gdpr you're not allowed to hide functionality behind consent.

I'm thinking of just putting functionality behind a paywall for eu users... but that leads me back to your original problem. How do I know when to use the Paywall.

 

What I do is provide the user with a popup screen linking to my Terms of Services and Privacy Policy in how data is handled in the services and a button to confirm. If they don't consent, they are not allowed to use the app. This is how many big companies do it and, in my opinion, a legitimate way.

 

That sounds sensible to me, but apparently it hasn't satisfied the European Data Protection Board (EDPB). Consent walls like the one you've described apparently aren't compliant with GDPR. You can only prevent functionality that actually requires the permission you're getting consent for. e.g. if your users don't give you permission to store data on the device - maybe you would disable progress saving.

I suppose the intent is to prevent companies from using privacy - i.e. user's activity data - as a commodity, but in effect it seems a bit disproportionate.

From January 2024 to serve ads from Google's ad services publishers will have to use a google certified consent management solution conforming with TCF 2 . https://support.google.com/admanager/answer/7673898?sjid=8302715550993624366-AP . The discussions of google's recommended CMP implementation on the google admob sdk group are long - repetitive - and provide no real answers to how devs can sensibly gain consent for advertising in the EU.

Honestly, I am baffled that there doesn't seem to be an implementable answer to this - and I'm a bit stuck as to how best to proceed.

Is there any easy way to determine if a user is in EU ( or California, Switzerland, Brazil I suppose - all have more restrictive privacy legislation )?

I'm getting to the point where the implementation and maintenance of consent is so onerous, that I might just put up a free limited version - with additional functionality behind a paywall. Somehow I think that would kill a game like mine (relatively simple casual word game).

Any advice from experienced players would be appreciated.

 

I'm currently implementing Google's CMP UMP in my games (following this), but this only applies to EEC and UK. I also need something to check if a user is in California or other restrictive region.