Search Unity

GDPR Consent Storage

Discussion in 'Unity Ads' started by MoribitoMT, May 9, 2018.

  1. MoribitoMT

    MoribitoMT

    Joined:
    Jun 1, 2013
    Posts:
    294
    This all GDPR mess confuses me.

    I am keep seeing the consent taken from users should be stored in application own servers. How to handle this ? If I use 3 different ad companies such as Unity Ads, AdMob, AdColony etc.. should I store each consent in kind of a server ?

    Regards.
     
    chribbe likes this.
  2. rasmus-unity

    rasmus-unity

    Unity Technologies

    Joined:
    Aug 15, 2014
    Posts:
    1,168
    Hi,

    On mobile now, will provide full answer later. We will have opt-out feature in Unity Ads SDK, allowing users to opt out from us collecting personal data, first time an ad is shown on device,

    For the situation you are describing with mediators, we are working on a solution which will allow you game developers to ask users for consent. We will share more information soon.

    /Rasmus
     
    chribbe and MoribitoMT like this.
  3. MoribitoMT

    MoribitoMT

    Joined:
    Jun 1, 2013
    Posts:
    294
    Hi, thank you for clarification. In Google AdMob Website says

    "What records do I need to keep?
    Our policy requires that customers retain records of consent. At a minimum, these should include the text and choices presented to users as part of a consent mechanism and a record of the date and time of the user’s affirmative consent."

    Unity will store consent choices and dates in their servers ? Even if user delete the app / game ?
     
  4. rasmus-unity

    rasmus-unity

    Unity Technologies

    Joined:
    Aug 15, 2014
    Posts:
    1,168
    Thanks a lot for info. In any case you should follow the guidelines for integrating Google Admob.

    We implement and apply GDPR regulations based on advice from our legal department at Unity. Our goal and approach is to make it as easy as possible for game developers to integrate Ads SDK into your games, meaning that we implement the functionality to let users decide how we can use their personal data when displaying ads.

    Other ad networks likely has different approaches, and you should follow their guidelines when integrating.

    Hope it answers your question, in any case thanks for the information.

    /Rasmus
     
    technicat and MoribitoMT like this.
  5. MoribitoMT

    MoribitoMT

    Joined:
    Jun 1, 2013
    Posts:
    294
    Thank you.
    My other question is consent options.

    AdMob will have 3 options now:
    1. Personalized ad consent
    2. Non-Personalized ad consent
    3. Ad free ( which ridicilous option )

    Will Unity Ads have such an option like 'Ad Free", According to GDPR mess you have to have this option, and cannot close app / game if user chooses this option.
     
  6. rasmus-unity

    rasmus-unity

    Unity Technologies

    Joined:
    Aug 15, 2014
    Posts:
    1,168
    Hi,

    Please see the sections on opt-out in https://unity3d.com/legal/gdpr. We will provide opt-out option in the endscreen after the ad has been shown, allowing the user to opt out from "behavioral targeting"; we will not be having an "add free" option.

    EDIT: We will provide more information for publishers beginning of next week. Please stay tuned

    /Rasmus
     
    Last edited: May 11, 2018
  7. MoribitoMT

    MoribitoMT

    Joined:
    Jun 1, 2013
    Posts:
    294
    What will happen to outside of EU ? Will they see consent dialog ?
    What happens if I disable my games in EU from app stores ? Should I show consent still ?
     
  8. rasmus-unity

    rasmus-unity

    Unity Technologies

    Joined:
    Aug 15, 2014
    Posts:
    1,168
    Hi, our GDPR related information for publishers is now available on https://unityads.unity3d.com/help/legal/gdpr

    Please note that we don't ask for consent, but an option for users to opt-out of behavioral targeting, as described on the Publisher GDPR info page.

    And yes we will show the same UI for all users. Technically it's not trivial to reliably detect if a person is citizen of EU, and as we don't want to collect more information than necessary for displaying ads.

    I'm not a lawyer, but seems there are different services offering to detect and block users from EU. Google for "gdpr block eu users" to get some inspiration.

    /Rasmus
     
  9. chribbe

    chribbe

    Joined:
    Dec 14, 2016
    Posts:
    6
    Wait here - so who's gonna ask for consent then?

    For real? Can't tell if this is meant seriously or as a joke :eek:
     
    zworp likes this.
  10. rasmus-unity

    rasmus-unity

    Unity Technologies

    Joined:
    Aug 15, 2014
    Posts:
    1,168
    In short, we are taking a different approach than e.g. Google here. We don't store any other data about the user, than what is needed for showing ads. I.e. we don't store gender, age, products bought on internet etc. Basically we serve ads, while still respecting users privacy - remember, we're not evil :)

    The instructions from our legal team at Unity is that we don't need user consent, but ofc giving users option to opt out from collecting any personal identifiable data (e.g. IP address and device id), similar to what we already have on game level for COPPA.

    If you as publisher want to implement consent in your game, e.g. since you are integrating other networks who requires consent, you can follow the instructions on https://unityads.unity3d.com/help/legal/gdpr, and implement your own UI. But user consent is not required for using Ads SDK in relation to GDPR, we will show UI in the end cards to allow users to opt-out of data collection, showing information about how to get and delete data collected for the user (or rather the device, again as we don't store "human" information, only information related to the device showing the ad)

    Hope it answers your question. If you have more detailed legal question, you are ofc welcome to contact our legal team at gdpr@unity3d.com

    Best regards,
    Rasmus

    PS. No, I don't think blocking EU users is a joke, but personally I hope GDPR (and recent public data breaches) will mean that companies will actually start to respect peoples privacy, allowing users to have data deleted etc. Probably also users should realize that if a service is free, then you are paying with your information, but that's a completely different topic...
     
    hippocoder, zworp and chribbe like this.
  11. WolveX

    WolveX

    Joined:
    May 31, 2016
    Posts:
    24
    As I understand we should clearly show the user a message to ask for consent to use personal data, if the player didn't see the consent (as a pop us message or something like that) and he did not opt-out form collecting IP address and device id, will that be GDPR compliant?

    because in the end you are collecting his personal data without a direct-clear approval from him, right?
     
    Last edited: May 14, 2018
  12. rasmus-unity

    rasmus-unity

    Unity Technologies

    Joined:
    Aug 15, 2014
    Posts:
    1,168
    Hold on, I'll get someone from our legal team to provide an answer.

    /Rasmus
     
    WolveX, zworp and chribbe like this.
  13. rasmus-unity

    rasmus-unity

    Unity Technologies

    Joined:
    Aug 15, 2014
    Posts:
    1,168
    Still waiting for legal to get back. Until then, please see https://unity3d.com/legal/gdpr:
    Unity Ads SDK has the necessary opt-out mechanism for users to opt out of behavioral ads targeting. However we're still working with legal to make the GDPR information page more precise on this particular subject.

    Please keep posting questions here on the topic, especially if above isn't sufficient.

    Thanks,
    Rasmus
     
  14. rasmus-unity

    rasmus-unity

    Unity Technologies

    Joined:
    Aug 15, 2014
    Posts:
    1,168
    Ok, so I have talked with with legal, and information about our GDPR strategy will go out to publishers via e-mail within few days.

    In short, we want to make it as easy as possible for publishers to integrate Ads SDK, so you can focus on building games instead of server side functionality to collect GDPR consent etc, and as said we have a different approach than some other ad networks. However given the subject, legal prefers to be part of the communication. Hope you understand.

    Please refer to information in the mentioned e-mail sent from our legal team, and direct question related to GDPR to gdpr@unity3d.com

    Thanks,
    Rasmus
     
    chribbe, MoribitoMT and WolveX like this.
  15. MoribitoMT

    MoribitoMT

    Joined:
    Jun 1, 2013
    Posts:
    294
    Ok,

    I think I understood the approach to Unity Ads.

    What about apps only uses Unity In App Purchases, Unity automatically integrates Unity Analytics when IAP enabled ? How do we get consent for IAP / Analytics while there is no Unity Ads ?
     
    pep_dj likes this.
  16. technicat

    technicat

    Joined:
    Nov 22, 2006
    Posts:
    1,277
    There is a plugin for that. Check out this thread in the Unity Analytics forum

    https://forum.unity.com/threads/uni...g-in-available-now-in-the-asset-store.532484/
     
  17. marcopesce

    marcopesce

    Joined:
    Dec 11, 2015
    Posts:
    40
    I still cannot see any consent request on Ads. When will this will appear on games? Tomorrow? Is it possible to have a preview of how it will work?
     
  18. marcopesce

    marcopesce

    Joined:
    Dec 11, 2015
    Posts:
    40
    Ok, now it's visible, but on "minigame" ads the consent shows only if you click on the "i" mini button.
     
  19. Shayke

    Shayke

    Joined:
    Dec 8, 2017
    Posts:
    339
    What is this GDPR that i see lately?
    I can take data from user by asking them right?
    And then what?I get money for this?
     
  20. Ryiah

    Ryiah

    Joined:
    Oct 11, 2012
    Posts:
    14,380
    It's a new regulation from the EU (European Union) that lets citizens decide whether an entity is allowed to have access to their personal data. If you're developing games that require personal information from users within countries that are part of the EU then it's important you go read up on the law now. It goes into effect today (May 25th, 2018).

    https://en.wikipedia.org/wiki/General_Data_Protection_Regulation
    https://ec.europa.eu/info/law/law-topic/data-protection_en
     
    Last edited: May 25, 2018
    technicat likes this.
  21. Zwilnik

    Zwilnik

    Joined:
    Jul 22, 2014
    Posts:
    62
    If we're using the built in Unity Ads extension option in services, does that automatically including the new version (with GDPR compliance) or do we have to bolt on the asset store version?
     
  22. marcopesce

    marcopesce

    Joined:
    Dec 11, 2015
    Posts:
    40
    from what I saw, you don’t even need to update your app: I use the builth in version.
     
  23. bart_the_13th

    bart_the_13th

    Joined:
    Jan 16, 2012
    Posts:
    440
    I'm using ads sdk 2.0.8, but I don't see any “ℹ” icon in my ads app? is it because I'm not living in europe?

    [EDIT]
    nevermind.... it's not an "i" icon... but hand holding a shield icon I guess...


    [EDIT again]
    wait... the hand holding a shield icon is the "Data Privacy" icon... still missing "i" icon I guess...
     
    Last edited: May 31, 2018
  24. xeonx1990

    xeonx1990

    Joined:
    Apr 7, 2018
    Posts:
    2
    hi i want to know if its legal to use a dialog alert like this to obtain consent from players after all the user has the choice to accept or close the app
     

    Attached Files:

    wajdi1987 likes this.
  25. Simon-O

    Simon-O

    Joined:
    Jan 22, 2014
    Posts:
    23

    Why are legal sending out emails rather than making the information public? You're collecting uniquely identifiable information (the GPDR explicitly mentions IP Addresses) and you've got absolutely no legal basis for doing so without opt-in consent.

    I'd love to see the justification your lawyers have come up with, but unfortunately, they haven't shared it here...
     
    Last edited: Jul 7, 2018
  26. rasmus-unity

    rasmus-unity

    Unity Technologies

    Joined:
    Aug 15, 2014
    Posts:
    1,168
    Hi @Simon-O,

    Thanks for your questions and interest in our GDPR solution.

    Please see section "Unity Ads and Unity Analytics -> Why does Unity provide an opt-out option?" on https://unity3d.com/legal/gdpr. Our legal team has described our approach for GDPR compliance on that page. If you have additional questions related to your game, about our GDPR solutions at Unity, please contact our legal team at gdpr@unity3d.com

    If you e.g. integrate other ad networks who requires opt-in in your game, you can send "gdpr.consent" flag to Unity Ads SDK, see https://unityads.unity3d.com/help/legal/gdpr

    /Rasmus
     
  27. Simon-O

    Simon-O

    Joined:
    Jan 22, 2014
    Posts:
    23
    Yeah, that's a ridiculous argument....

    > Why does Unity provide an opt-out option? Is this opt-out consent?
    > The opt-out option that players see in the Privacy dashboard is not related to consent, but rather the right players have to object to data collection. It gives them the ability to object to our targeting, as called for in the GDPR. Because we have legitimate interests as a legal basis for our data processing, we do not require consent.

    You have no legitimate interest to process personally identifiable information of people who are not your customers and have no business relationship with you.

    I look forward to seeing what you do when thousands of small developers start getting fined for using your platform.
     
  28. rasmus-unity

    rasmus-unity

    Unity Technologies

    Joined:
    Aug 15, 2014
    Posts:
    1,168
    Hi @Simon-O,

    Again, thanks for your questions about our GDRP guidelines for using Unity Ads, and I do understand your concern as a game/developer about the possible implications of GDPR.

    Given I'm not in our legal team I cannot really comment on your statements, other than our approach at Unity is to show ads while still respecting users privacy, i.e. only collecting relevant data for showing ads, and deleting "personal" device-specific data as soon as it no longer makes sense to use for ads targeting (in practice by aggregating data, so we no longer are storing any device-specific data, but only aggregated data e.g. per game, country, etc).

    I will forward your questions/comments to our legal team.

    Thanks,
    Rasmus
     
    Last edited: Jul 22, 2018
  29. MetalDonut

    MetalDonut

    Joined:
    Feb 7, 2016
    Posts:
    52
    I'd love to know how other small devs are handling GDPR. I find it very confusing. It seems like Unity have solved for just Unity Ads (what about analytics?), but if we're using other ad networks do we now have to prompt players at the start of each game asking them if they want to opt-in for personalized ads??

    And if so, under GDPR we have to show that we delete their data after a certain amount of time (up to 2 years which we must declare). But, I'm not even storing any data, but now I have to store their ad preferences myself??

    And what are devs doing about localization of GDPR messaging? Assume you can't have it only in English for players in France, Germany, Italy etc. ?

    Would love to know how others are handling this. I wish there was a simple plugin for small devs that would take care of all of this for us. :-(
     
  30. rasmus-unity

    rasmus-unity

    Unity Technologies

    Joined:
    Aug 15, 2014
    Posts:
    1,168
    Hi @MetalDonut,

    Information about GDPR for Unity Analytics is available at https://docs.unity3d.com/Manual/UnityAnalyticsDataPrivacy.html, where you can also find link to the "Unity Data Privacy Plug-in" asset store package.

    Can't you just store it on device only then (e.g. using https://docs.unity3d.com/ScriptReference/PlayerPrefs.html)? And if user deletes/re-installs game, just ask for consent again?

    /Rasmus
     
    Last edited: Jul 24, 2018
  31. MetalDonut

    MetalDonut

    Joined:
    Feb 7, 2016
    Posts:
    52
    Thanks for the info. It looks like Unity cover GDPR by popping the first ad to be an opt-out option and assuming responsibility. Does this still work if I'm mediating Unity via AdMob?

    I'm thinking of just having my own popup at the start of the game and if a player opts out then to send the respective call to each ad network. Admob have provided a function to send the opt in/opt out status (bool) to each provider. I don't store any data so I don't think I should hold the preferences of opt-out but rather pass it on (however I will store the preference locally so I can show it in my settings tab and allow them to change it anytime). I'm also planning to link to each ad networks privacy policy in my settings tab.

    I don't know how to deal with languages. For now I'm putting it all in English. Maybe if my game scales I'll have to address that separately.

    Interested to know if anything here sounds wrong/off? There really isn't clear direction for devs as each situation seems so unique. Thx
     
    AlenBrk likes this.
  32. rasmus-unity

    rasmus-unity

    Unity Technologies

    Joined:
    Aug 15, 2014
    Posts:
    1,168
    Hi @Simon-O ,

    Reply from our legal team is that legitimate interest and business relationship is not the same thing, see the different articles "6.1(b) - business relationship" and "6.1(f) - legitimate interest" at https://gdpr-info.eu/art-6-gdpr/
    If you still have questions related to this, please contact gdpr@unity3d.com, as they can give you direct answer on your questions then.

    In any case, I hope you have managed to find a solution which works for you, and I do understand that you want to be on safe side here.

    Thanks,
    Rasmus
     
    technicat likes this.
  33. AlenBrk

    AlenBrk

    Joined:
    Feb 17, 2014
    Posts:
    32
    I am also thinking about this way to do it.
    Saw it already in some VOODOO and KETCHAPP games.