GDPR - What to do when EU citizen wants their personal data removed?

I started asking about GDPR in December last year and it seems to be very very difficult to get answers to questions in understandable manner. It feels like when you ask about color of grass you get answers about the length of the trees. Maybe this is way too complex issue. Maybe I'm a really poor at asking questions

For this reason I try ask only ONE question in this thread. Maybe I get an answer.

(For other questions, please see thread by @wwcolter at https://forum.unity.com/threads/unity-analytics-and-gdpr.513112/ )

Assuming the following is true:
Unity is collecting personally identifiable user information (e.g. IP address, advertising identifier etc) via because my game uses Unity IAP.

Examples of personal data:
https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en

Here is my question:

"EU citizen emails me and wishes to use their "right to be forgotten" - what exactly should I (the developer) do?"

I expect Unity's answer to be something along lines "you go to web interface and delete analytics records of that person by clicking button next to IP filter..." or "please forward the requester's message to Joe at [email address here] and Joe gets back to you in 3 business days."

I would really hope to get answer from somebody who understands English and can write back in English. And that person should hopefully answer to the question above and not something like "we are gpdr compliant" nor "here's link to our gdpr faq" nor "our legal team is working on this" nor "we will provide plugin where you can opt-out data collection".

Thank you.

 

https://unity3d.com/legal/gdpr

That should answer your questions.

 

Unfortunately it doesn't

 

Have to agree with @zombiegorilla that the FAQ answers the question. Basically it's all handled through APIs.

Unity Analytics.

Unity Ads.

 

@Ryiah @zombiegorilla

How does that answer the question posted? If a user emails a developer on may 25th asking for complete erasure of all data that has been collected in the app. What would you as a developer (and responsible in this case) answer?
Maybe -

"Thanks for your email. There is a plugin I can not integrate because it doesn't exist that gives you the ability to opt out"

or maybe, if you're using unity ads

"Thanks for your email! Just keep playing the game and let it collect some more of your data - and then when you see an ad please quickly press the info button and then choose to opt out. "

 

With the information currently provided, I would respond saying to open the game in question, navigate to where the privacy settings are exposed to the user (eg Options -> Privacy), and click "Remove personal data from server".

I recommend you start prototyping the menus for privacy now ahead of the release of the APIs.

As mentioned there will be an API provided prior to that date. If you feel like they can't provide an API fast enough what makes you think they can provide a webpage just as quickly? They definitely won't be able to handle a manual process.

It's clearly stated that opting out will result in the system no longer using their information to select targeted ads. What isn't clearly stated is what exactly this will mean but I'd hope that it would mean the data is cleared off their servers.

 

This. That essentially what we have done already, we have added a blocking popup that shows on launch that notifies the player that the TOS has changed and the need to accept to continue playing. We can trigger it at anytime for all users, (so it can be useful for future if needed). We’ll trigger it when the changes go live. For ads and such (we don’t use unity’s ads). We’ve just added an opt out option in the settings. So if a user were to email us out of the blue like that we just direct them to launch the game and opt out.

 

For a moment there I thought you were gonna suggest to implement a function that just pretends to delete the data, waits a bit, and then tells them the data was deleted ^_^.

 

As @Chrippe mentioned the "deletion" part was not stated clearly enough in the FAQ.

I got response from the Unity GDPR team. (emphasis mine)

"What does the developer do for right of erasure requests? The short answer is nothing. Unity will soon release an updated plugin for Analytics and an updated SDK for Unity Ads. Within these, the user will have the option to opt-out, or delete, their personal information. This request will go directly to us. So, as long as you implement the latest updates, no other action will be needed when a request comes in. Look for the updates late this week or early next week."

This answers to my question.

 

Thanks for the clarification. It seems I completely misunderstood the question being asked.

 

It also sounds like in the latest information they provided that it won’t be a separate plugin that will have to be installed, it will be directly integrated into the ads/analytics sdk. Which will be nice for the developer, just update and you are good to go.

 

How about apps uses only InAppPurchases, which auto enables Unity Analytics ? How do we get consent for using IAPs ?

 

Basically you put up confirmation dialog when the game launches, that has a link to the TOS/Privacy Policy that explains what you are tracking, and that to play, they have to click a button saying they Accept the terms.

 

What if user wants no data collection ? Like non-personalised ads? So we cannot use IAP anymore?

 

Unity's already explained how advertisements will be handled. You can see the relevant section in my first post in this thread or check the link below, but basically there will be an option to disable personalized ads on the ad itself.

https://unity3d.com/legal/gdpr

 

I am asking for InAppPurchases only, without ads. IAP aldo uses analytics, does IAP have its own dialog ?

 

Users will be able to opt out of analytics. Make sure you have updated and use current sdk/plugin when it is released.