Unity Analytics and GDPR

The enforcement date for the General Data Protection Regulation (GDPR) is May 25th. Have there been any announcements from the Unity Analytics team regarding GDPR compliance?

Specifically, we are looking for information regarding:

1. What personal information is collected? Anonymized user id, IP address, etc.
2. Breach notification policy
3. Right to access policy
4. Right to be forgotten rules
5. Data portability
6. Privacy by design
7. Data protection officers

While COPPA affects developers that have apps geared towards children, GDPR affects any developer that has EU users, regardless of age. Additionally, each country in the EU is able to choose an Age of Consent (anywhere between 13 and 16) similar to COPPA's 13. Will there be a new checkbox denoting if a game is targeting children under the age of 16 for the EU?

Thanks,
Colter

 

Unity has informed us that they "are currently working up a statement that explains [their] current work with regards to GDPR."

 

@wwcolter: Thank you for posting the question. I too look forward to hearing about this as the GDPR affects every single developer who collects info (ip, device id, email, name, any personal data or data that can be combined to link to) from EU citizens needs to comply to the regulation.

 

@wwcolter have you by any chance received any more details? The last thing I heard was on Feb 2:

"Our legal teams are currently working on documentation and FAQs to help you with this process."
​

 

Thanks for the response. @ap-unity

One of the requirements of GDPR is "right to be forgotten", and since you state that "Unity will be GDPR" compliant, here's few detailed questions regarding "right to be forgotten" aspect:

1. Since Unity Analytics collects data that can be considered personal (and used to identify individual) such as user IP and unique device IDs, what is the process of helping person to get forgotten when I get such request?
2. Is there going to be dashboard in Unity Analytics where I can submit removal tickets? ("remove information by this IP/AnonID")
3. Is there going to be possibility to obfuscate region identified by IP (let's say instead of "City of Oulu, Puuppola district" it would say "Northern Finland")
4. Will Unity be using Google's and Apple's anonym device ID's that allows users to reset those tokens (so that user can easily get forgotten simply via her phone settings)
5. Is Unity Analytics going to change collecting so that these identifiers are not collected?
6. If so, does this mean I need up update my APKs? If APK update is required when will this possibility be available?
   
7. Not responsibility of Unity Analytics, but I would be interested if I should switch Unity Ads to some other provider, or how exactly will I be compliant if I continue using Unity Ads.

To me "Unity will be GDPR compliant" sounds that Unity is getting bunch of lawyers to protect Unity's court (Which of course makes sense

I'm interested how these points are handled and developed in practical level. Where the buttons will be. How the data collecting and erasing will be handled.

It's now February.

May is not that far away. And if I need to update engine and APK's and get players to update their devices, that's easily 1-2 months before it's done.

I like what Unity does and respect your responses, unfortunately to me this answer sounds like I should not use Unity IAP nor Unity ads nor Unity Analytics for example when porting my game to IOS.

Thanks.

 

You can use a Unity Remote Settings variable that you set to true when the Update is online (or use a number as version number). If the game is started this value is checked and if it's true you can display a message which forces the player to update. So you can ensure all games running have the new (legal) version of your game.

To do this you have to build in this function before, of course. If you do this now there is enough time for everyone to update.

 

Currently I do not know if Remote Settings (or Unity Analytics) is GDPR compliant, if I will be GDPR compliant by using the system. I do not know how the "privacy by design" for example is done.

I look forward to hearing answers to questions I posted last Tuesday, and how exactly I will be GDPR compliant (see 7 points posted by @wwcolter in the first post) by continuing to use Unity Analytics (and other services such as IAP services, performance services - both awesome tools). .

 

@sandbaydev I haven't heard anything back from my contacts at Unity and I don't think they will respond until they have their legal team's final decisions in place. As you know, this isn't trivial. I hope we hear back in time to implement changes on our side before the deadline.

 

It's been now month since that comment.

@ap-unity or @wwcolter Have you heard any news when their statement could be available?

 

i use google analytics now. stan assets if you search for anonymous in the code and set aid=1 it should enable ip anonymisation. in the policy i say exactly what i track. scene-changes and game progress .... all i could come up with for now

 

We still haven't heard anything @sandbaydev

 

@sandbaydev @Nama222 @mogwhy You can see Unity's official response here: https://unity3d.com/legal/gdpr

 

I love the FAQ section on that link... Basically tells you nothing on every question asked. Even Unity doesn't know what to do

Well I'm glad my product i've been doing is by all means a MVP and didn't take too much of my time

 

Any news / updates from Unity on this? It's getting close to may 25 and I think most devs need some time to update our games if there's something we need to do. Especially thinking about Unity Analytics and Unity Ads.


@ap-unity

 

Ooops, I missed this thread and posted there, asking why users aren't allowed to Opt-Out of their device in analytics (right to be forgotten)
https://forum.unity.com/threads/why-does-unity-analytics-not-provide-a-user-opt-out.524979/

I just got an email from Flurry about their GDPR stuff:
https://developer.yahoo.com/flurry/docs/analytics/gdpr/

"With Flurry Analytics in the role of Processor with regards to the data covered by GDPR, it is your responsibility to respond to Data Subject Rights (DSR) requests from your users. This documentation describes the usage of the APIs that Flurry makes available for supporting these DSR requests you receive."

https://developer.yahoo.com/flurry/docs/analytics/gdpr/dsr/

If this is the level analytics providers have to go to, and Unity isn't ready, is everyone going to have to remove Unity Analytics/Ads from their games before the May deadline?

 

From MixPanel analytics in December 2017:

"The GDPR empowers “data subjects,” the individuals from whom the data has been collected, to control who has their data. Today, we already provide rich data export functionality and the ability to delete customer data. However, to further build on these features for GDPR, we will be automating our data deletion and export capabilities, which will better allow us to support any requests our customers may receive from data subjects. These forthcoming product releases to automate the deletion and export process will help keep our customers GDPR compliant by ensuring we are only processing data for identified, appropriate data subjects."

https://mixpanel.com/blog/2017/12/21/gdpr-mixpanel-readiness/

https://mixpanel.app.box.com/s/ofdei5m6f46prtp2b9zm7zh6drsw2zh9

 

Are you still working on GDPR statement?
I'm not quite sure this article answers all of my questions: https://unity3d.com/legal/gdpr

1) Does unity have a GDPR certificate? How can I check it?
2) Is it possible for a developer to remove player data that are stored by Unity Analytics when a player requests to do so?

 

I literally emailed them an hour ago asking the same question!
Let's hope the GDPR team responds to one of us at least. If I receive a reply via email before seeing a reply on this forum, I'll post their response here.

 

So Google Analytics just sent an email with some more information on re GDPR:

"Today we introduced granular data retention controls that allow you to manage how long your user and event data is held on our servers. Starting May 25, 2018, user and event data will be retained according to these settings; Google Analytics will automatically delete user and event data that is older than the retention period you select. Note that these settings will not affect reports based on aggregated data."

"Before May 25, we will also introduce a new user deletion tool that allows you to manage the deletion of all data associated with an individual user (e.g. site visitor) from your Google Analytics and/or Analytics 360 properties. This new automated tool will work based on any of the common identifiers sent to Analytics Client ID (i.e. standard Google Analytics first party cookie), User ID (if enabled), or App Instance ID (if using Google Analytics for Firebase). Details will be available on our Developers site shortly."

"Updated EU User Consent Policy Per our advertising features policy, both Google Analytics and Analytics 360 customers using advertising features must comply with Google’s EU User Consent Policy. Google's EU User Consent Policy is being updated to reflect new legal requirements of the GDPR. It sets out your responsibilities for making disclosures to, and obtaining consent from, end users of your sites and apps in the EEA. Action: Even if you are not based in the EEA, please consider together with your legal department or advisors, whether your business will be in scope of the GDPR when using Google Analytics and Analytics 360 and review/accept the updated data processing terms as well as define your path for compliance with the EU User Consent Policy."

 

GameAnalytics (another service) also just posted their FAQ
https://gameanalytics.com/gdpr-faq

"For players the game developers must ask for consent when the game opens, before any data has been sent to us (or to other data controllers and processors). The consent they ask for from their players must include that their data will be used for analytics and marketing purposes. Most game developers should also have publicly available privacy policies and terms of service that can be reviewed by users."

Thats quite a big one to do, lots of games will need updating and I imagine most users will press no if presented with this.

 

Unless they want cloud save games or multiplayer experiences, then they have no choice but to accept all data collection!

 

Given that Unity are not responding, does anyone know of a reliable way to detect if a user is in the EU? We can then disable features for them until we can make them compliment in future? Or will we need to release an EU version of the app without Unity Analytics and Ads etc?

 

So I can safely leave Unity Ads and Analytics in place? Or will there be some implementation that is required that means even if you have something compliant by the 25th, we may not be able to roll that out to our players by the 25th? That's what we are trying to figure out. I understand you can't offer legal advice to through a forum but we need clarity in terms of what we need to do to ensure we are not fined 20M euros. I'm sure you can understand our concern.

 

It's 36 days until GDPR.
Feels great that you have an intention to have a plan!

 

I received an email reply from Unity on Unity Analytics and GDPR. I won't post it verbatim but they've assured me that there will be an API update (before May 25th) that will allow us to display data collected and provide a way for users to opt-out and delete their data.

My current plan is to strip out Unity Analytics before May 25th. I don't feel confident we can properly implement all the UI flows necessary for handling user privacy, presenting data while having an effective tutorial/first experience. Once the SDK update is available I will re-evaluate.

 

This is something every developer using these tools would want, perhaps they are working on a web-view style default user interface for this stuff? Hopefully that'll get us past compliance and then we can work on making it better from there... All hope until we see what they come up with.

 

News on this would be great.

I'll have to turn off Google Analytics in my products right now as a precaution to make sure we're ready for the date.

 

Thank you for the update @marc_tanenbaum. I know you guys are working hard on getting something in place that will meet the GDPR requirements while also avoiding any interruptions for us developers. This is all greatly appreciated and I cannot wait to see what the team's solution is. Now that we are one month away from needing to be in compliance with GDPR, it would be nice to know what we (as developers) should be expecting to need to do:

• Will we need to be planning to implement our own in-game UI elements (prompts, screens/pages, settings, etc) to allow our users to opt-out of data collection (as well as delete all the already collected data)?
• Will all of the required GDPR options/dialogues be somehow handled by Unity Analytics (possibly through an in-game web browser window?) to ensure that all games with Unity Analytics across the board will be compliant and navigatable in the same way?
• Are you able to provide us with any additional hints as to what we should be expecting?

 

We have at least 25 games that use Unity Analytics by virtue of In App Purchases and advertising. Some of our more recent games have been made by freelancers, and some are made by individuals we are acting as a publisher for. Some aren't even made in Unity but use Unity Ads (Gamemaker).

https://itunes.apple.com/us/developer/nitrome/id568079484

I'm struggling to understand how we are going to update ALL of these apps by 25th May.

We would also be very grateful for any information that may help us cope.

 

Thank you for posting @Cecilie and @matthewpruitt . The unity Ads system seems to handle this nicely. I think that's clever solution.

But I don't use Unity Ads. I use only Analytics (forced, because I use IAP

I'd have some questions:

1) After user opt-out, will it be possible to gather ANONYMIZED DATA via CUSTOM EVENTS?
What I want is to ANONYMIZE the user's data and use CUSTOM EVENTS so that no individual can be recognized (ip address, device info, or such). I don't want data collection to stop. I want only Unity data collection to stop.

2) Is it possible me to use your plugin so that it automatically disables Unity's *personal* data collection on CODE level (or via EDITOR)?
I'd hate to show graphical user interface.

Optimal solution for me would be that I could disable personal data collection from Unity editor for a build.

Or... to have code like:

Code (CSharp):

1. //AnalyticsInitializationBehavior...
2.  
3. void Start() {
4.    Unity.Analytics.DisablePersonalDataCollection();
5. }

This way I don't need to show "useless" information to every single user. I see no point letting Unity (or myself for that matter) to collect data about my game players. Their phone belongs to them. I should be only interested about gameplay-related events.

3) Bonus question: How does "COPPA enabled" projects differ from non-COPPA products in terms of GDPR?
I thought COPPA already affects the data collection?

 

Hello,

Thank you very much for working on this and for updating us.

We are in the same boat as sandbaydev, so I just wanted to second his question / concerns. We have a Unity project that uses IAP and are thus forced to use Analytics. We would also very much want anonymity for the data. Another but less desirable option would be to allow IAP without collecting any analytics.

Asking for consent is very complex for us, as our games are designed to be used by kids. We have no desire to collect personal data, we just want to allow parents to unlock the full game if they liked it, and if possible collect usage data to balance the games.

Thanks

 

Thank you for the update! Great to see that Unity is building tools for this and taking responsibility instead of just pushing it onto the devs alone.

I have one question -

Many F2P games uses a monetization model where players can buy an IAP to remove ads. From the info in the link I get the impression that consent/opt out is handled when an ad is shown. How does this work for users that paid to remove ads?

 

Not ideal depending on the game, but you could mark the game as being for kids in the editor?

https://docs.unity3d.com/Manual/UnityAnalyticsCOPPA.html

"In order to provide analytics for your games, Unity Analytics generates an anonymized user ID for each user in your game. We do not use any of these IDs generated from Child Apps to track users across apps built by other developers or to map users between different services, devices, or browsers on the same computer. In addition to these IDs, Unity Analytics also collects the following personal information from Child App users: IP address, identifiers for advertisers (IDFA is only collected if Unity Ads is also enabled) and device identifiers (IDFV, Android device ID or IMEI if Android device ID is unavailable)."

Although... "Also, if you’ve enabled Unity Ads in a Child App, Unity may use information about a user collected by Unity Analytics from that Child App to serve contextual advertising within that Child App."

I thought COPPA didn't allow you contextual based advertising? Anyway, slightly off top

 

Thanks!

What about handling user data requests, something they can do under GDPR (not just opt-out)

 

Is there a way to temporary turn off the Analytics at start & Enable it after some certain event? I'm aware of the

Analytics.enabled

value however this won't help in sending of Core Events like the 'appStart' event.
Is there a way to possibly delay all the events before they are being sent? The idea is to only send events after the user has accepted our native GDPR popup.

 

Considering Unity Analytics for a premium game on Steam (no ads, no IAPs, just analytics), as a developer would I be legally obligated to provide the user with the ability to opt-out of analytics?

 

The following is not "legal advice". It's "to best of my knowledge, with limited information". Please consult lawyers regarding the following.

Let's see what Unity replies. if Unity Analytics allows anonymized data collection, then to best of my knowledge there is no need for additional opt-out/asking for consent. (Unless of course you specifically collect personal information).

At the moment this is open question. @wwcolter posted good list of questions on January 17th, and I'm waiting for exact Unity's replies. Their FAQ is slightly blurry and not responding to everything.

We have also asked for possibility to automatically opt-out (code level/editor) from collecting data such as devices but let's see when or if we get an answer.

People also wished for separating in-app purchases & analytics. I would not use Unity Analytics, but I must because I'm using in-app purchases.

Please notice that opt-out alone is not enough. Players also must be able to use their "right to be forgotten": meaning, each (european citizen) is entitled for asking their data to be removed as easily as it has been collected (within reason: for example if there's billing information, it's understandable to keep log of purchases).

It takes weeks before IOS updates can pass, so my prediction is that there will be hellofahurry for everybody

But... let's wait and see. People have had 2 years to prepare for this EU ruling to occur.

 

Yes I'm amazed GDPR is 23 days away and Unity doesn't have this sorted yet

 

As pointed out to me on Twitter, marking a game as for kids in the Unity editor might make it COPPA compliant, but not GDPR, due to :

"In addition to these IDs, Unity Analytics also collects the following personal information from Child App users: IP address, identifiers for advertisers (IDFA is only collected if Unity Ads is also enabled) and device identifiers (IDFV, Android device ID or IMEI if Android device ID is unavailable).""

Its my understanding that unless you anonymize this data, then all users must ask consent as its PII.

Still not much clearer at this point.

 

Agreed Chris - just to clarify, when you say "unless you anonymize this data", you're talking about Unity right? I don't think developers could anonymize this themselves.

 

I'm currently in the process of building a new version of all our apps that doesn't include Unity Analytics (except for our app with IAP, see above). The goal is to not collect any personal information.

Does anybody know if I should also disable Performance Reporting services? Do we know if they collect any personal data as defined by GDPR, like IP addresses or identifiers?

 

We are using Unity IAP which requires Unity Analytics to be enabled. Is there a way to delay the sending of certain core events? That way we don't send any data until the user accepts our privacy policy popup.

 

Hi,
I am also trying to understand how to make my game GDPR-compliant.

As far as I understood from reading about it - if there is no age gate in the game and some kids are playing it then it must be GDPR-K compliant.

I read Unity's GDPR page, but what about GDPR-K? Will enabling COPPA in analytics will make the game also GDPR-K compliant?

 

Hi mmvlad,

Unfortunately, Unity Analytics (UA) gathers personal information like IP addresses by default, even when COPPA mode is enabled. Unity has not yet addressed if it will make it possible to have a completely anonymized data collection through UA, without gathering any personal information.

You can also try to ask for consent from parents, which is not an option for us.

 

Any movement on Unity Analytics (UA) GDPR compliance? With little more than two weeks remaining, I'm afraid I'm going to be forced to disable UA (for now) and upload another build today. I have the feeling the App Store is about to be slammed with developers resubmitting GDPR compliant apps.

I emailed GDPR@unity3d.com about GDPR compliance with UA, and Unity built apps in general, last week. I have heard nothing back as of today.