Search Unity

  1. Going to #UniteBerlin? Bring a buddy & get 25% off the 2nd ticket! More info here.
    Dismiss Notice
  2. Famed game designer and creator of The Sims, SimCIty, and Spore is looking for a 3D artist to join their team. Join the challenge.
    Dismiss Notice
  3. Unity 2017.4 has arrived! Read about it here.
    Dismiss Notice
  4. ARCore is out of developer preview! Read about it here.
    Dismiss Notice
  5. Magic Leap’s Lumin SDK Technical Preview for Unity lets you get started creating content for Magic Leap One™. Find more information on our blog!
    Dismiss Notice
  6. We've opened a new World Building sub-forum to faciltate all your world building discussions! Drop in and ask any ProBuilder, ProGrids, or PolyBrush questions.
    Dismiss Notice
  7. Want to see the most recent patch releases? Take a peek at the patch release page.
    Dismiss Notice

Unity Analytics and GDPR

Discussion in 'Unity Analytics' started by wwcolter, Jan 17, 2018.

  1. wwcolter

    wwcolter

    Joined:
    Nov 4, 2016
    Posts:
    17
    The enforcement date for the General Data Protection Regulation (GDPR) is May 25th. Have there been any announcements from the Unity Analytics team regarding GDPR compliance?

    Specifically, we are looking for information regarding:
    1. What personal information is collected? Anonymized user id, IP address, etc.
    2. Breach notification policy
    3. Right to access policy
    4. Right to be forgotten rules
    5. Data portability
    6. Privacy by design
    7. Data protection officers
    While COPPA affects developers that have apps geared towards children, GDPR affects any developer that has EU users, regardless of age. Additionally, each country in the EU is able to choose an Age of Consent (anywhere between 13 and 16) similar to COPPA's 13. Will there be a new checkbox denoting if a game is targeting children under the age of 16 for the EU?

    Thanks,
    Colter
     
    Last edited: Jan 22, 2018
    Arkade, sandbaydev and mogwhy like this.
  2. wwcolter

    wwcolter

    Joined:
    Nov 4, 2016
    Posts:
    17
    Unity has informed us that they "are currently working up a statement that explains [their] current work with regards to GDPR."
     
    Last edited: Jan 22, 2018
    sandbaydev likes this.
  3. sandbaydev

    sandbaydev

    Joined:
    Aug 9, 2013
    Posts:
    51
    @wwcolter: Thank you for posting the question. I too look forward to hearing about this as the GDPR affects every single developer who collects info (ip, device id, email, name, any personal data or data that can be combined to link to) from EU citizens needs to comply to the regulation.
     
    wwcolter likes this.
  4. sandbaydev

    sandbaydev

    Joined:
    Aug 9, 2013
    Posts:
    51
    @wwcolter have you by any chance received any more details? The last thing I heard was on Feb 2:

    "Our legal teams are currently working on documentation and FAQs to help you with this process."
     
  5. ap-unity

    ap-unity

    Unity Technologies

    Joined:
    Aug 3, 2016
    Posts:
    861
    We are trying to make sure all replies concerning GDPR (and frankly any legal question) are accurate. The downside is that responses may be slower than normal.

    Here is the latest response I have from our legal team:

    "We're actively working with inside and outside counsel to understand our obligations and approach with respect to GDPR. We're committed to having a more comprehensive position soon and we will be compliant by the May 25th deadline."
     
    sandbaydev likes this.
  6. sandbaydev

    sandbaydev

    Joined:
    Aug 9, 2013
    Posts:
    51
    Thanks for the response. @ap-unity

    One of the requirements of GDPR is "right to be forgotten", and since you state that "Unity will be GDPR" compliant, here's few detailed questions regarding "right to be forgotten" aspect:
    1. Since Unity Analytics collects data that can be considered personal (and used to identify individual) such as user IP and unique device IDs, what is the process of helping person to get forgotten when I get such request?
    2. Is there going to be dashboard in Unity Analytics where I can submit removal tickets? ("remove information by this IP/AnonID")
    3. Is there going to be possibility to obfuscate region identified by IP (let's say instead of "City of Oulu, Puuppola district" it would say "Northern Finland")
    4. Will Unity be using Google's and Apple's anonym device ID's that allows users to reset those tokens (so that user can easily get forgotten simply via her phone settings)
    5. Is Unity Analytics going to change collecting so that these identifiers are not collected?
    6. If so, does this mean I need up update my APKs? If APK update is required when will this possibility be available?
    7. Not responsibility of Unity Analytics, but I would be interested if I should switch Unity Ads to some other provider, or how exactly will I be compliant if I continue using Unity Ads.
    To me "Unity will be GDPR compliant" sounds that Unity is getting bunch of lawyers to protect Unity's court (Which of course makes sense :)

    I'm interested how these points are handled and developed in practical level. Where the buttons will be. How the data collecting and erasing will be handled.

    It's now February.

    May is not that far away. And if I need to update engine and APK's and get players to update their devices, that's easily 1-2 months before it's done.

    I like what Unity does and respect your responses, unfortunately to me this answer sounds like I should not use Unity IAP nor Unity ads nor Unity Analytics for example when porting my game to IOS.

    Thanks.
     
  7. Nama222

    Nama222

    Joined:
    Jul 25, 2017
    Posts:
    3
    You can use a Unity Remote Settings variable that you set to true when the Update is online (or use a number as version number). If the game is started this value is checked and if it's true you can display a message which forces the player to update. So you can ensure all games running have the new (legal) version of your game.

    To do this you have to build in this function before, of course. If you do this now there is enough time for everyone to update.
     
  8. sandbaydev

    sandbaydev

    Joined:
    Aug 9, 2013
    Posts:
    51
    Currently I do not know if Remote Settings (or Unity Analytics) is GDPR compliant, if I will be GDPR compliant by using the system. I do not know how the "privacy by design" for example is done.

    I look forward to hearing answers to questions I posted last Tuesday, and how exactly I will be GDPR compliant (see 7 points posted by @wwcolter in the first post) by continuing to use Unity Analytics (and other services such as IAP services, performance services - both awesome tools). .
     
  9. wwcolter

    wwcolter

    Joined:
    Nov 4, 2016
    Posts:
    17
    @sandbaydev I haven't heard anything back from my contacts at Unity and I don't think they will respond until they have their legal team's final decisions in place. As you know, this isn't trivial. I hope we hear back in time to implement changes on our side before the deadline.
     
    sandbaydev likes this.
  10. sandbaydev

    sandbaydev

    Joined:
    Aug 9, 2013
    Posts:
    51
    It's been now month since that comment.

    @ap-unity or @wwcolter Have you heard any news when their statement could be available?
     
  11. mogwhy

    mogwhy

    Joined:
    Nov 20, 2014
    Posts:
    36
    i use google analytics now. stan assets if you search for anonymous in the code and set aid=1 it should enable ip anonymisation. in the policy i say exactly what i track. scene-changes and game progress .... all i could come up with for now
     
    sandbaydev likes this.
  12. wwcolter

    wwcolter

    Joined:
    Nov 4, 2016
    Posts:
    17
    sandbaydev likes this.
  13. wwcolter

    wwcolter

    Joined:
    Nov 4, 2016
    Posts:
    17
    sandbaydev and Nama222 like this.
  14. duisti

    duisti

    Joined:
    Nov 29, 2017
    Posts:
    47
    I love the FAQ section on that link... Basically tells you nothing on every question asked. Even Unity doesn't know what to do :)

    Well I'm glad my product i've been doing is by all means a MVP and didn't take too much of my time :D
     
  15. chribbe

    chribbe

    Joined:
    Dec 14, 2016
    Posts:
    2
    Any news / updates from Unity on this? It's getting close to may 25 and I think most devs need some time to update our games if there's something we need to do. Especially thinking about Unity Analytics and Unity Ads.


    @ap-unity
     
    Antony-Blackett likes this.
  16. coshea

    coshea

    Joined:
    Dec 20, 2012
    Posts:
    212
    Ooops, I missed this thread and posted there, asking why users aren't allowed to Opt-Out of their device in analytics (right to be forgotten)
    https://forum.unity.com/threads/why-does-unity-analytics-not-provide-a-user-opt-out.524979/

    I just got an email from Flurry about their GDPR stuff:
    https://developer.yahoo.com/flurry/docs/analytics/gdpr/

    "With Flurry Analytics in the role of Processor with regards to the data covered by GDPR, it is your responsibility to respond to Data Subject Rights (DSR) requests from your users. This documentation describes the usage of the APIs that Flurry makes available for supporting these DSR requests you receive."

    https://developer.yahoo.com/flurry/docs/analytics/gdpr/dsr/

    If this is the level analytics providers have to go to, and Unity isn't ready, is everyone going to have to remove Unity Analytics/Ads from their games before the May deadline?
     
  17. coshea

    coshea

    Joined:
    Dec 20, 2012
    Posts:
    212
    From MixPanel analytics in December 2017:

    "The GDPR empowers “data subjects,” the individuals from whom the data has been collected, to control who has their data. Today, we already provide rich data export functionality and the ability to delete customer data. However, to further build on these features for GDPR, we will be automating our data deletion and export capabilities, which will better allow us to support any requests our customers may receive from data subjects. These forthcoming product releases to automate the deletion and export process will help keep our customers GDPR compliant by ensuring we are only processing data for identified, appropriate data subjects."

    https://mixpanel.com/blog/2017/12/21/gdpr-mixpanel-readiness/

    https://mixpanel.app.box.com/s/ofdei5m6f46prtp2b9zm7zh6drsw2zh9
     
  18. ykleban

    ykleban

    Joined:
    Feb 22, 2017
    Posts:
    12
    Are you still working on GDPR statement?
    I'm not quite sure this article answers all of my questions: https://unity3d.com/legal/gdpr

    1) Does unity have a GDPR certificate? How can I check it?
    2) Is it possible for a developer to remove player data that are stored by Unity Analytics when a player requests to do so?
     
    Shawn_Flanagan likes this.
  19. Shawn_Flanagan

    Shawn_Flanagan

    Joined:
    Jan 28, 2014
    Posts:
    5
    I literally emailed them an hour ago asking the same question! :)
    Let's hope the GDPR team responds to one of us at least. If I receive a reply via email before seeing a reply on this forum, I'll post their response here.
     
    Antony-Blackett likes this.
  20. coshea

    coshea

    Joined:
    Dec 20, 2012
    Posts:
    212
    So Google Analytics just sent an email with some more information on re GDPR:

    "Today we introduced granular data retention controls that allow you to manage how long your user and event data is held on our servers. Starting May 25, 2018, user and event data will be retained according to these settings; Google Analytics will automatically delete user and event data that is older than the retention period you select. Note that these settings will not affect reports based on aggregated data."

    "Before May 25, we will also introduce a new user deletion tool that allows you to manage the deletion of all data associated with an individual user (e.g. site visitor) from your Google Analytics and/or Analytics 360 properties. This new automated tool will work based on any of the common identifiers sent to Analytics Client ID (i.e. standard Google Analytics first party cookie), User ID (if enabled), or App Instance ID (if using Google Analytics for Firebase). Details will be available on our Developers site shortly."

    "Updated EU User Consent Policy Per our advertising features policy, both Google Analytics and Analytics 360 customers using advertising features must comply with Google’s EU User Consent Policy. Google's EU User Consent Policy is being updated to reflect new legal requirements of the GDPR. It sets out your responsibilities for making disclosures to, and obtaining consent from, end users of your sites and apps in the EEA. Action: Even if you are not based in the EEA, please consider together with your legal department or advisors, whether your business will be in scope of the GDPR when using Google Analytics and Analytics 360 and review/accept the updated data processing terms as well as define your path for compliance with the EU User Consent Policy."
     
  21. coshea

    coshea

    Joined:
    Dec 20, 2012
    Posts:
    212
    GameAnalytics (another service) also just posted their FAQ
    https://gameanalytics.com/gdpr-faq

    "For players the game developers must ask for consent when the game opens, before any data has been sent to us (or to other data controllers and processors). The consent they ask for from their players must include that their data will be used for analytics and marketing purposes. Most game developers should also have publicly available privacy policies and terms of service that can be reviewed by users."

    Thats quite a big one to do, lots of games will need updating and I imagine most users will press no if presented with this.
     
    Shawn_Flanagan likes this.
  22. Antony-Blackett

    Antony-Blackett

    Joined:
    Feb 15, 2011
    Posts:
    845
    Unless they want cloud save games or multiplayer experiences, then they have no choice but to accept all data collection!
     
  23. Antony-Blackett

    Antony-Blackett

    Joined:
    Feb 15, 2011
    Posts:
    845
    Given that Unity are not responding, does anyone know of a reliable way to detect if a user is in the EU? We can then disable features for them until we can make them compliment in future? Or will we need to release an EU version of the app without Unity Analytics and Ads etc?
     
  24. marc_tanenbaum

    marc_tanenbaum

    Unity Technologies

    Joined:
    Oct 22, 2014
    Posts:
    313
    As @ap-unity said above, responses on this topic are necessarily slower than on, say, technical questions. I'm sorry about that...it's not that we're not listening. GDPR is a complex topic with lots of legal implications, so unfortunately we can't simply issue opinions or advice as we would on non-legal matters.

    We have a team dedicated to implementing a solution that will cover our customers across all our services, and we plan for it to be in place in time for May 25.
     
  25. Antony-Blackett

    Antony-Blackett

    Joined:
    Feb 15, 2011
    Posts:
    845
    So I can safely leave Unity Ads and Analytics in place? Or will there be some implementation that is required that means even if you have something compliant by the 25th, we may not be able to roll that out to our players by the 25th? That's what we are trying to figure out. I understand you can't offer legal advice to through a forum but we need clarity in terms of what we need to do to ensure we are not fined 20M euros. I'm sure you can understand our concern.
     
  26. marc_tanenbaum

    marc_tanenbaum

    Unity Technologies

    Joined:
    Oct 22, 2014
    Posts:
    313
    100%.

    It is our intention to have a plan in place that will allow you to maintain Unity services uninterrupted. It is also our plan to have any required changes in place in time for you to take necessary action.
     
    chribbe and Antony-Blackett like this.
  27. chribbe

    chribbe

    Joined:
    Dec 14, 2016
    Posts:
    2
    It's 36 days until GDPR.
    Feels great that you have an intention to have a plan!
     
  28. ysalmi

    ysalmi

    Joined:
    Jan 25, 2013
    Posts:
    18
    I received an email reply from Unity on Unity Analytics and GDPR. I won't post it verbatim but they've assured me that there will be an API update (before May 25th) that will allow us to display data collected and provide a way for users to opt-out and delete their data.

    My current plan is to strip out Unity Analytics before May 25th. I don't feel confident we can properly implement all the UI flows necessary for handling user privacy, presenting data while having an effective tutorial/first experience. Once the SDK update is available I will re-evaluate.
     
    Antony-Blackett likes this.
  29. Antony-Blackett

    Antony-Blackett

    Joined:
    Feb 15, 2011
    Posts:
    845
    This is something every developer using these tools would want, perhaps they are working on a web-view style default user interface for this stuff? Hopefully that'll get us past compliance and then we can work on making it better from there... All hope until we see what they come up with.