- Will you update your terms in relation to GDPR?
- What is GDPR?
- When does GDPR go into effect?
- What kind of data does GameAnalytics collect?
- What is personal data?
- What is our status under GDPR?
- Are we allowed to collect this data?
- How do we get consent to collect this data?
- Why do we need consent for marketing purposes from players?
- How do we verify that we have consent?
- What about individuals under the age of 16?
- Do we store records of consent?
- What happens when a game developer fails their audit?
- Can we transfer personal data outside of EU territories?
- Do we have any restrictions on data retention?
- When will we remove data?
- How can you prepare for GDPR?
Will you update your terms in relation to GDPR?
Continuing to use GameAnalytics constitutes acceptance of these updated policies.
What is GDPR?
The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens' data privacy and to reshape the way organizations across the region approach data privacy.
When does GDPR go into effect?
May 25th 2018.
GameAnalytics will be compliant with GDPR on this date – our internal work, as well as work with legal counsel to put this in place, has been ongoing since the end of 2017.
What kind of data does GameAnalytics collect?
We collect personal data from two categories of individuals:
- Game developers – our users who track the performance of their game(s) with GameAnalytics
- Players – the players of games tracked with GameAnalytics
What is personal data?
According to GDPR, personal data is:
“Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data.
Personal data that has been de-identified, encrypted or pseudonymised but can be used to re-identify a person remains personal data and falls within the scope of the law.”
This means that not only is personally identifiable information like the user’s name, email address, or device ID (IDFA/GAID) personal data, but so is any data we can associate with one person, even if we cannot identify that person in the real world.
The most important consequence of this is that any data associated with one individual (or an ID referring to one individual, even if it is a randomly generated ID) is personal data – including actions they have taken in a game, such as starting the tutorial, picking a character, beginning or ending a session.
What is our status under GDPR?
Because we store, process, and enable game developers to use the data we collect (i.e. via segmentation, A/B tests, etc.), we are both a data processor and a data controller under GDPR.
Are we allowed to collect this data?
Yes, as long as the user (game developer or player) has consented to their data being collected and used for analytics and marketing purposes.
How do we get consent to collect this data?
The way we obtain consent differs by the type of audience.
- For players, the game developers must ask for consent when the game opens, before any data has been sent to us (or to other data controllers and processors). The consent they ask for from their players must include that their data will be used for analytics and marketing purposes. Most game developers should also have publicly available privacy policies and terms of service that can be reviewed by users.
Under GDPR, consent is: “Consent must be freely given, specific, informed and unambiguous. Informed consent means that you must be given information about the processing of your personal data”.
Why do we need consent for marketing purposes from players?
Consent for marketing purposes is essential to power some GameAnalytics features – such as Segments, A/B testing, and the Command Center. While we do not know if a segment, experiment, or config will be used for marketing purposes, their intended use cases are for game developers to alter their games in ways that can market in-app purchases to their users, or enable them to show ads to their users, which are all marketing activities.
How do we verify that we have consent?
- For players, we will audit game developers on a regular basis. The exact process of the audit will be put in place and its goal will be to determine if the game developer has made sufficient effort to ensure that the data collected is obtained with consent.
What about individuals under the age of 16?
Parental consent will be required to process the personal data of children under the age of 16 for online services. Here is an example from the draft guidance on consent, for how this could be implemented:
“[Example 17] An online gaming platform wants to make sure underage customers only subscribe to its services with the consent of their parents or guardians. The controller follows these steps:
Step 1: ask the user to state whether they are under or over the age of 16 (or alternative age of digital consent)
If the user states that they are under the age of digital consent:
Step 2: service informs the child that a parent or guardian needs to consent or authorise the processing before the service is provided to the child. The user is requested to disclose the email address of a parent or guardian.
Step 3: service contacts the parent or guardian and obtains their consent via email for processing and take reasonable steps to confirm that the adult has parental responsibility.
Step 4: in case of complaints, the platform takes additional steps to verify the age of the subscriber.
If the platform has met the other consent requirements, the platform can comply with the additional criteria of Article 8 GDPR by following these steps.”
Do we store records of consent?
- For game developers – we will store a record of consent in our user DB and management system.
- For players – we will not do so when GDPR comes into effect, but we may decide to do so at a later date, through an SDK and/or API. However, due to the slow adoption of SDKs and to the lifecycle of games (i.e. end-of-life games in particular), SDK-collected consent will not initially be sufficiently accurate for us to either blacklist or suspend a game developer. Any such decisions will be made as a result of an audit only.
What happens when a game developer fails their audit?
If a game developer is selected for an audit and we find that they do not collect consent, we will provide a term of 30 days for them to remediate the situation, before blacklisting them. At the end of the 30 days we will check in with the developer to see if appropriate measures have been implemented. If the game developer requests an extension of term, this can be provided (dependent on review), up to a total of 30 days.
Can we transfer personal data outside of EU territories?
Yes, if appropriate safeguards are in place. Our data resides in AWS, which is part of the EU-US Privacy Shield. The Privacy Shield “protects the fundamental rights of anyone in the EU whose personal data is transferred to the United States for commercial purposes.”
Do we have any restrictions on data retention?
According to GDPR, data must be stored for as little time as possible, and individuals must be clearly informed of how long their data will be retained.
“You must store data for the shortest time possible. That period should take into account the reasons why your company/organisation needs to process the data, as well as any legal obligations to keep the data for a fixed period of time (for example national labour, tax or anti-fraud laws requiring you to keep personal data about your employees for a defined period, product warranty duration, etc.).
Your company/organisation should establish time limits to erase or review the data stored.
By way of an exception, personal data may be kept for a longer period for archiving purposes in the public interest or for reasons of scientific or historical research, provided that appropriate technical and organisational measures are put in place (such as anonymisation, encryption, etc.).
Your company/organisation must also ensure that the data held is accurate and kept up-to-date.”
When will we remove data?
For player data the retention period will be at most 24 months – we will start to remove raw game events older than 24 months in preparation for GDPR.
The removal of raw data older than 24 months will start April 23rd 2018.
For game developers’ data – the interval may vary depending on whether the account is still active.
How can you prepare for GDPR?
GDPR will require consent from all European users. This consent should in most cases be collected inside your game’s user interface. You can at this time prepare by developing UI for collecting said consent when your game is first launche