Last updated: 23rd May, 2023
Where can I find the most up-to-date GameAnalytics terms?
- Terms and Conditions
- EU Data Processing Addendum
- Developer Policy
- EU Privacy Notice
- Privacy and Data Protection Addendum For Mainland China
- China PIPL Privacy Notice
What is Personal Data?
According to the EU General Data Protection Regulation 2016/679 (GDPR), “Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data.
Personal data that has been de-identified, encrypted or pseudonymised but can be used to re-identify a person remains personal data and falls within the scope of the law.”
This means that not only personally identifiable information like the user’s name, email address, or device ID (IDFA, IDFV, GAID, etc.) is personal data, but any data we can associate with a person, even if we cannot identify that person in the real world.
Any data associated with one individual (or an ID referring to one individual, even if it is a randomly generated ID) is Personal Data – including actions they have taken in a game, such as starting the tutorial, picking a character, beginning or ending a session.
What is GameAnalytics’ status under GDPR?
- GameAnalytics acts as a Data Processor within the meaning of Art. 28 GDPR when providing analytics services.
- As a Data Processor, GameAnalytics handles Personal Data on behalf of the Game Developer, which acts as a Data Controller.
- The analytics services provided by GameAnalytics involve the collection, analysis, and reporting of data from the Game.
- GameAnalytics will process the personal data obtained through the analytics services solely for the purposes instructed by the Game Developer.
- The types of personal data processed may include gameplay patterns, in-game purchases, and other relevant metrics.
- GameAnalytics will process the personal data in accordance with the Game Developer’s instructions and will not use the data for any other purposes than what was agreed in the GameAnalytics Terms and Conditions.
- GameAnalytics will implement appropriate security measures to ensure the confidentiality and integrity of the personal data processed during the analytics services.
- GameAnalytics will not disclose the personal data to any third parties unless specifically authorized by the Game Developer or required by law.
- GameAnalytics will assist the Game Developer in fulfilling its obligations regarding data protection, such as responding to data subject requests or notifying data breaches, as required by applicable privacy laws.
- GameAnalytics will retain the personal data obtained through the analytics services for the duration specified by the Game Developer or as otherwise agreed upon.
- Upon the Game Developer’s request or termination of the analytics services, GameAnalytics will securely delete or return all personal data in its possession, unless retention is necessary for legal and regulatory compliance or technical constraints.
- GameAnalytics will cooperate with the Game Developer and relevant authorities in case of any inquiries or investigations related to its analytics services.
- For any privacy-related concerns or inquiries, the Game Developer can contact GameAnalytics’ Privacy & Compliance Team at firstname.lastname@example.org.
What kind of data does GameAnalytics collect?
We collect personal data from two categories of individuals:
- Game developers – GameAnalytics’ clients who track the performance of their game(s) with GameAnalytics;
- Game players – the actual players (end-users) of games tracked with GameAnalytics’ SDKs. Please find additional information HERE.
What are game developers’ disclosure obligations?
Game developers must provide an in-app disclosure of data access, collection, use, and sharing. The in-app disclosure:
- Must be within the app itself, not only in the app description or on a website;
- Must be displayed in the normal usage of the app and not require the user to navigate into a menu or settings;
- Must describe the data being accessed or collected;
- Must explain how the data will be used and/or shared;
- Cannot be included with other disclosures unrelated to the collection of players’ personal data.
Is GameAnalytics allowed to collect and process this game data on behalf of the Game Developer?
Yes, as long as:
- game players (end-users) have consented to their data being collected and used for analytics, marketing and/or advertising purposes.
How do game developers get consent to collect this data?
Game developers must ask game players (end-users) for their freely given, specific, informed and unambiguous consent when the game opens and before any data has been sent to GameAnalytics. Game developers must also have a publicly available privacy notice and terms & conditions that can be reviewed by game players (end-users).
In-app disclosure must accompany and immediately precede a request for player consent. Game developers must not access, collect or share any personal data until the player consents.
Under GDPR, obtaining valid consent for processing personal data is crucial when using an SDK for analytics purposes in mobile game apps.
Here are some best practices to follow when asking for consent:
- Use clear and simple language: Make sure the language you use is easy to understand and avoid using legal jargon or complex terms. Use concise and straightforward sentences that explain what data will be collected, how it will be used, and who it will be shared with.
- Offer a genuine choice: Consent must be freely given, which means that players should be able to opt-in or opt-out of data processing without any negative consequences. Provide players with a clear option to opt-in or opt-out of analytics tracking when they first launch the app.
- Provide a separate consent request: Make sure that the request for consent is separate from other terms and conditions. Players should be able to easily understand what they are consenting to, and you should avoid using pre-ticked checkboxes or other techniques that may make it difficult for them to understand what they are agreeing to.
- Allow granular consent: Players should be able to choose which types of data they want to share. Provide players with a clear list of the data that you will collect, and allow them to select which data they are willing to share.
- Make it easy to withdraw consent: Players should be able to withdraw their consent at any time, and you should provide clear instructions on how to do so. Make sure that players can easily access the opt-out option in the app’s settings.
- Provide information on the data controller: You should provide clear information on who is the data controller and how to contact them if the player has any questions or concerns.
- Document consent: Keep a record of the consent obtained, including when and how it was obtained, and the information provided to the player at the time of consent.
The app’s request for consent:
- Must present the consent dialog clearly and unambiguously;
- Must require affirmative user action (e.g., tap to accept, tick a check-box);
- Must not interpret navigation away from the disclosure (including tapping away or pressing the back or home button) as consent; and
- Must not use auto-dismissing or expiring messages as a means of obtaining user consent.
How does GameAnalytics verify that game players have consented?
GameAnalytics will audit game developers on a regular basis. The audit process will determine if the game developer has made sufficient effort to ensure that the data collected is obtained and processed in compliance with the applicable data protection laws.
What about individuals under the age of 16?
Parental consent is required to process the personal data of children under the age of 16 for online services.
Example: An online gaming platform wants to make sure underage customers only subscribe to its services with the consent of their parents or guardians. The game developer shall follow these steps:
- Step 1: Game developers must determine if the game player is under or over the age of 16 (or alternative age of digital consent).
- Step 2: If the game developer determines that the player is under the age of digital consent or the player states that they are under the age of digital consent, the game developer must inform the player that a parent or guardian needs to consent or authorise the processing before the service is provided to the player. The player is requested to disclose the email address of a parent or guardian.
- Step 3: The game developer contacts the parent or guardian and obtains their consent via email for processing and takes reasonable steps to confirm that the adult has parental responsibility.
- Step 4: In case of complaints, the game developer must take additional steps to verify the age of the player.
Targeting Children/Kids Notification
At GameAnalytics, we request that game developers inform us promptly if their game is designed to target children or kids, as per applicable privacy laws. This notification is crucial for us to comply with data protection regulations and implement measures to protect the privacy of children.
Game developers are responsible for providing clear and timely communication about their game’s intended audience, specifically indicating if it is intended for children or kids. This information helps us adapt our data processing practices and implement necessary safeguards to protect the privacy and data of young users.
Compliance with regulations such as the Children’s Online Privacy Protection Act (COPPA) in the United States or the General Data Protection Regulation (GDPR) in the European Union is essential when handling personal information of children.
We strongly encourage game developers to prioritize providing accurate and timely information to ensure the highest standards of data protection and privacy compliance.
Does GameAnalytics store records of consent?
- For game developers – we will store a record of consent in our game developers database and management systems.
- For game players – consent collection and storage is under the sole responsibility of each game developer.
What happens when a game developer fails their audit?
If a game developer is selected for an audit and GameAnalytics determines that they do not collect consent, GameAnalytics will provide a term of 30 days for them to remediate, before blacklisting the game. At the end of the 30 days, GameAnalytics will check in with the game developer to determine if appropriate measures have been implemented.
Can personal data be transferred outside of EU territories?
Yes, but only if appropriate safeguards are in place. GameAnalytics data resides in AWS and GCP. GameAnalytics relies on the EU Standard Contractual Clauses (SCCs) (also known as EU Model Clauses) to transfer data to its vendors located in third countries, since the SCCs provide specific guarantees around transfers of personal data for in-scope services. The EU Model Clauses are used in agreements between service providers (such as AWS) and GameAnalytics to ensure that any personal data leaving the EEA will be transferred in compliance with the applicable privacy laws.
In July 2020, the Court of Justice of the European Union (CJEU) invalidated the EU-US Privacy Shield Framework for transfers of personal data from the EU to the United States. However, the EU Model Clauses continue to provide a valid mechanism for the transfer of personal data from the EU and EEA, as well as from Switzerland and the United Kingdom.
Are there any restrictions on data retention?
According to GDPR, data must be stored for as little time as possible, and individuals must be clearly informed for how long their data will be retained.
GDPR specifies: “You must store data for the shortest time possible. That period should take into account the reasons why your company/organisation needs to process the data, as well as any legal obligations to keep the data for a fixed period of time (for example national labour, tax or anti-fraud laws requiring you to keep personal data about your employees for a defined period, product warranty duration, etc.).
By way of an exception, personal data may be kept for a longer period for archiving purposes in the public interest or for reasons of scientific or historical research, provided that appropriate technical and organisational measures are put in place (such as anonymisation, encryption, etc.).”
Chinese PIPL compliance
PIPL stands for the Personal Information Protection Law, a data privacy law passed by China’s National People’s Congress to protect the data privacy of natural persons based in the People’s Republic of China (hereinafter “China”).
PIPL came into effect on November 1, 2021 and requires players in China to affirmatively consent (“Opt-In”) to have their personal information transferred and processed outside of China. Game developers must ensure their game is using a consent solution to comply with PIPL. Only data from game players who have consented to both ads personalization and to have their personal information transferred outside of China can be processed lawfully.
Please reach out to our Privacy & Compliance Team at email@example.com