A guide to GDPR requirements for mobile game developers
AppSecTest's Julian Evans simplifies GDPR for game studios, and details the rules they need to follow and why
Mobile game developers and QA testers spend vast amounts of time conducting research and rigorous testing to gain a picture of whether a game will succeed in what is a competitive market.
With the launch of the General Data Protection Regulation (GDPR) back in May 2018, compliance with the regulations added yet another layer of testing and research. But what does GDPR mean? And why do developers and QA testers need to care about it?
Essentially, game studios are required under GDPR to know what user-data they and their partners are collecting and why.
Knowing what your partners collect through software developer kits can be hit and miss
Understanding what user-data is being collected by the first-party (i.e. game developer) isn't that much of a problem for game studios (as they will have access to their own source code).
However, knowing what your partners collect through software developer kits (SDKs) can be hit and miss and can lead to inaccurate reporting of what data is being collected and shared, and for what purpose.
This has now become even more important, given Apple is about to launch iOS 14.5 which introduces a new feature called App Tracking Transparency (ATT). Game studios will need to make sure their iOS games ask users for permission to use the Identifier for Advertisers (IDFA) when tracking across different apps and websites.
So firstly, let's simplify the GDPR for game studios, as the legal jargon can be difficult to interpret.
Rules you need to follow and why
GDPR lists 99 Articles and Recitals. Not all of them apply to mobile game development and publishing.
Here are the main Articles you should pay attention to, when building and publishing your mobile game. It's all about providing your player community with transparency while also complying with the GDPR:
- Under the GDPR, it's important to understand that you must comply with Articles 7 & 8, with a focus on children's consent (those under the age of 16). This could be achieved by adding an in-game consent notice and or a data privacy label.
- Building data protection into the mobile game design aligns with Articles 5 & 25. This can be time-consuming and costly but your developer and QA teams should develop granular data control, so players know what is being collected and why. This can be highlighted in a privacy policy or in-game consent notice.
- Factor in a user's right to access the data collected about them under Article 15. This should reside in your privacy policy, which informs players they have the right to obtain a copy of their personal information that is undergoing processing by you or your third-party partners.
Your developer and QA teams should develop granular data control, so players know what is being collected and why
- Privacy policies should be transparent when it comes to informing players of their right to erase player information under Article 17 (Right to be Forgotten), which includes mobile game usage data and diagnostics.
- The user and device-identifying data your partners collect should be stored encrypted on the device and your servers. This falls under Article 32, Security of Processing and includes any app logs, such as crash and analytics reports which might identify a user or their device.
- What happens in the event one of your partners is a victim of a security breach? This might be a server-side data breach, which under Articles 33 & 34, means you will have to to consider security issues that might come from disclosure, access to data, loss of sensitive personal data, and other linked information, such as financial data.
- Lastly, and critically, you will have to consider privacy issues in the event of a data breach, which also falls under Article 5. Your partners should securely handle any player data they might collect, including considering whether or not they need to collect certain data types i.e. location or specific usage data from your mobile game.
GDPR-compliant tips for developers and publishers
At this point, you should have a better understanding of the legal requirements for mobile games. Now it's time to put them into practice.
So how, exactly, do you make an app GDPR-compliant and also comply with Apple's iOS 14.5 release? Here are some useful tips.
● For both Android and iOS
- Develop an account-based personalised tool when signing up players. Players will be able to drill down into data they have consented to be collected and why, which should also help developers improve the gaming experience as well as offer in-game rewards for sharing their data or registering an account.
- Make sure you have the latest third-party SDKs installed in your game when reviewing the code that will collect user and device-identifying data.
- Read the third-party SDK vendors' privacy policy and documentation to understand if the SDK offers end-user consent when used by EU citizens.
Game studios should be thinking about being completely transparent and building trust
- Obtain end-user consent if you and your partners are collecting information such as email address, telephone number, physical address, device location, purchase information that can be linked to a player, advertising ID, network ID such as International Mobile Equipment Identity (IMEI) or International Mobile Subscriber identity (IMSI) and analytics and Crashlytics device logging data that can also be linked to a user or device.
- Check the SDK documentation, as some third-party SDKs can flag when a user is located in the EU and provides the option to disable data collection. Don't forget to check you are not using deprecated SDK code.
● For Android only
- Under the Google EU User Consent Policy, make sure that your players in the European Union are aware of what personal and device-identifying data you collect and why.
● For iOS only
- Using probabilistic matching data -- which cross-references iOS device IP addresses against the information you hold on your own users to identify and track them -- will not work. In the last two weeks, Apple started sending out letters to companies who were using this feature and telling them to remove any code that supports this functionality (see next point).
- Adding a consent notice option when you open the game because a user's device has disabled advertising tracking (IDFA) will provide clear and transparent information about the data types you collect and why. This will also help educate users that Ad SDKs, in particular, add to the gaming experience.
Privacy has started to appear in the mainstream media, mostly in the last 12 months. This has predominantly been led by Apple, who believe privacy is a fundamental human right.
Last year Apple announced Privacy Labels, which will display the types of data collected by apps on their App Store.
Apple is also about to launch the App Tracking Transparency (ATT) in iOS 14.5 later this month, which is predicted to affect the install rates of games and revenue for studios and third-party partners.
Game studios should be thinking about being completely transparent and building trust, which can be used to build medium-long term player retention value and increase revenue.
One thing is certain. GDPR and Privacy are now deeply embedded in everyone's mindset and here to stay.
Julian Evans is CEO of AppSecTest, UK-based developer of ASAnalyzer, a solution that helps publishers manage mobile game data quality, identify new privacy controls and drive better user interactions. Founded by Julian Evans, Matthew Johnston (COO), Adam Jennings (CTO) and Jake Kiermasz (solutions architect) in May 2018, AppSecTest is now a Keywords Ventures company.