Possible GDPR violation for your app - email received!
Hi, I’ve received an email/report today indicating possible GDPR compliance issues with some of my games.
The games are set up following the GameSalad GDPR guide (using a custom GDPR form in the first scene which then sets the variable 'privateDataConsentForAds' to 0 or 1 depending on the user's choice).
The report seems to indicate that the games are sharing the Android Advertising ID with advertising networks before any GDPR selection has been made (when the 'privateDataConsentForAds' is still set to -1).
The games are using the Ironsource ad network and were published fairly recently using the RC.
@adent42 - is this something we need to worry about? Something that needs fixing?
*** The email/report has come from CISPA (Helmholtz Center for Information Security), a German Science Institute. I’ve checked them out and it seems legit.
Comments
@DigiChain iOS or Android (helps me track stuff down faster). Thanks!
It's Android - but I don't think they are analysing iOS so may be an iOS problem too. They've analysed a number of my apps and they all have been flagged with the same issue.
@adent42 - I'll PM you a link to the reports. They give more detail on how the apps were tested.
I realise this is an old thread - but I've just received another couple of reports from CISPA (Helmholtz Center for Information Security) regarding GDPR violations of GameSalad apps on the Google Play store. Both apps are set up in the same way as the apps described above; they were last updated on the Google Play store in August 2020.
@adent42 - did you ever look into this further? I sent you the reports and portfolio links of the apps when this was first reported. Have there been any updates to fix this since these apps were published (August 2020)?
CISPA is not enforcing GDPR compliance. They send those e-mails out all the time and these e-mails appear to be a part of a research project. They also send them to other games with different engines. You can safely ignore them if you don't want to participate.
That being said, if you send me a link to your app, I can try it with Charles and see what it is sending. I suspect it is just the Google Advertising ID. In which case, Google and the EU had a battle regarding this ID for years and there is really nothing that you can do on your end.
@DigiChain it also dropped off my radar (that or I couldn't find anything wrong from our side). Could you PM me your publishing link again so I can take a look? There's also a chance you published during a period when we were leaving in some code from various ad networks.
In our older build system we removed code as needed, but that meant we missed some things. Also, around the time we started GDPR compliance work, not all of the ad SDKs had completed their work to comply (or even if they said they did, they missed some things).
In our current build system, we only add what's necessary, so that should be better and you may just want to re-publish when our new RC comes out (with updated ad network SDKs as well).
The report that CISPA has sent me indicates that the app is sending data (the Android Advertising ID) before any GDPR selection has been made by the app user. Looks like it is being sent to Unityads and supersonicads.
@adriangomez - This is one of the apps: https://play.google.com/store/apps/details?id=com.chopperkhan.stickmangamer&hl=en_GB&gl=US
If you could take a look and see what it is sending that would be really helpful!
@adent42 - I'll PM you the publishing link for the newly reported games. Thanks!
I think I found a possible issue. I have updated the manifest for the next release to prevent sending ad information until the ad system is initialized (Android starts sending data on startup otherwise).
This will be in the next RC.
Ok thanks. Is it only android that is sending data on startup, or will iOS apps need updating too?
Android, it's an Admob specific thing.
I'll double check iOS when we get to it though.
@adent42 Are you sure it's Admob specific? - These apps are using the Ironsource ad network (though Admob is being mediated through Ironsource). They also seem to be transmitting data to unityads.com and supersonicads.com.
I only see 2 requests before or during the limitAdTracking dialog box. One is from unityads. I don't see any sort of tracking information here.
eventType=load&token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.….kHSaY7KXAvZhWlRZH_TDWG-M3gIAbl7euhZF6LmhjK0&abGroup=1&gameId=3736287&campaignId=005472656d6f7220416e6472&adUnitId=Android_Interstitial&coppa=false&optOutEnabled=false&frameworkName=&frameworkVersion=&platform=android&sdkVersion=3420&seatId=&country=US&lv5s=true&osv=5.0.2&oor=false&le=true&limitAdTracking=false
The second is from ironsource (supersonicads is their old name) and it is a bit more problematic since the gaid is being sent.
{
    "userIdType": "GAID",
    "userId": "07efb030-6271-44e0-8b40-204e714b38ae",
    "appKey": "d12883a5",
    "connectionType": "wifi",
    "isLimitAdTrackingEnabled": false,
    "gmtMinutesOffset": -240,
    "sessionId": "8c38cdca-ce90-4d3e-82b7-ccfa14a00473",
    "bundleId": "com.chopperkhan.stickmangamer",
    "jb": "false",
    "internalFreeMemory": 15970,
    "advertisingIdType": "GAID",
    "appVersion": "1.7",
    "sdkVersion": "6.16.1",
    "deviceOEM": "LGE",
    "osVersion": "21(5.0.2)",
    "deviceModel": "LG-D801",
    "advertisingId": "07efb030-6271-44e0-8b40-204e714b38ae",
    "language": "en",
    "deviceOS": "Android",
    "externalFreeMemory": 15970,
    "battery": 13,
    "abt": "A",
    "groupIdRV": "1542599",
    "is_coppa": "false",
    "groupIdIS": "1542601",
    "groupIdBN": "1542603",
    "internalTestId": "{}",
    "timestamp": 1649900506352,
    "adUnit": 3,
    "events": [{
        "provider": "Mediation",
        "sessionDepth": 1,
        "eventSessionId": "8c38cdca-ce90-4d3e-82b7-ccfa14a00473",
        "connectionType": "wifi",
        "eventId": 14,
        "timestamp": 1649900503964
    }, {
        "provider": "Mediation",
        "eventSessionId": "8c38cdca-ce90-4d3e-82b7-ccfa14a00473",
        "eventId": 41,
        "timestamp": 1649900504653
    }]
}
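The check performed by hand in the post above, written as an added example that is not part of any post in this thread: it scans proxy-captured request bodies (query strings or JSON) sent before the consent choice and flags any that carry a non-zero advertising ID. The capture format, hosts, IDs, timestamps and the `pre_consent_leaks` name are assumptions made for the illustration.

```python
import json
import re
from urllib.parse import parse_qsl

ID_KEYS = {"advertisingId", "userId"}  # field names seen in the capture above
UUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)
ZERO_ID = "00000000-0000-0000-0000-000000000000"  # all-zero ID identifies nobody

def walk(obj, path=""):
    """Yield (path, value) for every scalar in a nested JSON structure."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from walk(v, f"{path}.{k}" if path else k)
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from walk(v, f"{path}[{i}]")
    else:
        yield path, obj

def fields(body):
    """Return (name, value) pairs from a JSON body or a URL-encoded string."""
    try:
        return list(walk(json.loads(body)))
    except ValueError:  # not JSON: treat as key=value&key=value
        return parse_qsl(body, keep_blank_values=True)

def pre_consent_leaks(requests, consent_ts):
    """Flag requests sent before consent_ts that carry a real advertising ID."""
    findings = []
    for req in requests:
        if req["ts"] >= consent_ts:
            continue  # sent after the user answered the consent dialog
        for name, value in fields(req["body"]):
            key = name.rsplit(".", 1)[-1]
            if (key in ID_KEYS and isinstance(value, str)
                    and UUID_RE.match(value) and value != ZERO_ID):
                findings.append((req["host"], name, value))
    return findings

# Constructed sample capture: hosts, IDs and timestamps are made up.
FAKE_ID = "11111111-2222-3333-4444-555555555555"
CONSENT_TS = 5000  # moment the user made the GDPR choice (ms, hypothetical)
SAMPLE = [
    {"ts": 1000, "host": "ads.example.net",
     "body": "eventType=load&platform=android&limitAdTracking=false"},
    {"ts": 2000, "host": "mediation.example.net",
     "body": json.dumps({"userIdType": "GAID", "userId": FAKE_ID,
                         "advertisingId": FAKE_ID, "events": [{"eventId": 14}]})},
    {"ts": 3000, "host": "zero.example.net",
     "body": json.dumps({"advertisingId": ZERO_ID})},
    {"ts": 9000, "host": "mediation.example.net",
     "body": json.dumps({"advertisingId": FAKE_ID})},
]
```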
So the new build should be a bit smarter about initializing IronSrc. The Admob thing was just something I read about, and accounted for that in the new build too.
Ok, thanks @adriangomez & @adent42 for looking at this!
@adent42 - So if this was related to initializing Ironsource, does it mean iOS builds are also affected and will need updating too?
Yes-ish. We haven't updated IronSource on iOS yet.
Ok, I'll keep watching for that update then! Thanks
iOS is completely different. Although it might be initialized before asking for permission it won't be able to transmit the id for the advertiser because without permission iOS only provides a bunch of 0s.
Ok, thanks @adriangomez for clarifying the iOS situation.