
Ask HN: GDPR and gaming analytics

3 points | kruuuder | 8 years ago

We are working on a small smartphone game, to be released later this year. The game has RPG elements, so getting the game design right means balancing a lot of numbers. Now I'm wondering how we can collect this data while being GDPR compliant.

We need to answer questions like:

  - How many enemies has the player defeated when he reached level 5?
  - What's the win/loss ratio for his fights?
  - In which cities are the most players?

The game doesn't have user accounts, there is no registration. I plan to collect the data by sending events like "Player $X has found 250 gold" where X is a randomly generated ID that is stored only on the device and cannot be seen by the user. The server that receives these events can tie the string of events together to answer the questions above.

Here's the challenge:

Is this personal data? I think so, as the ID of the user uniquely identifies the user.

What if a user requests a copy of the data collected about him? I'd like to say that we cannot provide it, as it has been anonymized. However, in theory it would be possible to "de-anonymize" the data by retrieving the ID from the installed app.

So are we forced to offer the option to retrieve the ID from the installed app, just to make it possible to de-anonymize the data, so that a user can retrieve a copy?

Technically it looks like the collected events are personal data. But in reality, it's nothing "personal" like names, payment details, whatever online shops and social networks collect, just a log of game events. If we send this data back to the user, we would leak implementation details of the game, which we'd rather keep hidden from competitors and users.

Must the data collection be opt-in? Or can we require it? Just hoping that enough players share the game data doesn't seem viable. Without enough data, we cannot balance the game.

Is anyone else here in a similar situation? What do you do?

(Shortened cross post from reddit.com/r/gamedev)

6 comments

nynno | 8 years ago
From the https://gdpr-info.eu/art-4-gdpr/: "‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;"

The central question for you should be: is it possible to identify a natural person from the data you're processing? If it's a randomly generated ID and if no one (including you and your employees) can identify an individual from that ID (or other data you're storing/processing), then you should be on the safe side, and GDPR should not apply to you.

However, if it is possible to identify an individual from the ID (or other data), then you should comply with the GDPR. In that case, you should determine a lawful basis for processing (e.g., legitimate interest, consent), possibly ask for consent, and ensure that a data subject knows what his rights are (e.g., right to be informed, to rectification, data erasure, etc.).

My favorite GDPR resource is: https://ico.org.uk/for-organisations/guide-to-the-general-da... For basics, take a look here: https://www.gdprhq.io/post/how-the-new-european-general-data...

kruuuder | 8 years ago
Thank you for your comments.

"If it's randomly generated ID and if no-one (including you and your employees) can identify an individual from that ID ..."

If this is the relevant criterion, that is, if it's practically possible to deanonymize the data, I'd be in fact on the safe side.

However, theoretically, if someone were to access the device of a user and extract the user's ID (which would in practice require enormous effort), the data could be deanonymized. I'm wondering if there's a way to clarify that.

I will check your linked resources, maybe they clarify that.

kenbaylor | 8 years ago
Start with the basics: Personal data (PD). The GDPR applies to 'personal data' meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.

How is the consumer (data subject) linked to the ID? I.e., how does a human prove ownership of the account (email address, etc.)? This is where your PD is.

The solution is pretty easy. You create a table where a user is mapped to an ID. Then you create the rest of the game just as normal, only using the ID.

You WILL need a privacy notice showing data subject rights and detailing what you are collecting and why, and other third parties that you share data with. Also how to contact you to enforce those rights. This should be on the website and wherever the game is (mobile app etc).

If there's a data request, you give them the mapping of their PD to your ID, and that's really it.

If they invoke their right to be forgotten, then you update that row of the table with something other than PD being mapped to the ID. Effectively, they are forgotten.

You can collect data once you tell them what data you are collecting and why, if you are relying on informed consent. They can either give it and play, or not give it and not play.
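As an added example (not the commenter's code, and not the poster's project), here is the "mapping table" design from this comment in Python: identifying data lives in one table keyed by a contact such as an email address, the game only ever sees a random pseudonymous ID, an access request returns the mapping row plus everything linked to it, and erasure overwrites the identifying row with a tombstone so the ID can no longer be traced back to a person while the event log stays available for balancing. The class name, the tombstone format and the sample contact are my assumptions.

```python
import secrets

# Hypothetical pseudonymization layer; constructed for this thread, not a real project's code.
ERASED = "<erased>"  # prefix for tombstoned identity rows (assumption)


class PseudonymStore:
    """Identifying data in one table, game events keyed only by a random ID."""

    def __init__(self) -> None:
        self._identity: dict[str, str] = {}     # contact (e.g. email) -> pseudonymous ID
        self._events: dict[str, list] = {}      # pseudonymous ID -> event log

    def register(self, contact: str) -> str:
        """Issue a fresh random ID; the ID itself says nothing about the person."""
        if contact in self._identity:
            return self._identity[contact]
        pid = secrets.token_hex(16)
        self._identity[contact] = pid
        self._events[pid] = []
        return pid

    def record(self, pid: str, event: str, value: int) -> None:
        """Game logic only ever handles the pseudonymous ID, never the contact."""
        self._events.setdefault(pid, []).append({"event": event, "value": value})

    def access_request(self, contact: str) -> dict:
        """Subject access: hand back the mapping row plus everything linked to it."""
        pid = self._identity.get(contact)
        if pid is None:
            return {"contact": contact, "linked_data": None}
        return {"contact": contact, "pseudonymous_id": pid,
                "events": list(self._events[pid])}

    def erase(self, contact: str) -> bool:
        """Right to erasure: replace the identifying row with a tombstone.

        The event log is kept for balancing, but its key now points at no
        natural person. Whether that remaining log is still personal data is
        exactly the question the thread is debating.
        """
        pid = self._identity.pop(contact, None)
        if pid is None:
            return False
        self._identity[f"{ERASED}:{pid[:8]}"] = pid   # keeps the ID allocated, drops the PD
        return True

    def is_linkable(self, pid: str) -> bool:
        """True while some non-tombstoned identity row still points at this ID."""
        return any(v == pid and not k.startswith(ERASED)
                   for k, v in self._identity.items())


if __name__ == "__main__":
    store = PseudonymStore()
    pid = store.register("alice@example.test")     # constructed sample contact
    store.record(pid, "gold_found", 250)
    print(store.access_request("alice@example.test"))
    store.erase("alice@example.test")
    print("linkable after erasure:", store.is_linkable(pid))
```

The point of the split is that a data request and an erasure both touch a single row: nothing in the event pipeline has to know who a person is, and the privacy notice can describe the mapping table as the only place personal data is held.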

kruuuder | 8 years ago
I understand how the GDPR can be implemented, that was not my question.

My question is if/how I can implement gaming analytics without requiring the user to opt-in (most wouldn't, but I need data to balance), and without providing implementation details on request.

If I ask Blizzard for all personal data, will they provide me all World of Warcraft event details related to my in-game character, nicely formatted in JSON, so that it conforms to Art. 20 GDPR: "Right to data portability"? I don't think so. What will their solution look like?

kwillets | 8 years ago
You have 30 days to respond to a data request, so the default GDPR behavior is to delete all data within 30 days.

You also mostly want stat-significant aggregations, so if you take care to keep those differentially private (only aggregate large groups, etc.) you can keep that data. Just make data persistence opt-in rather than opt-out, e.g. delete all old files by default.
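As an added example (not the commenter's code), here is a server-side sketch of the two ideas in this comment: a retention purge that drops raw per-device events after 30 days, and a release step that suppresses small groups and adds Laplace noise before a per-city player count is published. The events, the 30-day window, the minimum group size of 5, epsilon of 1.0 and the simplification of thresholding on the exact count are all my assumptions.

```python
import math
import random
from datetime import date, timedelta

# Constructed sample pipeline; not the poster's project.
RETENTION_DAYS = 30   # raw per-device events are deleted by default after this (assumption)
MIN_GROUP = 5         # groups smaller than this are never published (assumption)
EPSILON = 1.0         # privacy budget per released count (assumption)


def sample_events(today_iso: str) -> list:
    """Constructed events: 8 devices in Berlin, 2 in Hamburg, one stale Berlin event."""
    today = date.fromisoformat(today_iso)
    ev = [{"device_id": f"dev-b{i}", "day": today - timedelta(days=i),
           "city": "Berlin", "outcome": "win"} for i in range(8)]
    ev += [{"device_id": f"dev-h{i}", "day": today,
            "city": "Hamburg", "outcome": "loss"} for i in range(2)]
    ev.append({"device_id": "dev-old", "day": today - timedelta(days=45),
               "city": "Berlin", "outcome": "win"})
    return ev


def purge_expired(events: list, today_iso: str, retention_days: int = RETENTION_DAYS) -> list:
    """Delete-by-default: keep only raw events inside the retention window."""
    cutoff = date.fromisoformat(today_iso) - timedelta(days=retention_days)
    return [e for e in events if e["day"] >= cutoff]


def players_per_city(events: list) -> dict:
    """Exact distinct-device count per city: the sensitive intermediate, never released as-is."""
    seen: dict = {}
    for e in events:
        seen.setdefault(e["city"], set()).add(e["device_id"])
    return {city: len(ids) for city, ids in seen.items()}


def laplace_noise(rng: random.Random, scale: float) -> float:
    """Inverse-CDF sample from Laplace(0, scale); rng is injectable so runs are reproducible."""
    u = rng.random() - 0.5
    sign = -1.0 if u < 0 else 1.0
    return -scale * sign * math.log(max(1e-12, 1.0 - 2.0 * abs(u)))


def release_counts(exact: dict, seed: int, epsilon: float = EPSILON,
                   min_group: int = MIN_GROUP) -> dict:
    """Suppress small groups, then add Laplace noise with scale 1/epsilon.

    Sensitivity is 1: adding or removing one player changes a city's count by
    at most 1. Thresholding on the exact count is a simplification; a strict
    DP implementation would noise first or charge the threshold its own budget.
    """
    rng = random.Random(seed)
    out = {}
    for city, n in exact.items():
        if n < min_group:
            continue   # too few players to publish without risking singling one out
        out[city] = max(0, round(n + laplace_noise(rng, 1.0 / epsilon)))
    return out


if __name__ == "__main__":
    today = "2018-05-25"   # constructed date
    kept = purge_expired(sample_events(today), today)
    print("exact:", players_per_city(kept))
    print("released:", release_counts(players_per_city(kept), seed=7))
```

Run as a script it prints the exact counts (8 Berlin, 2 Hamburg) and a released table that contains a noised Berlin figure and no Hamburg entry at all; the raw event with a 45-day-old timestamp is gone before any counting happens.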

usgroup | 8 years ago
Keep the analytics on the device. Collect them until you have a whole bunch of data. Then send it all at once.

That way you don't need to send a UID in order to know what's related to what, and thus all data is non-PII.
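As an added example (not the commenter's code), here is the on-device approach in Python: the phone keeps the raw event trail locally, folds it into the three summary figures the original post asks for, and uploads only that summary, with no device ID, no timestamps and no per-event log. A server-side `merge` then answers the design questions from a pile of such uploads. The class and field names and the sample play-through are my assumptions. One caveat worth keeping in view: a summary with a city plus unusual values can still single a player out, so the small-group threshold from the previous comment still applies on the receiving side.

```python
import json
import statistics

# Hypothetical on-device collector; constructed for this thread, not a real project's code.


class DeviceCollector:
    """Accumulates events locally and only ever exports an aggregate summary."""

    def __init__(self) -> None:
        self.kills = 0
        self.kills_at_level: dict = {}   # level reached -> cumulative kills at that moment
        self.wins = 0
        self.losses = 0
        self.city = None

    def on_enemy_defeated(self) -> None:
        self.kills += 1

    def on_level_up(self, new_level: int) -> None:
        self.kills_at_level[new_level] = self.kills

    def on_fight(self, won: bool) -> None:
        if won:
            self.wins += 1
        else:
            self.losses += 1

    def set_city(self, city: str) -> None:
        # Coarse location only (city, not coordinates) so the summary is not a movement trace.
        self.city = city

    def summary(self) -> dict:
        total = self.wins + self.losses
        return {
            "kills_at_level_5": self.kills_at_level.get(5),
            "win_ratio": round(self.wins / total, 2) if total else None,
            "fights": total,
            "city": self.city,
        }

    def upload_payload(self) -> str:
        """Serialise the summary for the one-shot upload; no identifier is attached."""
        payload = self.summary()
        assert "device_id" not in payload   # guard against a future field creeping in
        return json.dumps(payload, sort_keys=True)


def merge(payloads: list) -> dict:
    """Server side: fold anonymous summaries into the design questions from the thread."""
    kills, ratios, cities = [], [], {}
    for p in map(json.loads, payloads):
        if p["kills_at_level_5"] is not None:
            kills.append(p["kills_at_level_5"])
        if p["win_ratio"] is not None:
            ratios.append(p["win_ratio"])
        if p["city"]:
            cities[p["city"]] = cities.get(p["city"], 0) + 1
    return {
        "median_kills_at_level_5": statistics.median(kills) if kills else None,
        "mean_win_ratio": round(sum(ratios) / len(ratios), 2) if ratios else None,
        "players_per_city": cities,
    }


if __name__ == "__main__":
    d = DeviceCollector()                       # constructed play-through
    for _ in range(6):
        d.on_enemy_defeated()
    d.on_level_up(5)
    d.on_enemy_defeated()
    for won in (True, True, True, False):
        d.on_fight(won)
    d.set_city("Berlin")
    print(d.upload_payload())
    print(merge([d.upload_payload()]))
```

Because nothing in the payload links two uploads from the same device, the server cannot reconstruct a player's history, which is what lets the commenter argue the data is no longer personal; the price is that any question not anticipated in `summary()` cannot be asked of the data later.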