Unity Analytics Data Privacy Plug-in Available Now in the Asset Store

Unity Analytics Data Privacy Plug-in

The Unity Manual has been updated with some additional GDPR information, including documentation about the plug-in:
https://docs.unity3d.com/Manual/UnityAnalyticsDataPrivacy.html

As mentioned on the plug-in page, if you use both Unity Ads and Analytics, the opt-out mechanism provided by Unity Ads applies to both services.

If you do not use Unity Ads, but do use other Unity Developer Services, such as Unity Analytics, IAP, Multiplayer, or Performance Reporting, then you must use the Unity Data Privacy plugin to provide the opt-out choice to your players. The plugin provides a button you can add to your game that opens a Unity web page where players can manage their privacy settings.

The plugin is available for Unity versions: 4.7 - 2018.1+.

If you have any questions, please refer to the FAQ in our GDPR statement. We will continue to update this page with more information.

If you have any specific questions about GDPR and Analytics, please contact: DPO@unity3d.com

If you have any technical issues with the plug-in, please let us know.

From http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=623051

Have we interpeted this wrong or is the Plugin in fact NOT compliant?

Thanks for posting. I have some specific questions…

So opt out status vars looks like this:

struct OptOutStatus

        {
            public bool optOut;
            public bool analyticsEnabled;
            public bool deviceStatsEnabled;
            public bool limitUserTracking;
            public bool performanceReportingEnabled;
        }

Fairly obvious, analytics.Enabled = Unity - Scripting API: Analytics.Analytics.enabled

deviceStatsEnabled = can only be turned off if analytics AND performance reporting is off

so it is possible to use deviceStats and performanceReporting without analytics? I’m guessing no.

Analytics.limitUserTracking = “Setting this property to true causes the Analytics service to further anonymize data by not sending SystemInfo.deviceUniqueIdentifier for game users. By default limitUserTracking is false.”

From your GDPR Faq:
“If a game developer or publisher enables Unity Ads or Unity Analytics for their game, we collect data such as device type, country, device language, in-game behavior and purchases, IP address, Apple’s Advertising Identifier (IDFA), and Google Play advertising ID.”

So using limitUserTracking will stop sending Apple IDFA and Google Play ad ID?

In your COPPA page, it says:
“In order to provide analytics for your games, Unity Analytics generates an anonymized user ID for each user in your game. We do not use any of these IDs generated from Child Apps to track users across apps built by other developers or to map users between different services, devices, or browsers on the same computer.”

So that suggests if you don’t have a child directed app, IDs are tracked across different apps and services right?

also COPPA page “In addition to these IDs, Unity Analytics also collects the following personal information from Child App users: IP address, identifiers for advertisers (IDFA is only collected if Unity Ads is also enabled) and device identifiers (IDFV, Android device ID or IMEI if Android device ID is unavailable).”

So in a child direct app, with no ads, you still collect IP Address, and device identifiers (IDFV, Android device ID or IMEI if Android device ID is unavailable) ?

Google Analytics allows you to anonymise the IP address, why doesn’t Unity Analytics provide this option? For those that still want to use analytics but provide better privacy for their users?

In the gdpr FAQ it says: “Will players be able to opt-in or opt-out of data collection at any time? Each time a Unity ad appears in a game, players will be able to access and change their privacy setting via the Info “” icon on the Unity ad.”

With the above plugin, when you open the URL, it says when you opt-out the tracking “I understand that this action cannot be undone”, so which is it? Contradicting statements there.

It would be really useful for Unity to provide clarity to the information above, as I’m very close to removing all cloud services from my apps at the moment.

Many thanks

My company is also concerned about the same issue brought up by HT-OAludden above.

Any word on this?

My company is also concerned about the same issue brought up by earlier posters.

All I want is piece of code that we can add to our apps to disable data collecting.

I can answer any technical questions about the functionality of the Analytics system or the Data Privacy plug-in. If you have any questions about Unity’s stance on GDPR, I will forward them to our legal team for a response.

Please keep an eye on our GDPR page, as we will continue to update it with more information:

You can also forward questions directly to GDPR@unity3d.com.

@HT-OAludden , @plindberg , @sandbaydev

I’ve forwarded this concern to the legal team and they are working on a response.

Cool, many thanks. Could you please answer the technical questions in my post above. The policy stuff I will email questions in.

Thanks

@coshea_1

Some clarification about the plug-in and why it might be necessary.

Not all of the flags are available in all versions of Unity. This means the behavior within the app will vary by version. For example, on the current version of Unity, the limitUserTracking flag will set the deviceid to “Unknown” for outgoing requests. On older versions of the editor, this was not possible.

Regardless of Unity version, if the player decides to opt-out with the plug-in, that preference is sent to Unity. We track these opt-out requests for each unique Application-Device-Player entity. This means that a unique player’s opt-out preference will not carry over across different Unity games. For players who have opted-out, Unity will remove personal data and identifiable information in our backend system through a mixed process of deletion and anonymization. Unity will also prevent future storage of personally identifiable information.

No, that isn’t possible.

Correction: This is possible. Both performanceReporting and analytics will turn on deviceStats, but they are independent of each other. So you can have performanceReporting and deviceStats enabled without analytics.

When analytics is disabled custom events, userinfo events and transaction events will be not be sent.

In 2018.1+, if limitUserTracking is set to true, the deviceid will be set to Unknown. Older versions will continue to send the deviceid in events; however, this data will not be stored if the player has opted out.

Edit: limitUserTracking will set deviceid to "unknown" for events since 5.6, but the deviceid is still sent for the Remote Config request until 2018.1 when that stopped.

I will double check and get you a more complete answer to this tomorrow morning.

I’m not aware of any plans anonymize the IP address. We will also be removing the IP address from our Raw Data Export files .

If you are using Unity Ads, you can use their GDPR compliance option.

If you are not using Unity Ads, but are using any other Unity service (Analytics, IAP, Performance Reporting, Multiplayer, etc.) or have a game with HW Statistics enabled, then you can use the Analytics Data Privacy plug-in. The Data Privacy plug-in from Analytics does not currently support modifying the privacy setting after a player has opted out.

Thanks for the detailed answers @ap-unity . On our end, we can’t easily ask our players to opt-out (our game is for children under 13). Are you aware of a way to keep using some services like IAP and Performance Reporting, and to disable analytics in code without asking users?

@Swah

I do hope that below is actually the answer for your question:

Or is SystemInfo.deviceUniqueIdentifier a prerequisite for IAP to operate?

Is there a way to deactivate any and all data collection completely?

@PW777

If you create a build that has all Unity Services disabled (Analytics, IAP, Ads, Performance Reporting, Multiplayer, etc.) and have “Enable Device HW Statistics” unchecked in Player Settings → Other Settings, then that build will not send any data to Unity.

@HT-OAludden , @plindberg

The GDPR page has been updated to address this concern:
https://unity3d.com/legal/gdpr

Thanks for the responsiveness @ap-unity .

To reiterate and be more precise about my previous question: Are you aware of a way to keep using some services like IAP and Performance Reporting, without collecting personal data such as IP addresses? A good way to do this would be to disable analytics in code without having to ask users.

Maybe another way to do this: can we just turn off analytics on Unity’s project webpage? I assume this is not a solution and that it would also prevent services like IAP and Performance Reporting from working?

I want to know this too. If the user opt-out, will Unity IAP work?

This is important, maybe we need to update our game and disable or hide all in-apps if the user chose to opt-out.

It’s stated at top and in the plugin readme that the plugin is unnecessary if you’re using Unity Ads. However, as I understand it, Unity Ads provides an opt-out only when a Unity Ad is shown, which means the opt-out is never shown if an ad is not shown, whether because Unity Ads fails to serve up an ad or if the game is designed so that ads are only optionally shown (run an ad to get some kind of reward) or shown very late (I have games where the ad is only shown at the end of the game) so if you quit the game you never see the ad, or if you see the ad it’s after analytics has been collecting for a long time.

So it seems to me if you need the plugin if you’re not using Unity Ads, maybe you should still use it even with Unity Ads.

I just do not understand. all we need consent parameter that can be access via code.

1. User click “Give Consent” button in Unity App / Game
2. Unity.consentGiven = true ( send pers. data ) else ( not send any data )

Everything is this simple. Any other type of implementation will raise questions and not %100 compliant with GDPR

For ads, you can do it with code:
https://unityads.unity3d.com/help/legal/gdpr

But not sure if doing that will affect analytics (it says that if you use ads you don’t need this plugin) or we will need that anyway.

But I am using Unity IAP only.