Quick Links: Download Gideros Studio | Gideros Documentation | Gideros Development Center | Gideros community chat
Gideros and GDPR? - Gideros Forum

Gideros and GDPR?

Anyone have any idea how Gideros apps may be affected by GDPR?

I was updating a few apps yesterday for other unrelated reasons, and noticed both AppLovin and Charboost SDK's are quite dated in the latest build. Both newer SDK's from them support GDPR requirements now so I will be looking at updating to those soon.

This then lead to me to think that plain apps without ads that are written in Gideros might be affected by GDPR ...I have no idea what Gideros does under the hood so to speak and therefore not sure if it complies or not TBH.

Sorry I have been gone a while :)
+1 -1 (+2 / -0 ) Share on Facebook


  • hgy29hgy29 Maintainer
    Accepted Answer
    My understanding is that GDPR is about protecting user's personal data. Gideros doesn't collect user data for its own use, so it is safe. However, if your code do collect user data, which can be name, age, etc but also user location through GPS or anything that is somewhat personal to the user then you are concerned.
    Technically a player's score is a personal data, so games with leaderboards are actually concerned.

    Likes: MobAmuse

    +1 -1 (+1 / -0 ) Share on Facebook
  • OK I don't collect anything or have any leaderboards in any apps now, paid or free.

    I do have ads via Charboost and AppLovin and will want to update both of those to their latest SDK's which support GDPR in EU region.

    SinisterSoft is going to have a look at those soon he said so that I can rebuild all my free apps with ads to the latest ads sdk's hopefully.

    AppLovin SDK is now at 8.0.1
    Chartboost SDK is now at 7.2.0

    Gideros latest build as of time of writing is still on older...

    Updating these from time to time also increases revenue from past experience, so hopefully Gideros can be updated soon to use latest ad sdk's.

    Thank you.
  • simwhisimwhi Member
    edited May 2018
    I noticed that Appodeal have just updated there SDK to be compliant with GDPR. My understanding is that users have to grant permission for their personal data to be used when serving localised ads. If permission is not granted then only non-targeted can be served. Unfortunately, Appodeal have ceased updating the Gideros plugin as of March 14th.

    Likes: MobAmuse

    +1 -1 (+1 / -0 ) Share on Facebook
  • Yes I noticed that with Appodeal recently also. I only use Chartboost and AppLovin myself directly.
  • simwhisimwhi Member
    There is also the issue of using any analytics services such as Flurry or Firebase.

    Likes: MobAmuse

    +1 -1 (+1 / -0 ) Share on Facebook
  • Yes, I don't use any of those either in my apps.
  • simwhisimwhi Member
    edited May 2018
    My understanding is that users will have to provide explicit consent when apps use 3rd party advertising SDKs.
  • simwhisimwhi Member
    Hi everyone,

    After doing some more research and talking with my business partner, we both agree that there is no way to comply with GDPR with Gideros (or other frameworks for that matter) as it currently stands.

    The issues:

    1) All ad network SDKs need to have explicit consent to either show targeted or non-targeted ads. Consent / non consent would need to be passed to the SDK as a parameter. All ad SDKs supported by Gideros will need to be updated. Here is some further information about admob as an example: https://developers.google.com/admob/android/eu-consent

    2) Apps will need to display a consent dialogue for users to opt-in to targeted ads and analytics SDKs.

    3) The opt-out options has to be the default option.

    How to comply in the short term:

    1) Disable ads in EU countries.

    2) Disable analytics in EU counties.

    3) Disable other SDKs that use personal data for EU countries.


    1) Remove ads for users in the EU.
    2) Remove analytics for users in the EU.

    Here is an interesting article:

    This is a real problem. The above information is purely our own opinions based on personal research. We'd love to hear other views and interpretations to find a solution to these issues.

    Likes: Apollo14, MobAmuse

    +1 -1 (+2 / -0 ) Share on Facebook
  • Yes I have since updated many of my Android apps this week to latest ad SDK's but even then Chartboost does not seem to comply and although AppLovin does you have to set a flag to the SDK to allow it to correct its own ads display for the EU marketplace for example.

    Grim really as the options are basically as you describe.

    I am considering removing ad versions from EU altogether if I come under pressure in due course, as most of my market is outside Europe.

    I will wait and see what everybody else does first tho including non-Gideros apps :)

    The whole thing is a farce. The ad providers should be handling the country specific stuff inside the ad sdk wrapper 100% really.

    My gut tells me this is not going to work out very well at all. How this will be policed with millions of apps alone is beyond me.

    Likes: simwhi

    +1 -1 (+1 / -0 ) Share on Facebook
  • hgy29hgy29 Maintainer
    Just to clarify, Gideros has no internal issue with GDPR, since you are not required to show ads nor to collect analytics. But to ease things a bit maybe gideros could be modded so as to enable/disable plugins at run time.
    That way the developer could prompt the user for consent before enabling ads and analytics (or anything else).

    However I bet most users will say no to ads and analytics...

    Likes: MobAmuse, simwhi

    +1 -1 (+2 / -0 ) Share on Facebook
  • Yes that is my fear that end users will simply opt to switch off ads and/or analytics if given the option to do so. That will bring about the day where it will be near pointless to release free apps into Europe altogether of course. This will not end well regards that.
  • simwhisimwhi Member
    hgy29 said:

    However I bet most users will say no to ads and analytics...

    I totally agree with this.

    As an example, Google admob are putting the responsibility on app owners / publishers to obtain user consent. By default the SDK will provide targeted ads unless specified otherwise. This breaks the GDPR laws.

    Rather than removing ads completely, we would need the admob SDK to serve non-targeted ads by default.

    Likes: MobAmuse, hgy29, antix, jdbc

    +1 -1 (+4 / -0 ) Share on Facebook
  • Hopefully AppLovin has set it to 'false' by default in this case :P


    Privacy Settings

    AppLovin SDK requires that publishers set a flag indicating whether a user located in the European Union (i.e., EU/GDPR data subject) has provided opt-in consent for the collection and use of personal data.

    For users outside the EU, this flag is not required to be set in the SDK and if set, will not impact how the ad is served to such non-EU users.

    If the user has consented, please set the following flag to true.

    AppLovinPrivacySettings.setHasUserConsent( true, context );
    If the user has not consented, please set the following flag to false.

    AppLovinPrivacySettings.setHasUserConsent( false, context );
    Additionally, if the user is known to be in an age-restricted category (i.e., under the age of 16) please set the following flag to true.

    AppLovinPrivacySettings.setIsAgeRestrictedUser( true, context );
    If you are using an approved 3rd party mediation provider (MoPub, Ironsource, etc), they will facilitate the setting of these flags via the AppLovin adapters. Contact them directly should you have questions.

    AdMob mediation requires the developer to set these flags themselves. See the AdMob integration section for details.
  • SinisterSoftSinisterSoft Maintainer
    It's not a consent for ads or not, it's a consent to store the personal data.

    The consent flag is just so that the advert providers are allowed to keep personal tracking data if the person is in the EU. For the time being just always setting that to false/no will do. The person will get ads but they will not be personalised (if they are in the EU).

    In reality you should never set it to true, so you never need consent. If you do get consent and set it to true then the whole of GDPR falls on you. You will need to have a way of erasing the data (the right to be forgotten) and also a way of returning what data you have to the user in a machine readable file. This would be a nightmare in a game.

    Likes: simwhi

    +1 -1 (+1 / -0 ) Share on Facebook
  • SinisterSoftSinisterSoft Maintainer
    So, no need for gideros to have a switch to turn plugin on/off at runtime. Just have the ads libs and analytics libs say no to consent all the time.

    Likes: antix, MobAmuse, simwhi

    +1 -1 (+3 / -0 ) Share on Facebook
  • antixantix Member
    @SinisterSoft, so the ads still get shown and the end user doesn't have to do anything right?
  • simwhisimwhi Member
    edited May 2018
    @SinisterSoft This sounds the right way to go. Who wants to be caught up in this GDPR nightmare.

    The only question I have now is that how do we easily determine if a user is located in an EU country? Is it even possible to do this? Perhaps we just opt-out for all users globally.

    Here's some potentially useful information: https://stackoverflow.com/questions/3659809/where-am-i-get-country?utm_medium=organic&utm_source=google_rich_qa&utm_campaign=google_rich_qa

    And this link for admob consent SDK: https://developers.google.com/admob/android/eu-consent
  • hgy29hgy29 Maintainer
    @SinisterSoft, that's assuming that ads or analytics libs actually implement a consent switch

    Likes: MobAmuse, simwhi

    +1 -1 (+2 / -0 ) Share on Facebook
  • Yes I fully understand all of this now, but I think we are assuming that the various providers have supplied a switch and if they have, that it is indeed default 'false'. I bet some of them are default 'true'. Chartboost don't appear to have any switch at all on first looks and I am going to check the AppLovin sdk soon to see if I can see if it's set 'false' by default if I possibly can.

    All very grey!
    +1 -1 (+3 / -0 ) Share on Facebook
  • simwhisimwhi Member
    @hgy29 I know that Google have provided the consent SDK recently for Admob but as for the SDKs I have no idea.

    With regard to analytics, I think we can ask for consent otherwise disable it.
  • SinisterSoftSinisterSoft Maintainer
    I think most are implementing consent switches with default false. They check if the user is within the EU - they are responsible as both roles as they both store and manipulate the data - the game is simply a conduite to the data.

    In fact it's their routines and their system that stores the data, manipulates, processes it, etc - I'm wondering if technically we have any responsibility at all (for ads).

    Analytics may be a different thing as we supply some of the content - eg 'Clicked an powerup'.

    In any event, if we always set the privacy switches to 'no consent' then data for analytics and ads will be anonymised if in the EU.

    Likes: MobAmuse, simwhi, antix

    +1 -1 (+3 / -0 ) Share on Facebook
  • SinisterSoftSinisterSoft Maintainer
    Ads and Analytics providers who say they are GDPR ready and don't provide a switch must have a system of tracking user data anonymously OR they have a switch system actually in the advert itself. EG Chartboost.
  • hgy29hgy29 Maintainer
    Analytics are currently enabled at the start of the app, even if you don't log events yourself. Don't know for other analytics tools but Firebase now has a runtime switch to enable data collection. I'll add it to gideros plugin in a future version.

    About ads, that upcoming consent switch should be exposed to lua. What about a ads:allowPersonalDataCollection(true/false) kind of call ? If the actual ad provider doesn't provide a switch then gideros could decide to disable the use of that ad provider (by not loading its libs at all) depending on wether it collects personal data or not

    Likes: MobAmuse, simwhi

    +1 -1 (+2 / -0 ) Share on Facebook
  • simwhisimwhi Member
    @SinisterSoft How can we determine reliably if the user is based in an EU country?
  • Looks like it falls back to false if null input...

    public static boolean hasUserConsent(Context paramContext)
    Boolean localBoolean = ac.a(paramContext);
    if (localBoolean != null) {
    return localBoolean.booleanValue();
    return false;
  • simwhisimwhi Member
    We are currently removing ads (admob) and analytics (flurry) from all of our apps as a temporary solution. I don't like the idea of a 20 million Euro fine. It's really annoying as we do not process users' data in any way other than using analytics to gain insight into how the app is being used. We cannot identify a specific person from this data.

    From our understanding you can't assume non-consent. However, we are not 100% on this but we would rather err on the side of caution.
Sign In or Register to comment.