
Ask HN: GDPR and gaming analytics - kruuuder
We are working on a small smartphone game, to be released later this year. The game has RPG elements, so getting the game design right means balancing a lot of numbers. Now I'm wondering how we can collect this data while being GDPR compliant.

We need to answer questions like:

  - How many enemies has the player defeated when he reached level 5?
  - What's the win/loss ratio for his fights?
  - In which cities are the most players?

The game doesn't have user accounts, there is no registration. I plan to collect the data by sending events like "Player $X has found 250 gold" where X is a randomly generated ID that is stored only on the device and cannot be seen by the user. The server that receives these events can tie the string of events together to answer the questions above.

Here's the challenge:

Is this personal data? I think so, as the ID of the user uniquely identifies the user.

What if a user requests a copy of the data collected about him? I'd like to say that we cannot provide it, as it has been anonymized. However, in theory it would be possible to "de-anonymize" the data by retrieving the ID from the installed app.

So are we forced to offer the option to retrieve the ID from the installed app, just to make it possible to de-anonymize the data, so that a user can retrieve a copy?

Technically it looks like the collected events are personal data. But in reality, it's nothing "personal" like names, payment details, whatever online shops and social networks collect, just a log of game events. If we send this data back to the user, we would leak implementation details of the game, which we'd rather keep hidden from competitors and users.

Must the data collection be opt-in? Or can we require it? Just hoping that enough players share the game data doesn't seem viable. Without enough data, we cannot balance the game.

Is anyone else here in a similar situation? What do you do?

(Shortened cross post from reddit.com/r/gamedev)
======
nynno
From the [https://gdpr-info.eu/art-4-gdpr/](https://gdpr-info.eu/art-4-gdpr/):
"‘personal data’ means any information relating to an identified or
identifiable natural person (‘data subject’); an identifiable natural person
is one who can be identified, directly or indirectly, in particular by
reference to an identifier such as a name, an identification number, location
data, an online identifier or to one or more factors specific to the physical,
physiological, genetic, mental, economic, cultural or social identity of that
natural person;"

The central question for you should be: is it possible to identify a natural
person from the data you're processing? If it's randomly generated ID and if
no-one (including you and your employees) can identify an individual from that
ID (or other data you're storing/processing) then you should be on a safe
side, and GDPR should not apply to you.

However, if it is possible to identify an individual from the ID (other data),
then you should comply with the GDPR. In that case, you should determine a
lawful basis for processing (e.g., legitimate interest, consent), possibly ask
for consent, ensure that a data subject knows what his rights are (e.g., right
to be informed, to rectification, data erasure, etc.)

My favorite GDPR resource is:
[https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr](https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr)
For basics, take a look here:
[https://www.gdprhq.io/post/how-the-new-european-general-data-protection-regulations-gdpr-will-affect-your-business](https://www.gdprhq.io/post/how-the-new-european-general-data-protection-regulations-gdpr-will-affect-your-business)

~~~
kruuuder
Thank you for your comments.

"If it's randomly generated ID and if no-one (including you and your
employees) can identify an individual from that ID ..."

If this is the relevant criterion, that is, if it's practically possible to
deanonymize the data, I'd be in fact on the safe side.

However, theoretically, if someone would access the device of a user and
extract the user's ID (which would in practice require enormous efforts), the
data could be deanonymized. I'm wondering if there's a way to clarify that.

I will check your linked resources, maybe they clarify that.

------
kenbaylor
Start with the basics: Personal data (PD). The GDPR applies to 'personal data'
meaning any information relating to an identifiable person who can be directly
or indirectly identified in particular by reference to an identifier.

How is the consumer (data subject) linked to the ID? aka how does a human
prove ownership of the account (email address etc??) This is where your PD is.

The solution is pretty easy. You create a table where a user is mapped to an
ID. Then you create the rest of the game just as normal, only using the ID.

You WILL need a privacy notice showing data subject rights and detailing what
you are collecting and why, and other third parties that you share data with.
Also how to contact you to enforce those rights. This should be on the website
and wherever the game is (mobile app etc).

If there's a data request, you give them the mapping of their PD to your ID,
and that's really it.

If they invoke their right to be forgotten, then you update that row of the
table with something other than PD being mapped to the ID. Effectively, they
are forgotten.

You can collect data once you tell them what data you are collecting and why,
if you are relying on informed consent. They can either give it and play, or
not give it and not play.

~~~
kruuuder
I understand how the GDPR can be implemented, that was not my question.

My question is if/how I can implement gaming analytics without requiring the
user to opt-in (most wouldn't, but I need data to balance), and without
providing implementation details on request.

If I ask Blizzard for all personal data, will they provide me all World of
Warcraft event details related to my in-game character, nicely formatted in a
JSON, so that it conforms to Art. 20 GDPR: "Right to data portability"? I
don't think so. What will their solution look like?

------
kwillets
You have 30 days to respond to a data request, so the default GDPR behavior is
to delete all data within 30 days.

You also mostly want stat-significant aggregations, so if you take care to
keep those differentially private (only aggregate large groups etc.) you can
keep that data. Just make data persistence opt-in rather than opt-out, e.g.
delete all old files by default.
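As an added example (my own code, not from anyone in the thread), serving both kenbaylor's erasure point above and kwillets' retention and aggregation suggestion: raw per-player events are purged after 30 days or on an erasure request, and the balancing questions from the original post are answered only over groups of at least five players, with Laplace noise on the published city counts. The events, pseudonymous IDs, cities and numbers are constructed sample data.

```python
import math
import random
from collections import defaultdict
from datetime import datetime, timedelta

NOW = datetime(2018, 5, 25)  # constructed "current time" for the sample data

def ev(pid, days_ago, level, kills, city):
    """Build one 'level_up' event in the shape the original post describes."""
    return {"id": pid, "ts": NOW - timedelta(days=days_ago), "type": "level_up",
            "level": level, "kills": kills, "city": city}

# Constructed sample events: the pseudonymous IDs, cities and numbers are made up.
EVENTS = [ev("p1", 1, 5, 40, "Berlin"), ev("p2", 2, 5, 52, "Berlin"),
          ev("p3", 3, 5, 38, "Berlin"), ev("p4", 5, 5, 45, "Berlin"),
          ev("p5", 8, 5, 60, "Berlin"), ev("p6", 4, 5, 47, "Lyon"),
          ev("p7", 6, 5, 54, "Lyon"), ev("p8", 40, 5, 30, "Berlin")]

def purge_old_events(events, now=NOW, max_age_days=30):
    """Retention: drop raw per-player events older than max_age_days."""
    cutoff = now - timedelta(days=max_age_days)
    return [e for e in events if e["ts"] >= cutoff]

def erase_subject(events, pid):
    """Erasure request: drop every raw event tied to one pseudonymous ID."""
    return [e for e in events if e["id"] != pid]

def laplace_noise(scale, rng):
    """Sample Laplace(0, scale) by inverse CDF from a random.Random instance."""
    u = rng.random() - 0.5
    return -scale * math.copysign(1.0, u) * math.log(max(1e-12, 1.0 - 2.0 * abs(u)))

def avg_kills_at_level(events, level, min_group=5):
    """Mean enemies defeated on reaching `level`; None if the group is too small."""
    kills = [e["kills"] for e in events if e["type"] == "level_up" and e["level"] == level]
    return sum(kills) / len(kills) if len(kills) >= min_group else None

def players_per_city(events, min_group=5, epsilon=None, seed=0):
    """Players per city (first-seen city, so each player counts once: sensitivity 1).
    Cities below min_group are suppressed; with epsilon set, the rest get
    Laplace(1/epsilon) noise so an exact count is never published."""
    city_of = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        city_of.setdefault(e["id"], e["city"])
    counts = defaultdict(int)
    for city in city_of.values():
        counts[city] += 1
    rng = random.Random(seed) if epsilon is not None else None
    out = {}
    for city, n in counts.items():
        if n >= min_group:
            noise = laplace_noise(1.0 / epsilon, rng) if rng is not None else 0.0
            out[city] = max(0, round(n + noise))
    return out
```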

------
usgroup
Keep the analytics on the device. Collect them until you have a whole bunch of
data. Then send it all at once.

That way you don't need to send a UID in order to know what's related to what
and thus all data is non-PII.
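An added example (my own code, not usgroup's) of what keeping the analytics on the device looks like: the "enemies defeated when reaching level 5" join happens locally, so the upload carries aggregates and no player or device ID, and the server only sums batches. The city field and the event values in the test are constructed.

```python
import json
from collections import Counter, defaultdict

class OnDeviceStats:
    """Counters kept on the phone; the join between kills and level-ups
    happens here, so nothing has to be correlated on the server."""
    def __init__(self):
        self.level = 1
        self.kills = 0
        self.fights = Counter()        # "win" / "loss" counts
        self.kills_at_level = {}       # level reached -> kills at that moment

    def enemy_defeated(self):
        self.kills += 1

    def fight(self, won):
        self.fights["win" if won else "loss"] += 1

    def level_up(self):
        self.level += 1
        self.kills_at_level[str(self.level)] = self.kills  # str keys survive JSON

    def batch(self, city=None):
        """Upload payload: aggregates only, deliberately no player or device ID."""
        return json.dumps({"kills_at_level": self.kills_at_level,
                           "fights": dict(self.fights), "city": city}, sort_keys=True)

def merge_batches(payloads):
    """Server side: answer the original post's three questions from ID-less
    batches. Without an ID, a device that uploads twice is counted twice;
    that is the price of not sending one."""
    kills, fights, cities = defaultdict(list), Counter(), Counter()
    for raw in payloads:
        b = json.loads(raw)
        for lvl, k in b["kills_at_level"].items():
            kills[int(lvl)].append(k)
        fights.update(b["fights"])
        if b["city"]:
            cities[b["city"]] += 1
    total = fights["win"] + fights["loss"]
    return {"avg_kills_at_level": {l: sum(v) / len(v) for l, v in kills.items()},
            "win_rate": fights["win"] / total if total else None,
            "players_per_city": dict(cities)}
```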

