GDPR Checklist for Mobile Games

We help you achieve compliance for your mobile games with the GDPR and the ePrivacy Directive. Don’t risk your monetization.
Published by Usercentrics
Mar 30, 2022

Gaming app developers and publishers are putting more money into user acquisition (UA) than ever before. Yet many have also seen year-over-year declines in the wake of Apple's App Tracking Transparency (ATT), whose consent prompts can make it harder for marketers to earn from in-app advertising (IAA).

Tracking technologies are important tools in the monetization strategies of many games. But a lot of companies struggle to reconcile that strategy with user experience and changing privacy requirements (e.g. the EU's GDPR and ePrivacy Directive, and the CNIL's enforcement focus on apps).

Meanwhile, good consent management can help you reap a range of low-hanging fruit, such as optimized opt-in rates and increased monetization, better contextual ads, and trust with premium brands.

Enjoy Plug and Play compliance with next level monetization for all app stores.

Your Toolkit for Compliance

This toolkit provides an easy and comprehensive step-by-step guide to bring your marketing data strategy for your mobile games into alignment with the GDPR and the ePrivacy Directive. Using the checklist will also help to minimize your exposure to regulatory penalties or the risk of app store removal or data loss.

Step 1: Conduct an audit of your mobile game

  • Identify all SDKs installed in your games
  • Document the scope of each third-party technology: what data it accesses (e.g. AAID, IDFA, IP address) and why
  • Make sure each third-party technology can receive and apply the user's GDPR consent choice
  • Avoid access to persistent identifiers (e.g. IMEI and device number)
  • Limit your mobile game's permission requests to those essential to run your service

Step 2: Explain what the tracking technologies are doing and why in a comprehensive privacy policy

  • Inform users about what data are collected, how and why in the privacy policy
  • Check relevant data protection laws for further details
  • Ensure the privacy policy is updated and is easy to find, read and understand for the average user

Step 3: Let users know you are using tracking technologies (e.g. SDKs) via a consent banner

  • Show a consent banner before any SDK starts collecting data
  • Ensure that you inform users and receive valid consent (see Step 4), especially for non-essential technologies (e.g. marketing, monetization, mediation, attribution)
  • Collect consent again every time technologies in use change
  • Inform users about the purpose of each SDK separately in the consent banner

Step 4: Obtain valid user consent per the GDPR

In order for consent to be valid it has to be:

  • Explicit: active acceptance, e.g. ticking a box or clicking a link
  • Informed: what, why, by whom, for how long
  • Documented: ensure you can provide proof of consent in the case of an audit (see Step 7)
  • In advance: no data can be collected before opt-in, e.g. SDKs cannot "fire" before the user's consent has been passed to them
  • Granular: individual consent options for each purpose must be offered – consent cannot be bundled to cover other purposes or activities
  • Freely given: "Accept" and "Reject" options, e.g. button or link
  • Easy to withdraw: easy access to change consent preferences in the future (see Step 8)

Step 5: Enable users to access your service even if they do not consent to tracking technologies

  • If a user refuses data processing, no non-essential tracking may collect data; essential tracking technologies needed for the game to function can keep operating
  • Ensure users can still access your game even if they refuse the use of tracking technologies; blocking them can be a discriminatory action

Step 6: Collect and process data only after obtaining valid consent

  • Ensure that SDKs are not loaded until the user has given consent
  • Once you have obtained valid consent, you can collect and process personal data (e.g. AdID, IDFA) for the purposes that users have been informed about

Step 7: Document and store consent received from users

  • Comply with your documentation obligation and ensure you are able to verify users' consent in case of an audit by a data protection authority (DPA)
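The consent gating described in Steps 3, 4, 6 and 7, as an added illustrative example (not Usercentrics code, and not a real SDK integration): a small Python consent manager that only lets non-essential SDKs start after an explicit per-purpose choice, re-prompts when the SDK inventory changes or the consent expires, records withdrawal, and keeps a timestamped history as audit evidence. The SDK inventory, purpose names and 365-day validity are constructed assumptions.

```python
import hashlib, json
from datetime import datetime, timedelta

# Constructed SDK inventory from a Step 1 audit: sdk -> (purpose, essential for the game to run)
SDK_INVENTORY = {
    "crash_reporter": ("functional", True),
    "ad_mediation": ("monetization", False),
    "attribution": ("attribution", False),
}

def inventory_fingerprint(inventory):
    """Hash of the SDK/purpose set; a different hash means consent must be collected again."""
    canonical = json.dumps(sorted((sdk, p) for sdk, (p, _) in inventory.items()))
    return hashlib.sha256(canonical.encode()).hexdigest()

class ConsentManager:
    def __init__(self, inventory, policy_version, validity_days=365):
        self.inventory = inventory
        self.policy_version = policy_version
        self.validity = timedelta(days=validity_days)
        self.purposes = sorted({p for p, essential in inventory.values() if not essential})

    def needs_prompt(self, record, now):
        """True when there is no record, the SDK set changed, or the consent has expired."""
        return (record is None
                or record["inventory_hash"] != inventory_fingerprint(self.inventory)
                or datetime.fromisoformat(record["expires_at"]) <= now)

    def record_consent(self, user_id, choices, now):
        """Store an explicit, granular choice per purpose; a missing purpose is not consent."""
        if any(p not in choices for p in self.purposes):
            raise ValueError("every non-essential purpose needs an explicit accept/reject")
        return {
            "user_id": user_id,
            "policy_version": self.policy_version,  # which privacy policy the user was shown
            "inventory_hash": inventory_fingerprint(self.inventory),
            "choices": {p: bool(choices[p]) for p in self.purposes},
            "given_at": now.isoformat(),
            "expires_at": (now + self.validity).isoformat(),
            "history": [("given", now.isoformat(), dict(choices))],  # proof for an audit
        }

    def withdraw(self, record, purpose, now):  # withdrawal is appended, never erased (Step 7)
        record["choices"][purpose] = False
        record["history"].append(("withdrawn", now.isoformat(), {purpose: False}))

    def sdks_allowed_to_start(self, record):
        """Essential SDKs always start (Step 5); the rest only with a positive recorded choice."""
        return sorted(sdk for sdk, (purpose, essential) in self.inventory.items()
                      if essential or (record is not None and record["choices"].get(purpose)))
```

Call `sdks_allowed_to_start` at launch and initialize only the SDKs it returns; a record that fails `needs_prompt` means the banner must be shown again before anything non-essential runs.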
