Unity, GDPR and Data Privacy – FAQ
On May 25, 2018, the General Data Protection Regulation (GDPR) came into effect in the European Economic Area (EEA). This new regulation builds on the data privacy regulations in place in the EEA since 1995. The GDPR provides specific protections for individuals in Europe on how their data may be collected, moved, stored and processed.
Last Updated: June 15, 2018
Unity is committed to the responsible collection and use of player data – and enhancing privacy safeguards. As such, if you are a developer or publisher that uses Unity Ads, Unity Analytics or any other Unity service, you can be confident that Unity is committed to GDPR compliance and can assist you with your technical implementation, including collaborating with your privacy and legal teams, so that you are aware of, and have confidence in, our GDPR implementation.
If you are a player of games made with Unity, or if you see ads in other games that are served by the Unity Ads SDK, by default we collect gameplay and device data. This data allows game developers and publishers to tune their games for player devices and to serve players with relevant advertisements about other games, movies and/or products that may interest them. These ads enable the developers and publishers to offer free-to-play games.
To clearly explain how Unity complies with the GDPR – and how this impacts developers, publishers, and players – we have provided answers to common questions below. We update this FAQ as necessary. Contact us at GDPR@unity3d.com if you have questions not covered below.
What kind of player data does Unity collect and what does Unity use it for?
If a game developer or publisher enables Unity Ads or Unity Analytics for their game, we collect data such as device type, country, device language, in-game behavior and purchases, IP address, Apple’s Advertising Identifier (IDFA), and Google Play advertising ID. This information helps developers and publishers tailor games and ads for players and their devices, such as providing ads designed for specific device types, player languages, and game preferences.
Why provide advertising at all?
A great deal of creativity and resources go into making all games. Developers and publishers can provide free-to-play games because advertising helps cover their costs. Unity tailors ad types and frequency so players have a better experience (for example, by seeing fewer but more relevant ads). This also allows advertisers to serve the most pertinent ads to players.
Does Unity collect what the GDPR refers to as “special categories” of personal information about players, such as political, religious, or sexual orientation?
No. Unity only collects gameplay and device information. Unity does not collect these special categories of personal information.
How does Unity assure GDPR compliance?
Unity Ads provides an SDK designed to help you achieve GDPR compliance (see the section below for more information), as well as the Unity Data Privacy Plug-in for customers not showing Unity ads. Additionally, Unity provides other resources to Unity game developers and publishers so they can provide players with a simple way to learn about and set their Data Privacy option. Unity also works closely with other partners to ensure they are aware of these resources.
How are players able to opt-out of data collection?
What happens if a player opts-out of data collection?
On a per-game basis, the player’s data is deleted and the player only sees random, non-targeted ads or ads based solely on contextual data.
Are players able to opt-in or opt-out of data collection at any time?
Yes. Each time a Unity ad appears in a game, players can access and change their privacy setting via the Info “ℹ” icon on the Unity ad. Depending on the game, players may see our Data Privacy icon, which also gives them access to their settings.
The Unity Data Privacy icon
As a player, how can I see the information a game has about me through Unity?
For any game that has implemented the Unity Data Privacy Plug-in, you can click or tap the link and then select “I would like to see my data.” This may take up to 24 hours to process.
Unity Ads and Unity Analytics
Is Unity classified as a processor or a controller when processing data under the GDPR?
Unity is a controller of player data that we collect via Unity Ads and Analytics.
Why does Unity provide an opt-out option? Is this opt-out consent?
The opt-out option that players see in the Privacy dashboard is not related to consent, but rather the right players have to object to data collection. It gives them the ability to object to our targeting, as called for in the GDPR. Because we have legitimate interests as a legal basis for our data processing, we do not require consent.
Most other ad platforms function only as an SDK, meaning that they gather data and profile users for the purpose of advertising. This kind of in-game advertising (without any additional purpose) requires opt-in consent as its legal basis.
Since Unity’s technology and ad platform comprise SDKs, plugins, and the Unity engine itself, our data collection and usage serve legitimate interests beyond just ads. Data such as crash reports, bug fixes, and user-user communication, etc., are of legitimate interest to our gamers and developers.
We recognize that some of our advertisers, publishers, partners, or developers might need a consent option for other data that they collect. Since we make tools for more than just ourselves, and want to support everyone with whom we work, we may be able to help. Contact your Account Manager for more information. If you do not have an Account Manager, please contact firstname.lastname@example.org.
What do I need to know about HW Stats in regards to the GDPR?
HW Stats collects certain identifiers that are unique to the device but are not used to track or profile users. The unique identifiers are pseudonymized and aggregated for statistical purposes (not related to “profiling” users). Unity processes this data on the basis of our legitimate interest. While these Unity developers do not make use of the analytics service, they should implement the Unity Data Privacy Plug-in to make it easy for their players to exercise their GDPR rights.
As a developer or publisher, do I need a new Data Processing Addendum (DPA) with Unity?
Unity Legal updated its terms by adding Controller-Controller DPAs for the GDPR. The Unity Terms and Conditions for services provide appropriate references to these addenda as well. Please note that later in 2018, Unity will send certain enterprise customers an additional DPA to reflect that organization accounts owned by them will require us to receive their instructions with regard to deletions. At this time, the accounts are not always structured as clearly belonging to the organization, and we are processing requests as a Controller while this matter is rectified. Also note that your organization administrators will be contacted by our Privacy team to assure these requests are processed in accordance with the data subject’s rights under the GDPR; however, we will work with you to assure this has minimal impact on your projects.
As a publisher, what should I do to be transparent with my players?
As a publisher, do I need to obtain consent from players about targeted advertising?
Unity provides opt-out choices for behaviorally targeted advertising from anyone who sees a Unity ad. If you are not exclusively using Unity Ads, Unity can handle this for you through your mediation partners. Contact your Account Manager for more information. If you do not have an Account Manager, please contact email@example.com.
How can I let Unity know that I have obtained consent for targeted ads from my players outside of the Unity platform?
Unity gives publishers the ability to indicate that they have obtained consent from their own systems. If you would like to let Unity know that you have obtained consent outside Unity, please contact your Account Manager. If you do not have an Account Manager, please contact firstname.lastname@example.org.
As a publisher, do I need to update my Unity Ads SDK?
If you are using Unity Ads SDK 2.0 or newer, GDPR-related changes are automatically available to you. If you are using SDK 1.5 or older, we recommend that you update the SDK; otherwise, Unity can only serve contextual ads for your players.
What does opting-out of Unity Analytics mean for a player?
Players can opt-out of Unity Analytics on a per-game basis. If a player chooses to opt-out, Unity Analytics will no longer optimize game experiences based on their in-game behaviors.
How do I make my game compliant with the GDPR?
We have created tools to help with your GDPR compliance. As such, if you made your game with Unity, we recommend you implement the Unity Data Privacy Plug-in.
How does Unity treat COPPA under the GDPR?
Unity does not combine data from COPPA apps with any other apps for targeting or insights purposes.
What data does Unity Analytics collect?
Unity Analytics collects gameplay and device information from players who play games made with Unity. The only Personally Identifiable Information (PII) collected is device ID and IP address. The other data collected includes hardware specs, usage data, in-app purchase behavior, and custom event data (if applicable).
What does the Unity Data Privacy Plug-in do?
The Unity Data Privacy Plug-in generates a link inside your game that redirects the player to a webview where they can opt-out of data collection as well as delete existing data. It also allows players to view the relevant information that has been collected about them.
How can I access and implement the Unity Data Privacy Plug-in?
What versions of Unity does the Unity Data Privacy Plug-in support?
The Unity Data Privacy Plug-in supports versions 4.7, 5.2, 5.6, 2017.1+, and 2018.1+.
When I implement the Unity Data Privacy Plug-in, do players need to update their app to see the link?
Yes. The plug-in requires a new build, which means players need to update their app.
If I have implemented the Unity Data Privacy Plug-in for one game, do I have to do so for my other games?
Yes. Players can opt-out of data collection on a game-by-game basis.
Unity Collaborate, Cloud Build, Performance Reporting, and Bug Reporting (Alpha)
In the context of Developer Services and the data it collects, is Unity a processor or controller of data?
Unity is the processor of the data and the customer (“developer”) is the controller of the data.
How does Developer Services handle PII data?
In regards to Personally Identifiable Information (PII), Developer Services maintains a Name/Public User ID in the form of project history. For example, when a developer makes a change to a project, that change is recorded and communicated to other team members. To “forget” that user, Developer Services provides functionality allowing a developer to “mask” their historical activity upon request.
What creator data is collected by Developer Services?
Developer Services collects project-related data such as project assets, code, developer activity, and credentials, as provided to Unity by the developer.
How does Developer Services use the data?
We use the data provided by the developer (who is the controller of the data) to fulfill tasks and services that the developer chooses. For example, tasks and services include:
- Project assets stored in Cloud Storage to secure files and enable Collaborate features.
- Developer activity recorded by Unity to show and manage the historical state of a project in Collaborate.
- Project credentials to access project assets and automatically create builds for the developer via Cloud Build.
How long does Developer Services retain the data?
We retain project data, including backups, for a finite period. The retention policy varies depending on the nature of the primary service processing it. A developer can manually delete data at any time via features provided by the service, or by contacting Unity at support.unity3d.com.
In addition to using data to deliver services that the developer has opted into, Unity may also use data to identify and target individual developers to further the Unity business, including requests for product feedback and exposure to marketing materials. Developers have the ability to opt-out of these communications.
What player data is collected by Developer Services?
Through reporting features – Performance Reporting, Bug Reporting (Alpha) – Developer Services collects error reports generated by an application made with Unity and information about the device it was collected on. Device information includes data that could be considered personal data (machine ID), but this information is anonymized before it is retained.
In some cases, a developer may send PII to Unity inadvertently. For example, with features provided via Bug Reporting, a player could share a screenshot that includes the player’s in-game name. Unity does not identify or data-process information collected in this fashion.
How do I inquire about a GDPR-related issue concerning Developer Services?
You can create a ticket at support.unity3d.com and your request will be acknowledged and prioritized.
Unity ID and Unity Profile
What is a Unity ID?
A Unity ID is your developer user account with Unity. Your Unity ID allows you to connect with your Unity teams and resources, and securely control access to Unity services for you and your team members.
What is a Unity Profile?
A Unity Profile is your public identity within the Unity ecosystem and community. It’s how you define who you are and how others see you. With it, you can access Unity Connect community features such as Unity Connect Groups and Messenger. Contact us at DPO@unity3d.com if you have questions about your Unity Profile.
What changes did you make to comply with the GDPR?
There are new security and privacy options accessible via the Unity ID (id.unity.com).
What privacy settings did you implement for the GDPR?
All Unity creators have access to a new privacy panel found at id.unity.com/privacy/edit. From there, you can directly access our services that have potential privacy choices for you to make via a link to the respective service’s privacy profile settings. In the future, we will migrate these options to the Unity ID privacy panel.
What security settings did you implement for the GDPR?
All Unity creators have access to a new security panel found at id.unity.com/security. Here you can manage your 2-factor authentication settings as well as see your most recent sessions beside the associated IP address.
How can I delete my Unity ID?
In the Settings > Account Management section of your Unity ID, you can delete your Unity ID yourself or request that we do it for you. This process shouldn’t be taken lightly, however, as once your Unity ID is deleted all your personal information will be removed from many of Unity’s applications and services, including content you have created in connection with your Unity ID.
What information do you collect from my profile?
We collect the following types of information:
- Profile information: We collect information about you when you register and fill out your account, which includes information such as your full name, email, experience, skills, and role. Your contact information is not publicly visible. You also have the option of adding a display name, experience, profile photo, role, and other details to your profile to be displayed on your public profile.
- Content you share: We collect and store content you post, send, receive, and share on our sites (e.g., articles or comments you have posted).
- Content you provide: We collect content you share on the site, including submitted feedback, surveys, contests, and promotions.
- Content you interact with: In order to serve more relevant content, we collect information about content and users you interact with on the site. An example would be any users you follow on Unity Connect or any projects you “like,” which we use to recommend similar projects and users.
What does Unity use this information for?
Unity uses information we collect to improve user experience and our services. For example:
- To personalize your experience: We use this information to provide a more custom experience. For example, if you follow a user, when that user posts new content, you are more likely to see their content in your feed.
- To do research and product development: We use some of the information to better understand our community and improve our existing services. We always strive to improve our services. To accomplish that, we collect learnings about users such as activity, purchase behavior, and overall usage.
- To communicate with you about major updates: To keep you up to date about service changes, we use your contact information to send transactional emails about changes that will affect your experience with our service (e.g., communications about new features or new contests).
How does Unity share information it collects?
We share this information with:
- Other users: Our service is a community platform, meaning that certain information is shared with other members of the community. When you use our service, we share certain information you have added to your public profile with other users. You can create and publish content that can be seen and shared by other users.
- Third parties: We share information with third parties to better operate, customize, and market our services.
- Unity Connect employers: We promote featured profiles and projects to employers on the site through our monthly newsletters.
- Unity Connect contest partners: We share submissions for contests with partners who are recognized as a sponsor of the contest. In order to provide support for contests, we provide access to discussion channels and groups for contest partners to be able to answer questions regarding submission criteria for contests. After a contest has been judged, personal contact information for contest winners is provided to partners in order to be able to distribute prizes.
How do I access and control my information?
To update your current information, click My Profile when you log in to your Unity Connect profile. To manage your privacy and notification settings, go to Unity Connect settings while logged into your profile.
How do I opt-out of data processing?
To opt-out of data processing services, go to Unity Connect settings and, under Privacy Settings, specify your data collection and processing choices. You can toggle on or off recommended jobs, tasks, projects, and people based on your interactions on Unity Connect.
What if I don’t want a Unity Connect profile?
If you would like to delete your profile, contact email@example.com.
Unity Asset Store
Currently, users of Unity Connect and the Asset Store have separate public profiles. These profiles will be merged and hosted on Unity Connect in an upcoming migration to make it simpler for users to access their privacy settings and modify all of their public-facing information.
What information do you collect from my profile?
We collect the following types of information:
- Profile information: We collect information about you when you register and fill out your account, which includes information such as your full name, email, and billing information.
- Content you share: We collect information on content you share on the site (e.g., a list of assets you have curated, a wish list you have created, or reviews you have posted on downloaded assets).
- Content you provide: We collect information on the additional content you provide on the site, including submitted feedback, surveys, and promotions.
- Content you interact with: In order to serve more relevant content, we collect information about content you interact with and purchase on the site.
- Content you provide: We collect information on the assets you publish on the site such as images and descriptions of your assets. Additionally, we track the total number of downloads in order to provide you with reports on SKU performance to pay out your royalties.
What does Unity use it for?
Unity uses information we collect in order to improve user experience and our services. For example:
- To personalize your experience: We use the information collected about you to provide a more custom experience. For example, we use your purchase history to recommend more relevant assets to you.
- To do research and product development: The information we collect helps us understand how we can improve the site. We collect anonymized learnings about users such as downloads, activity, purchase behavior, and overall usage.
- To communicate with you about major updates: In order to keep you up to date about service changes, we use your contact information to send transactional emails about changes that will affect your experience with our service (e.g., communications about our monthly newsletter, promotions, and to let you know about new features on the site).
- To market our services: The information we collect is used to promote our services. For example, we use user reviews and thumbnails on Asset Store listings to promote some assets on the site and via email campaigns.
How do we share the information we collect?
We share this information with:
- Other users: Your public profile information is visible to other users. Any content you submit to the site, such as reviews, is visible to other users on the site.
- Third parties: We share information with third parties in order to better operate, customize, and market our services. We provide this information to assist Providers (Publishers) with fulfilling your purchase(s) and, in the case of our Asset Store partners, to allow them to contact you about new products and services. To clarify, we provide this information for a limited number of partners who license their SDKs through the Asset Store.
How do I access and control my information?
To update your current information and manage privacy and notification settings, go to your Asset Store Account settings. To update your Provider (Publisher) information, go to your Asset Store Publisher settings.
If you have any questions not addressed above, please contact us at GDPR@unity3d.com.