We need to answer questions like:
- How many enemies has the player defeated when he reached level 5?
- What's the win/loss ratio for his fights?
- In which cities are the most players?
The game doesn't have user accounts; there is no registration. I plan to collect the data by sending events like "Player $X has found 250 gold" where X is a randomly generated ID that is stored only on the device and cannot be seen by the user. The server that receives these events can tie the string of events together to answer the questions above.
Here's the challenge:
Is this personal data? I think so, as the ID of the user uniquely identifies the user.
What if a user requests a copy of the data collected about him? I'd like to say that we cannot provide it, as it has been anonymized. However, in theory it would be possible to "de-anonymize" the data by retrieving the ID from the installed app.
So are we forced to offer the option to retrieve the ID from the installed app, just to make it possible to de-anonymize the data, so that a user can retrieve a copy?
Technically it looks like the collected events are personal data. But in reality, it's nothing "personal" like names, payment details, whatever online shops and social networks collect, just a log of game events. If we send this data back to the user, we would leak implementation details of the game, which we'd rather keep hidden from competitors and users.
Must the data collection be opt-in? Or can we require it? Just hoping that enough players share the game data doesn't seem viable. Without enough data, we cannot balance the game.
Is anyone else here in a similar situation? What do you do?
(Shortened cross post from reddit.com/r/gamedev)