Unity GDPR Position and Requirements for Third-Party Partners

On May 25, 2018, the European Union's General Data Protection Regulation (GDPR) comes into effect. We encourage you to read Unity’s Statement on GDPR Readiness to see Unity’s overall position and approach to GDPR compliance.

In complying with GDPR, players of games made with Unity, and players of other games who see ads served by the Unity Ads SDK, will be able to opt out of data collection on a game-by-game basis. Players will be able to change their privacy settings any time they see an ad, with links and easy access to Unity’s Privacy Policy. Players who opt out of data collection will still see ads, but these ads will be random and not tailored to the player. All Personally Identifiable Information (PII) associated with a player who opts out will be stripped.

This document outlines Unity’s GDPR-readiness requirements for third-party providers (“partners”). There are two important requirements:

If you are a partner who is integrated directly with Unity via oRTB:

Readiness to receive an update to the OpenRTB request spec

Once a GDPR-affected user has opted out, bid requests for that user’s device will carry a “gdpr” flag in the regs.ext object, and all PII (IDFA, AAID, IP address, etc.) is stripped as outlined below (the fields that change are marked with comments):

{
  "id": "2IzklKGkMUlKSQUnuly47G",
  "at": 2,
  "tmax": 200,
  "imp": [
    {
      "id": "1",
      "secure": 1,
      "instl": 1,
      "tagid": "15939-video",
      "video": {
        "mimes": [ "video/mp4" ],
        "minduration": 15,
        "maxduration": 30,
        "protocols": [ 2, 3, 5, 6 ],
        "sequence": 1,
        "linearity": 1,
        "pos": 7,
        "battr": [ 1, 3, 5, 6, 8, 9, 13 ],
        "w": 200,
        "h": 200
      }
    }
  ],
  "app": { "id": "1", "bundle": "com.unity3d.ads.example" },
  "device": {
    "ifa": "",            // GDPR cleared out
    "make": "Dell",
    "model": "Venue 8 7840",
    "lmt": 0,
    "ua": "Mozilla/5.0 (Linux; Android 5.1; Nexus 6 Build/LMY47D; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/56.0.2924.87 Mobile Safari/537.36",
    "os": "android",
    "ip": "",             // GDPR cleared out
    "devicetype": 4,
    "carrier": "sprint",
    "osv": "7.1",
    "hwv": "Dell Venue 8 7840",
    "geo": {              // GDPR cleared out
      // "lat": (not available with opt-out),
      // "lon": (not available with opt-out),
      // "type": (not available with opt-out),
      "country": "USA"    // still available
      // "city": (not available with opt-out),
      // "utcoffset": (not available with opt-out)
    },
    "connectiontype": 3,
    "language": "en",
    "h": 1184,
    "w": 768
  },
  "regs": {
    "coppa": 0,
    "ext": {
      "gdpr": 1           // 1 means the user opted out and the request is subject to GDPR regulations
    }
  },
  "ext": { }
}
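As an added example (not Unity’s code), the following Python shows the check a partner’s bidder can run on an incoming request before it is logged or matched to a profile: it recognises the regs.ext.gdpr flag, lists any PII fields that are still populated, and refuses targeting on opt-out requests. The sample request and the field names outside the spec above are constructed for the example.

```python
import copy
from typing import Any, Dict, List, Tuple

# Constructed sample (not captured traffic): a trimmed opt-out request in the shape shown above.
SAMPLE_OPT_OUT_REQUEST: Dict[str, Any] = {
    "id": "2IzklKGkMUlKSQUnuly47G", "at": 2,
    "imp": [{"id": "1", "video": {"mimes": ["video/mp4"]}}],
    "app": {"id": "1", "bundle": "com.unity3d.ads.example"},
    "device": {"ifa": "", "ip": "", "os": "android", "language": "en",
               "geo": {"country": "USA"}},
    "regs": {"coppa": 0, "ext": {"gdpr": 1}},
}

# Device fields cleared on opt-out (IDFA/AAID arrive in device.ifa, the IP address in device.ip).
PII_DEVICE_FIELDS = ("ifa", "ip")
# Geo sub-fields cleared on opt-out; geo.country is still delivered.
PII_GEO_FIELDS = ("lat", "lon", "type", "city", "utcoffset")


def is_gdpr_opt_out(req: Dict[str, Any]) -> bool:
    """True when regs.ext.gdpr == 1: the player opted out and the request is subject to GDPR."""
    return req.get("regs", {}).get("ext", {}).get("gdpr") == 1


def residual_pii(req: Dict[str, Any]) -> List[str]:
    """List the PII fields still populated on an opt-out request (expected to be empty)."""
    dev = req.get("device", {})
    found = [f"device.{k}" for k in PII_DEVICE_FIELDS if dev.get(k)]
    geo = dev.get("geo", {})
    found += [f"device.geo.{k}" for k in PII_GEO_FIELDS if geo.get(k) not in (None, "")]
    return found


def sanitize_for_processing(req: Dict[str, Any]) -> Tuple[Dict[str, Any], bool]:
    """Partner-side guard run before the request is logged or matched to a profile.

    Returns (request, targeting_allowed). On opt-out requests any residual PII is dropped
    and targeting_allowed is False, so only a random, untargeted ad may be returned."""
    if not is_gdpr_opt_out(req):
        return req, True
    cleaned = copy.deepcopy(req)
    dev = cleaned.setdefault("device", {})
    for k in PII_DEVICE_FIELDS:
        dev.pop(k, None)
    for k in PII_GEO_FIELDS:
        dev.get("geo", {}).pop(k, None)
    return cleaned, False
```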

If you do not want to receive requests from players who have opted out of targeted advertising and therefore have no PII associated, please contact ads-partners@unity3d.com and we will configure your preference in our system.

If you are a partner who receives PII data from Unity’s bid request or other data products:

Readiness to receive opt-out/deletion requests via an endpoint

In order to continue receiving requests for GDPR-affected users, partners must be ready to receive an opt-out/deletion request via an endpoint and to confirm receipt with a 200 OK response.

Upon receipt, we require complete deletion of that user’s data received from Unity Ads. This removal should affect all systems and subsystems within the partner’s ecosystem. Please note that your Data Processing Addendum, which will be distributed next week, will require this compliance measure.

The opt-out deletion request protocol is described as follows:

  • Unity and the partner will communicate over HTTPS, so the partner needs to set up a highly available HTTPS endpoint.
  • Unity will send opt-out deletion requests as HTTP POST requests.
  • The POST body will follow this structure:

{
  "id": "xxx",          // version 1 UUID identifying the request
  "idfa": "xxxxxx",     // IDFA of the user
  "opt-out": true,      // boolean flag indicating the user opted out
  "ts": "1524785925"    // unix timestamp
}

  • If the partner responds with HTTP status code 200, Unity considers that the partner has received the request and will delete the user data associated with the provided IDFA.
  • If the partner has not seen the IDFA before, the partner should still respond with HTTP status code 200 to the opt-out deletion request. Code 200 acknowledges receipt of the message and understanding of the intent to delete.
  • If the partner responds with a non-200 HTTP status code, Unity will retry the request for a period of time until it receives HTTP status code 200.
  • Any long-term failure to return HTTP status code 200 will designate the partner as non-compliant, and Unity will shut off the traffic or data products affected by GDPR.
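As an added example (not Unity’s code), here is a framework-agnostic Python handler for the opt-out deletion protocol above: it validates the POST body, applies the deletion across the partner’s store before answering, returns 200 whether or not the IDFA was known, and stays idempotent so Unity’s retries are harmless. The store class, the sample body and the choice to answer malformed bodies with 400 (so they are retried and can be investigated) are assumptions made for the example.

```python
import json
import uuid
from typing import Any, Dict, Set, Tuple


class UserDataStore:
    """Stand-in for the partner's systems holding data keyed by IDFA (constructed for the example)."""

    def __init__(self) -> None:
        self.profiles: Dict[str, Dict[str, Any]] = {}
        self.opted_out: Set[str] = set()  # suppression list so later data for this IDFA is dropped too

    def delete_everything_for(self, idfa: str) -> bool:
        """Remove all data for the IDFA; returns whether anything existed. Safe to call repeatedly."""
        existed = self.profiles.pop(idfa, None) is not None
        self.opted_out.add(idfa)
        return existed


def parse_opt_out(raw_body: bytes) -> Dict[str, Any]:
    """Validate the POST body defined in the protocol above; raises ValueError on any deviation."""
    msg = json.loads(raw_body)
    if uuid.UUID(str(msg["id"])).version != 1:
        raise ValueError("id is not a version 1 UUID")
    if not isinstance(msg["idfa"], str) or not msg["idfa"]:
        raise ValueError("idfa must be a non-empty string")
    if msg["opt-out"] is not True:
        raise ValueError("opt-out must be true")
    int(msg["ts"])  # unix timestamp, delivered as a string
    return msg


def handle_opt_out(raw_body: bytes, store: UserDataStore) -> Tuple[int, Dict[str, Any]]:
    """Return (HTTP status, response body). 200 is sent only after the deletion has been applied."""
    try:
        msg = parse_opt_out(raw_body)
    except (ValueError, KeyError, TypeError) as exc:
        # Assumption: a malformed body gets 400 so Unity retries and the partner can investigate.
        return 400, {"error": f"invalid opt-out request: {exc}"}
    existed = store.delete_everything_for(msg["idfa"])
    # 200 whether or not the IDFA was known: it acknowledges receipt and the intent to delete.
    return 200, {"id": msg["id"], "deleted": existed}


# Constructed sample body: a well-known version 1 UUID and a made-up IDFA.
SAMPLE_BODY = (b'{"id": "6ba7b810-9dad-11d1-80b4-00c04fd430c8", '
               b'"idfa": "4B1D9C6E-0F2A-4C3D-9E8F-1234567890AB", '
               b'"opt-out": true, "ts": "1524785925"}')
```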

Any non-compliance with this requirement will result in the partner not receiving any traffic affected by GDPR. Exceptions will only be made on a case-by-case basis for partners that solely act as processors that meet the following criteria:

  • The partner does not store any data received from Unity as part of the Unity ad request and other data products that contain PII.
  • A partner acting as a processor must not use said data for behavioral profiling, model training, or any purpose other than fulfilling impressions for the current ad request.