GDPR checklist for game developers: all you should know about ads in your app

GDPR (General Data Protection Regulation) is a demanding privacy and security law adopted by the European Union. It also governs transfers of personal data outside the EU and EEA, with some caveats: its focus is the protection of individuals in the EU and EEA, wherever the organisation processing their data is based.

Game developers typically release their products worldwide. In simple words, if you process the personal data of even one person in the EU, you must comply with the GDPR to protect that person's data. Period.

Do not treat GDPR compliance as merely good advice. Beware: the fines for non-compliance are high: up to €20 million or 4% of annual global turnover, whichever is higher. For example, La Liga (the top Spanish football league) was fined €250,000 over privacy violations in its mobile app. But don't let this stop you from creating something new: if your app complies with the GDPR, there shouldn't be any problems. So, how can one put ads in an app without violating privacy? Read our checklist on in-app advertising.

Personalized or not?

First things first, as a game developer you have to decide what type of ads you will run (or allow to be run) in the app: personalized or non-personalized. Non-personalized ads are not based on a user's past behaviour, so you do not build or share a behavioural profile of the user. They are not targeted to user preferences, so they are usually less effective. The big advantage is that you do not bear the burden of responsibility for profiling-based processing of personal data. One caveat: an ad SDK may still process identifiers such as the IP address or device identifiers for frequency capping, fraud prevention and aggregated reporting even for non-personalized ads, so check with your provider what is still collected and whether it needs its own legal basis or consent.

However, nobody wants to lose money on conversions. For this reason most developers choose personalized ads. To do so, you need to transfer your users' personal data to third parties. The tips below will help you handle it.
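As an added example (not code from the original article), here is how the personalized/non-personalized choice is enforced in practice with the Google Mobile Ads (AdMob) SDK on Android. The SDK accepts an `npa=1` network extra that requests non-personalized ads; everything else in the snippet (the `ConsentAwareAdRequests` class, the preference file and key used to store the user's choice) is an assumption for illustration, and how you actually collect and record consent is up to you.

```java
import android.content.Context;
import android.content.SharedPreferences;
import android.os.Bundle;

import com.google.ads.mediation.admob.AdMobAdapter;
import com.google.android.gms.ads.AdRequest;

/** Builds AdMob ad requests that honour the user's recorded consent choice. */
public final class ConsentAwareAdRequests {

    // Hypothetical preference file and key (assumption for this example).
    // The app must write this value only after the user has actually made a choice.
    private static final String PREFS = "consent_prefs";
    private static final String KEY_PERSONALIZED_ADS = "personalized_ads_consent";

    private ConsentAwareAdRequests() {}

    /** Returns true only if the user has explicitly opted in to personalized ads. */
    public static boolean hasPersonalizedAdsConsent(Context ctx) {
        SharedPreferences prefs = ctx.getSharedPreferences(PREFS, Context.MODE_PRIVATE);
        // Default is false: no recorded choice means no personalization,
        // because GDPR consent has to be an affirmative opt-in.
        return prefs.getBoolean(KEY_PERSONALIZED_ADS, false);
    }

    /** Records the user's choice; call this from your consent dialog. */
    public static void setPersonalizedAdsConsent(Context ctx, boolean granted) {
        ctx.getSharedPreferences(PREFS, Context.MODE_PRIVATE)
           .edit()
           .putBoolean(KEY_PERSONALIZED_ADS, granted)
           .apply();
    }

    /**
     * Builds an AdRequest for any ad format. Without consent, the "npa=1"
     * network extra (documented by Google) tells the AdMob adapter to serve
     * non-personalized ads; with consent, a normal request is built.
     */
    public static AdRequest buildAdRequest(Context ctx) {
        AdRequest.Builder builder = new AdRequest.Builder();
        if (!hasPersonalizedAdsConsent(ctx)) {
            Bundle extras = new Bundle();
            extras.putString("npa", "1");
            builder.addNetworkExtrasBundle(AdMobAdapter.class, extras);
        }
        return builder.build();
    }
}
```

Load every banner, interstitial or rewarded ad with `ConsentAwareAdRequests.buildAdRequest(context)` instead of a bare `new AdRequest.Builder().build()`, so the flag cannot be forgotten at an individual call site. If the user later withdraws consent, call `setPersonalizedAdsConsent(context, false)`; the next request will automatically go out as non-personalized.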

Review ad services

Now that you have chosen personalized ads for your advertising strategy, you have to make sure your partners are reliable. Most likely, you will use an external service for serving ads. You need to be clear about where the data will be stored and who will be in control of the transferred data.

It's a mistake to assume that all third parties and SDKs connected to your app are GDPR compliant (even if they promise you so). As the controller, you are responsible for a data breach at any of your third parties that leads to a leak of your users' data. You should ensure that all third-party data processing and transfers are aligned with the GDPR, and you also take on responsibility for your third parties' data security measures. To avoid trouble, ask your partners for their Privacy Policy and Terms, and for details of where data is stored and which sub-processors they use, before any actual processing begins.

So, make sure you have carefully reviewed your advertising partners. It will help safeguard your business from violating personal data laws.

Written DPA is a must

A Data Processing Agreement (DPA) is a legally binding contract that sets out the rights and obligations of each party concerning the protection of personal data. Once you have chosen your partners, you should sign a DPA with each of them. Written contracts between your business and your data processors, allocating roles and responsibilities, are a practice required by the GDPR.

You must have a Data Processing Agreement with each of the advertising services to achieve overall GDPR compliance. It takes time, but it is also one of the most basic steps of GDPR compliance and vital to avoiding GDPR fines. This is what the GDPR itself (Article 28(3)) says about DPAs:

“Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller”.

You needn't do it alone. It's always better to have access to a reliable adviser. For instance, you may check our GDPR services here.

Select ad technology providers

If you want to use AdSense for advertising in your app, you should select only ad technology providers who are compliant with the GDPR. Google helps by publishing a list of ad technology providers with information about their GDPR compliance. But don't be shy about shopping around: a company that is perfect for you may just be in the process of aligning with the GDPR, and a beautiful partnership may follow.

Providers on that list have committed to Google's requirements for using data about your users for ad personalization and measurement in line with the GDPR. That commitment does not replace your own review of each provider or your DPA with them.


Ads for children

Recital 38 of the GDPR says that children merit specific protection when their personal data is used for the purposes of marketing because they may be less aware of the risks, consequences and safeguards concerned.

There are no strict restrictions on ads aimed at children, but common sense is required. Children tend to hand over personal data, such as an email address or information about their hobbies, without concern or suspicion. They may not realise that you will use it to target them and, moreover, may not even understand what advertising is and how it works.

Children may receive advertising that they do not want or are not prepared for. This may lead to children spending money on goods that they cannot use or afford. So, if you wish to use a child's personal data for advertising, you should pay attention to ways of mitigating these risks. Remember that the GDPR establishes specific requirements relating to plain language, parental consent (Article 8) and the rights of minors.

Your advertisements must not exploit children's credulity, loyalty, vulnerability or lack of experience, and they must not encourage an unhealthy lifestyle in children.


Visibility and Transparency

Recital 58 of the GDPR says that the principle of transparency requires that any information addressed to the public or to the data subject be concise, easily accessible and easy to understand, and that clear and plain language and, where appropriate, visualisation be used. This applies with particular force to children, who cannot be expected to digest dense information.

In simple words, the Privacy Policy should not contain overly legalistic, technical or specialist language: everything should be clear even to a child (as noted above). All information must be provided free of charge (a reasonable fee may be charged only for requests that are manifestly unfounded or excessive, for example highly repetitive ones), and this must not depend on whether the user chooses to use the service or not.



Summarizing, it should be said that even if you don't collect users' data yourself, because an advertising SDK does it for you, you are still a data controller under Article 4 of the GDPR. Therefore, you can end up being liable for a violation of any of these rules, and your app must be GDPR compliant. This is of vital importance in 2020.
