Managing PIPL
Maintaining compliance with PIPL when you use Unity Analytics is a shared responsibility. Unity collects data to help improve the player experience with ads and gameplay. Some of that data includes personal information (PI) regulated under PIPL.
China’s new data privacy law - Personal Information Protection Law - came into effect on November 1st 2021. Personal information is data that can identify a person, such as name or address, and is stored electronically or otherwise. Sensitive personal information refers to biometrics, gender identity, religious beliefs, medical history, finance, and any personal information of minors under fourteen years.
PIPL is an opt-in based legislation. We are obligated to run a geolocation API call to see if a user is currently in China, and if so, if consent was given. The geolocation can’t be used for opt-out based legislation, as they might not be related to the location of a user. Opt-out based legislation doesn’t require getting explicit consent from the user for sending events. Without the geolocation check, events can’t be sent, even if the user is in a place where they are not under any legislations.
Note: PIPL (and any potential opt-in regulation in the future) will override any previous opt-out consent state.
This means that opting out in California won’t matter if the user travels to China; again we’ll require giving or denying consent, and vice versa. If the user opts out in China, it won’t be taken into account outside China.
If the user tries to opt out from PIPL while not being in China, or opt out from non-PIPL legislation while being in China, the CheckConsentException will be thrown that informs the developer that the user tried to opt-out from the incorrect legislation.
All previous GDPR-related logic was moved to the ConsentTracker class that stores all information about consents states in one place.
The opting out process (after giving consent) is implemented in the same manner as it was for GDPR.
Functions
You must present the Privacy Policy to the user with an opt-out button for your user interface and supported platforms.
There are three functions you should be aware of:
CheckForRequiredConsentsThis method will always need to be called in the beginning. It performs a GeoIP call for determining if you are obligated to ask the user explicitly for consent. If the PIPL legislation is in place, that would return the identifier. The developer is then obligated to ask the user if they are giving or denying consent before we trigger any action in the SDK. This method won’t return anything if the user is outside of China (so no opt-in based legislation is in place) or when the user already gave or denied consent.
OptOutThe old method that will opt out the user from every legislation, regardless of where they are. It still requires CheckForRequiredConsents to be called in the beginning to manage that process according with the law.
ProvideOptInConsentMakes sure you know the decision of the user. If it’s given, all will work as usual. If it’s denied everything is revoked - no Events will send, even the ForgetMe Event.
Place this code snippet in your startup code, or as earliest as possible:
using System.Collections.Generic;
using Unity.Services.Analytics;
using Unity.Services.Core;
using UnityEngine;
public class ConsentTest : MonoBehaviour
{
async void Start()
{
await UnityServices.InitializeAsync();
try
{
List<string> consents = await Events.CheckForRequiredConsents();
if (consents.Count != 0)
{
string legislation = consents[0];
// ask user for consent
// ...
// if user gave consent:
Events.ProvideOptInConsent(legislation, true);
// if user denied consent:
Events.ProvideOptInConsent(legislation, false);
}
// if user decided to opt out from every legislation, regardless of the location:
Events.OptOut();
}
catch (ConsentCheckException e)
{
// handle the exception by checking the reason
}
}
}