glen asked

Get Country Code BEFORE Login

I don't see anything in the APIs that suggests this, but is there some way to get a country code of a device before logging in? Even via CloudScript would be fine, though I'm pretty sure that always requires a logged-in user.

The reason I ask is for the purposes of GDPR. Ideally we'd serve a consent popup before logging a user in and creating an account AND only show this popup to EU-based users/devices.

I do know that once a player account is created we have access to that player account's country code but of course we don't want to create an account until we've received consent to process and store that kind of data.

PlayFab's country detection seems pretty solid so it would be really nice to be able to utilize this functionality when determining if a device is located in the EU.


1 Answer

brendan answered

No, all Client API calls apart from login and password reset require a signed-in user (the SessionTicket). But also, it's not really safe to make an assumption about the player's country of residence based solely on the geo-lookup of their IP Address. While largely accurate, geo-lookup by IP is not 100% in all cases, and further, the player could very well be on vacation or business travel outside their country of residence.

If you haven't already, I'd recommend reading our recent blog post on GDPR and PlayFab: https://blog.playfab.com/blog/gdpr-is-coming-new-features-from-playfab-to-help-you-prepare. We'll be posting more on this topic as we get closer to the May 25th date, but the key thing to know is that, as with COPPA, we're making sure that the service allows for the creation of games and apps that comply with the GDPR. Obviously, we can't guarantee your title will be compliant, since it's always possible for you to do things like save PII to player data, or even send it to your own servers, so we would always recommend that you review your plan for compliance with your own legal counsel.

6 comments

glen commented

Thanks for the info. I've been reading through many different blog posts as well as the actual regulation and have been trying to formulate our strategy for compliance.

I will continue to monitor PlayFab updates and posts for additional information.

charlie commented
@glen

Would be interested to know if you came up with a solution? I'm looking for the same thing and was hoping it might be a PlayFab service.

brendan commented (replying to charlie)

Well again, all Client API calls require a signed-in user, and it's the login process that gets you the geolocation info. But also (again, as above), that geo info is based on the IP Address and cannot be guaranteed to be 100% accurate. So if the problem you're trying to solve has any legal implication, you should really be talking to your legal counsel first, to determine whether that type of lookup would be sufficient (as well as what your obligations are as concerns what data you store and when).

glen commented (replying to charlie)

I was not able to find a reliable solution. Our final strategy was to be GDPR compliant for all regions, which turned out to be less difficult than I'd anticipated.

charlie commented

Haha. Thanks! In the end, it is supposedly illegal to use the IP address to look up anything about the person, including country.

So we are going to ask everyone if they are GDPR compliant. Yet another law that creates a warning no one will read and just click through!

The closest we came was a posting on Unity's forums I think, about using AWS CloudFront to get the country (assuming you are already using CloudFront, probably for free); I did not follow through on reading the article yet.

Then there were a few services that are about $100 for 2MM requests/day. Less if you need fewer requests. Since showing a GDPR or not is only necessary for a brand new user, you'd be lucky to get that many requests/day for sure!

brendan commented (replying to charlie)

I can indeed confirm that PlayFab enables full GDPR compliance. While different lawyers may quibble over interpretation, we've been through a thorough review by the Microsoft legal team, so we have no doubts about this.

As a game developer, it's vital that you read through and understand the GDPR requirements, or have a legal rep who can do so for you, and advise you on how to make sure you're fully compliant, since it's not possible for us to force titles to be compliant directly. There are a number of good resources online that help to make things like consent easier to understand (ex: https://ico.org.uk/media/about-the-ico/consultations/2013551/draft-gdpr-consent-guidance-for-consultation-201703.pdf), but that's no substitute for a legal counsel who can direct you to make sure you're doing the right thing.
