Hi Kato,
this isn't a simple question or short topic. And it's confusion which ID is used for which data. I spent a whole day just about this.
Firebase for Analytics is separated in two parts:
Demographic data and device information/events user perform.
The app Instance ID is used to identify the same user. The app instance ID might be used for Device Information/Events user perform.
The Advertise ID is available upon version 4.4 Kitkat.
Advertise ID is usually used for demographic Data (therefore it was invented). Before Android 4.4 the demographic Data was associated with the Android ID.
It might be that the device information/user events are associated with the advertise ID even if it's disabled through Device. This is still allowed through gdpr. Only the usage for personalized advertise isn't allowed anymore when the advertise ID is disabled.
If you make
resetAnalyticsData according to
https://support.google.com/firebase/answer/9019185?hl=en "Clears all analytics data for this app from the device and resets the app instance
id". It doesn't delete the data from the statistics (this is valid through gdpr). If the App Instance ID and Advertise ID is used everything is alright, since a new app instance ID is given and the old instance id can't be used to identify the person anymore. Therefore the old instance ID is no more a personal data. Just uninstalling the App gives a GDPR compliance.
The advertise ID can be reset at any time. No problem therefore.
But if by example the SSID is used instead of advertise ID:
As mentioned above, the data isn't deleted from the
server backend of the
statistic.
SSID can't be changed/reset.
Therefore personal data is kept into the server backend of the statistics. And this is under some circumstances, when the user got the right to delete his data invalid by GDPR. And i can't see a valid reason for collection persistent identifier. Therefore the usage of Analytics by legitimation through §6f GDPR is no more allowed. You would need the user consent.
When user give consent, he has always the right that the data is deleted. This persistent identifier makes it so complicated.
The Unity3d SDK doesn't provide the deletion of data only the reset of App Instance ID. A deletion of the App doesn't mean that there isn't anymore personal data collected when the SSID or similar persistent Identifier is used. I have to know, if i should implement a deletion through my server and also if i need user consent.
I