2024-03-20
Privacy is paramount in this day and age, and gaming is no exception.
But as a gamer, it can be difficult to know, or keep up with, how our data is being used and what rights we have to control it. And as a game company, there are important but often nebulous legal obligations governing how to gather, process, and store that information.
In this article, we break down one of the biggest names in data protection: the GDPR.
What is GDPR?
Adopted by the European Union (EU) in 2016 and applicable since 25 May 2018, the General Data Protection Regulation (GDPR) is a law that grants individuals rights over their personal information and over how it is processed by the organizations that collect it, regardless of whether that processing happens online or offline.
It is intended to safeguard the right to data privacy of people in the EU by imposing strict obligations on organizations. These organizations can be based anywhere in the world, but they are still subject to the regulation as long as they offer goods or services to, or monitor the behaviour of, individuals in the EU (Article 3).
How does it affect gaming?
Like many other industries, gaming companies collect players' data in order to optimize their efforts and maximize enjoyment. They also use that data when preparing future projects to determine feasibility, project numbers, and predict marketability. Lastly, players' data also serves to personalize advertisements, a main source of revenue for many developers.
As video games have grown over the last decade, however, so has the concern over how this data is collected and handled, specifically in the case of minors. Sadly, some companies have been found to have handled their users' data in ways that were non-compliant, and in some cases downright unethical.
How it works: The seven principles
The starting point of the GDPR is that personal data may only be processed when the regulation permits it. Personal data is defined in the regulation's Article 4 as "any information relating to an identified or identifiable natural person", which covers obvious identifiers such as names and e-mail addresses as well as player IDs, IP addresses, and device identifiers that can be linked back to a person.
There are seven key principles of data protection and accountability, outlined in Article 5(1) and 5(2) of the GDPR:
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality
- Accountability
Let’s take these points one by one and see how they impact gaming.
What this means
In short, these principles state that any personal data a company processes needs a legitimate, clearly stated purpose that is communicated to the user concisely, and needs a lawful basis for the processing (Article 6). For most gaming data that basis is either the user's express consent or the necessity of providing the service the user signed up for; where consent is the basis and the user is a minor below the applicable age, it must come from the legal guardian.
The data that is collected needs to be limited to what is strictly necessary, and may only be kept for as long as is necessary for the purposes for which it is processed. The company must inform users of any change to the way their data is processed, and must keep the data secure at all times. Any breach must be reported to the supervisory authority within 72 hours of the company becoming aware of it, unless the breach is unlikely to put the affected people at risk (Article 33). Where the risk to players is high, the players themselves must be informed as well, unless a safeguard such as encryption has rendered the data unintelligible to the attacker (Article 34).
Companies are held accountable for upholding these principles. Any failure to comply leaves them open to fines of up to 20 million euros or 4% of the company's worldwide annual turnover in the preceding fiscal year, whichever is higher.
What you need to know as a gamer
First things first, keep in mind that your data is yours: you have every right to know which of your data is being used and every detail of its processing and storage. Not only is it your right to know, it is the data collector's obligation to inform you of what it intends to do with your data in a clear, concise manner, and to have a lawful basis for doing so, which in practice often means asking for your express consent.
Moreover, you are entitled to request a copy of the data that is being kept on you at any time (the right of access, Article 15). That copy must be provided in an intelligible form, not as an encrypted or otherwise unreadable dump. Gaming companies will often keep track of your behavioural data: what games you play, how much you play, which characters you choose, and so on.
If you are the parent of a minor, be aware that the GDPR sets the age of digital consent at 16 by default, and allows member states to lower it to as low as 13. Below that age, the responsibility for consenting to data collection is yours, and gaming companies should be prompting for your express consent rather than your child's.
Keep in mind that some data has a legitimate use and must be processed for you to play at all. For instance, a multiplayer game will most likely need an approximate geographical location (typically derived from your IP address) in order to connect you to the nearest servers, and most games nowadays will need you to create an account, or link an existing one for convenience.
You may find that providing this data is unavoidable; however, you are very much allowed to refuse to share data that serves no legitimate purpose with regard to your gaming experience, such as ad personalization.
What you need to know as a developer
If you are developing a game, you will need to build your own GDPR compliance framework. Whether you are based in the EU is irrelevant: as long as you make your game available to players in the region, you have to comply with the GDPR.
There are official resources, provided by the European Commission and the national data protection authorities, that offer practical and actionable guidance on how to reach GDPR compliance.
Remember that the GDPR, although strict in its accountability, is principle-based and does not dictate the minutiae of your data governance. What it does require is that data protection be considered first and foremost, "by design and by default" (Article 25).
At its core, your data processing must be communicated expressly and unambiguously to your player base, and you must maintain a high level of security and transparency. Article 32 spells out what that means in practice: encrypting and pseudonymizing personal data (pseudonymization replaces identifying fields with a token, so that a record can no longer be attributed to a person without additional information that is kept separately), ensuring the ongoing confidentiality, integrity and availability of the processing systems, being able to restore access to the data after an incident, and regularly testing every security measure you put in place.
These standards also extend to where the data is stored, so make sure you choose the right place. The European Commission issues "adequacy decisions" that establish which countries outside the EU offer an equivalent level of protection, and transfers to those countries need no extra safeguards. If you wish to store or transfer data to a country that is not covered by an adequacy decision, you will need additional safeguards, such as the Commission's Standard Contractual Clauses in your contract with the provider in the recipient country.
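As an added example (this is not code from the original article, nor from any studio), here is what pseudonymization and data minimization look like in a telemetry pipeline, in Python. The event fields, the allow-list of fields the analytics store may receive, and the key handling are assumptions made for illustration. It also shows a caveat practitioners run into: a plain hash of a player ID is not pseudonymization, because the ID space is small enough to enumerate, whereas a keyed HMAC with the key held outside the analytics store is.

```python
"""Pseudonymising player telemetry before it reaches the analytics store.

Added example for this article, not code from any studio or from the
regulation. The event fields, the allow-list and the key handling are
assumptions chosen for illustration; only the standard library is used.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List, Optional

# Data minimisation: the analytics store only ever receives these fields.
# Direct identifiers (player_id, email, ip) are deliberately not on the list.
ALLOWED_FIELDS = {"event", "map", "character", "session_seconds"}

# The pseudonymisation key is the "additional information" the regulation
# requires to be kept separately. It is generated here for the demo; in
# production it would live in a KMS/HSM, never beside the pseudonymised data.
DEMO_KEY = secrets.token_bytes(32)

# Constructed sample telemetry, as a game client might report it.
RAW_EVENTS = [
    {"player_id": "1042", "email": "alice@example.com", "ip": "203.0.113.7",
     "event": "match_end", "map": "harbor", "character": "ranger",
     "session_seconds": 1380},
    {"player_id": "1043", "email": "bob@example.com", "ip": "198.51.100.2",
     "event": "match_end", "map": "harbor", "character": "mage",
     "session_seconds": 920},
    {"player_id": "1042", "email": "alice@example.com", "ip": "203.0.113.7",
     "event": "purchase", "map": None, "character": "ranger",
     "session_seconds": 45},
]


def unkeyed_token(player_id: str) -> str:
    """Plain SHA-256 of the identifier. Often mistaken for pseudonymisation:
    player IDs and e-mail addresses come from a small, guessable space, so
    anyone holding the store can recompute the hash for every candidate."""
    return hashlib.sha256(player_id.encode("utf-8")).hexdigest()


def keyed_pseudonym(player_id: str, key: bytes) -> str:
    """HMAC-SHA256 pseudonym. Without the key the token cannot be recomputed,
    so the analytics store on its own no longer identifies the player."""
    return hmac.new(key, player_id.encode("utf-8"), hashlib.sha256).hexdigest()


def reverse_token(token: str, candidates: Iterable[str]) -> Optional[str]:
    """Attacker's view: try every plausible player ID against a leaked token."""
    for candidate in candidates:
        if hmac.compare_digest(unkeyed_token(candidate), token):
            return candidate
    return None


def pseudonymise_event(raw: Dict, key: bytes) -> Dict:
    """Drop everything outside the allow-list and replace the player ID
    with its keyed pseudonym."""
    kept = {k: v for k, v in raw.items() if k in ALLOWED_FIELDS}
    kept["subject"] = keyed_pseudonym(raw["player_id"], key)
    return kept


def build_store(raw_events: List[Dict], key: bytes) -> List[Dict]:
    """What the analytics store is allowed to hold."""
    return [pseudonymise_event(e, key) for e in raw_events]


def events_for_player(store: List[Dict], player_id: str, key: bytes) -> List[Dict]:
    """Right of access: only the key holder can find one player's records,
    by recomputing their pseudonym."""
    subject = keyed_pseudonym(player_id, key)
    return [e for e in store if e["subject"] == subject]


def erase_player(store: List[Dict], player_id: str, key: bytes) -> List[Dict]:
    """Right to erasure applied to the pseudonymised store."""
    subject = keyed_pseudonym(player_id, key)
    return [e for e in store if e["subject"] != subject]


if __name__ == "__main__":
    store = build_store(RAW_EVENTS, DEMO_KEY)
    print("stored record:", store[0])
    print("player 1042 has", len(events_for_player(store, "1042", DEMO_KEY)), "records")
    id_space = (str(i) for i in range(1000, 2000))
    print("unkeyed token reversed to:", reverse_token(unkeyed_token("1042"), id_space))
```

Because the link between a player and their records exists only through the key, destroying or rotating the key at the end of the retention period is a practical way to honour storage limitation without rewriting the store, and a leak of the analytics store alone does not expose player identities.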
In short...
The GDPR has quickly risen to become, in many ways, the gold standard of data protection, with many countries and regions now following suit and modelling their own laws on it. It adds to the existing public pressure on companies to manage data ethically.
The unfortunate reality, however, is that compliance demands both time and expertise: recruiting or training personnel to draw up and execute plans, and then evaluating and refining them. No easy task for a smaller game company!
Perhaps in the future there will be easier tools and services that companies can rely on to make compliance a smoother and more natural process.