The EU General Data Protection Regulation (GDPR) regulates and restricts the processing of personal data, meaning any information relating to an identified or identifiable person.
The GDPR generally applies to any company located in the EU or one that provides its services to people within the EU. As the EU is a big market for the gaming industry, this applies to nearly every games provider. However, the GDPR is not applicable to software developers or hardware producers involved in the games business that do not process personal data themselves, but merely enable others to host and operate by using their software infrastructure.
Games providers generally collect and store a lot of personal data, especially if they offer browser-based or multiplayer games: registration or payment information, metadata on usage such as times, possibly durations and locations of logins, behavioral data on the interaction of the player within the game, communication data and video footage from internal chat applications and so on.
From our experience, the following issues generally arise when implementing the GDPR (see our Step Plan for GDPR implementation):
• General obligations
A first challenge for games providers that maintain complex software environments is to gain an overview of, and identify, all data flows involving personal data. General compliance obligations include drafting a record of processing activities and privacy notices, as well as the requirement of a lawful basis for every data processing operation. Contrary to popular opinion, users’ consent is not always necessary or advisable. Other justifications may apply, specifically if the processing of the player’s personal data is necessary in order to play the game.
In general, any processing has to observe the general principles of the GDPR, and good documentation and robust policies are the best way to deal with possible future disputes with data subjects or data protection authorities.
• Data subject rights of players
Games providers may have to implement challenging software modifications when developing procedures to ensure that players can exercise their data protection rights under the GDPR. Among other things, data controllers must be able to provide players with information on the data processing concerning them when they exercise their right of access, including an overview of all categories of information they store and the purposes and duration of storage. Since players may be entitled to erasure of their data, games providers have to think of ways to cut the player’s character out of the game without impairing the other users’ playing pleasure. Best practice is to provide players with remote access to a secure system that gives the data subject direct access to their personal data.
In addition, under certain circumstances, players may have the right to ask to receive the personal data concerning them in a structured, commonly used and machine-readable format in order to transmit this personal data to another games provider. Regardless of whether or not it makes any sense to transfer usage data concerning a particular game to another game, providers may face such demands and should be ready to deal with them.
Games providers focusing on underage target groups should pay special attention when they base their processing on legitimate interest. When child data is involved, most processing activities should be limited to what is strictly necessary to provide the game, and such personal data generally may not be used for direct marketing purposes.
In particular, when obtaining consent from children it is necessary to fulfil the additional requirements for child consent. The GDPR sets a minimum age of sixteen years to consent, but grants EU member states the flexibility to set a lower age limit down to thirteen years, and thereby forces providers to assess compliance for each member state separately. Where players are younger than the age limit, games providers must ensure that legal guardians consent on behalf of their children instead.
• Data Security
Under the GDPR, any data controller must maintain technical and organisational measures to ensure an appropriate level of data security. Since providers of browser-based or multiplayer games in particular may store vast amounts of personal data on servers, they should make major efforts to keep their security concept up to date. In 2018, a German supervisory authority fined a local social network for storing unencrypted user passwords. In addition to impending fines, the possible reputational damage in case of a data breach may be even more threatening for games providers than enforcement action.
• Data transfers
Games, especially those with multiplayer modes, may require international data transfers, such as hosting the player’s data on servers around the globe or disclosing certain players’ data to other players as part of the game concept. The free flow of EU players’ data to countries outside the EU is only possible for a very limited number of countries. In all other cases, games providers must have certain data protection safeguards in place. For example, providers may have to consider specific additional safeguards with regard to their service providers.
• Ad Networks
In order to be able to provide games free of charge, many games providers rely on so-called ad networks. Ad networks can be quite complex. The roles of each party in an ad network may vary based on how the ad network is structured, and it is necessary to evaluate each party’s role in each ad network in the given situation. It may be that one party processes certain personal data on behalf of the other or solely for its own purposes (please see an overview on controller and processor roles under the GDPR here).
However, the controller needs to choose the right lawful basis for processing carefully. There is an ongoing debate at the moment in the EU on website cookies and whether consent is necessary for certain targeting cookies (please see the CNIL in France, the ICO in the UK and the DSK in Germany). It is advisable to follow this debate closely, as its results might also be applied to ad networks in apps generally.
• Data protection by design
Considering data protection matters when developing games software may lead to significant competitive advantages. Data controllers are obliged under the GDPR to minimize data collection and processing, using, for instance, anonymization or pseudonymization of personal data where feasible.