Attention Game Publishers: The Privacy Tsunami is Coming, Get Ready!

The EU’s GDPR is an ‘extinction level’ game change if you ignore it, and it’s just the first of its kind.

I’ve blogged here for several years about privacy regulation and gaming, mostly about the U.S. COPPA law.  Taking the Federal Trade Commission’s COPPA enforcement record into consideration, I understand why game publishers might think they are immune from privacy regulation. Major privacy gaffes like the 2015 breach of six million children’s personal information, photos and other data by V-Tech have gone unpunished.  The only noteworthy recent COPPA enforcement (involving Viacom, Mattel and Hasbro) wasn’t even pursued by the FTC, it was undertaken by the New York State attorney general. The small fines, totaling $834K were less than a traffic ticket to the multi-billion dollar companies involved.

So in that light, I’m sure my credibility with Gamasutra readers is in question. Fair enough. But I still feel the need to try one more time to get game publishers to understand that the world has changed in a fundamental way, and their days of gleefully tracking users, capturing and sharing their data, and leveraging user data without knowledge or consent are over.

As an industry, the game development business is completely unprepared for this coming privacy tidal wave. How do I know that? In preparation for this blog post, I visited both PocketGamer and Gamasutra and performed site searches for “GDPR”. On PocketGamer the only result was my company AgeCheq’s GDPR press release. On Gamasutra, the only results were my previous blog posts!

Imagine if both Apple and Google instituted a major app store change that would require every game to be redesigned and reworked.  Further, suppose the required changes definitely meant lower acquisition conversions due to friction, decreased revenue generation due to inability to track user activity, optimize revenue generation, or deliver higher CPM targeted ads.  Under such a terrible scenario, do you think most industry professionals would just blissfully carry on, hoping if they ignore the massive change, it might just go away?

That’s exactly what the game industry is doing with privacy in general, and GDPR in particular.

Here’s how the GDPR tsunami compares with COPPA, in detail.

COPPA only required notice and parental consent when a child was under 13. GDPR requires clear notice and consent for EVERYBODY, regardless of age.

COPPA required parental consent for children under 13.  GDPR defaults to 16 as the age of consent, but allows member states to choose from 13-16.

COPPA tried to include third parties like ad networks. GDPR deeply involves third party “Data Processors”

COPPA had no design requirement.  GDPR requires you to demonstrate your app is designed to protect privacy by default.

COPPA fines were based on the number of affected children. GDPR fines are based on 2%-4% your company’s global topline revenue, or €20M, whichever is greater.

COPPA had numerous ‘loopholes’ that allowed publishers to avoid it.  GDPR doesn’t. 

COPPA had a single enforcement agency. GDPR will be enforced by any of 28 DPAs, or by the European Commission directly.

COPPA required the FTC to prove your violation.  GDPR requires you to prove your compliance. Big difference!

GDPR has been called the biggest privacy regulation of our lifetimes, and I agree with this assessment. Many businesses will be negatively impacted, particularly those that depend on leveraging private data without user permission. With its dependence on analytics and targeted advertising, the game industry is perilously close to being included on that list.

Are you thinking “Wow, GDPR really is scary, I’m glad it doesn’t apply to me” ?

If you think GDPR doesn’t apply to you because your company isn’t EU-based, you should know that GDPR applies to any company that interacts with EU citizens, regardless of their country of incorporation. 

Think you’re not in the tsunami’s way because you are UK based and Brexit will save you? That’s wrong on two points. First, the UK will still be in the EU for the first 9 months of enforcement, starting in May 2018. Second, in order to continue trading with the EU, the UK is required to maintain privacy protections as good as, or better than GDPR.

Do you think you won’t be impacted because your audience is only in the US? The “Privacy Shield” privacy treaty that replaced the longstanding EU-US “safe harbor” privacy agreement states that the US will maintain privacy protections “in line with EU data protections”.. also known as GDPR. So GDPR-level privacy protections are coming to the US. 

Maybe your company is in Australia or Argentina, far away from the US or EU? Both of these countries are in the midst of adopting GDPR-like privacy laws. Many other countries are following suit. The waves are coming. GDPR-style privacy laws are in force or soon to be everywhere in the world.

In closing, I respectfully advise you to do your own research and really understand how the privacy tsunami affects your company and games. Non-trivial work will be required to both your internal operations and data handling and to redesign your games to gather and log user consent and to embody "Privacy by Default" and "Privacy by Design".  If you maintain databases with user data gathered without GDPR consent, they will have to be "Repermissioned" or deleted.  You have one year in which to make these changes, or risk having to explain to your board of directors why you didn’t take it seriously.