It’s been another wild few months in the Privacy space since my last post. Bringing everyone up to date:
GDPR is now the law
The new European Union privacy law called ‘General Data Protection Regulation’ (GDPR) is now in effect, replacing the 20-year-old ‘Data Protection Directive’. This privacy law is being called the ‘biggest legal change of the digital age’, and for good reason. Companies that capture private user data (called ‘Data Controllers’) from EU citizens are now required to get explicit, informed consent (no more TOS consent or default opt-ins), and they are required to give users the ability to view the captured data, get a copy of it, and revoke their consent and trigger complete erasure with the same ease that they initially gave it.
This is a big deal because unlike COPPA, which only deals with the privacy of children under 13, GDPR requires data controllers to do this for EVERY USER that is an EU citizen. The GDPR also has a child privacy aspect that is similar to COPPA but does not have COPPA’s numerous loopholes. An added complexity is the fact that GDPR allows each EU member state to choose the age of consent for child privacy, with the default age being 16. Before they voted to leave the EU (more on that later), the UK announced they would stay with 13 as the age of consent.
Another big change with GDPR is its focus on third-party companies that process private user data, such as ad networks that use private data to optimize and target ads. GDPR brings third parties (called Data Processors in GDPR lingo) into the same regulatory requirements as Data Controllers. And since virtually none of the databases they currently have were created using GDPR-compliant user opt-in, the entire ad tech business is gearing up to comply with GDPR in time for enforcement day, May 28, 2018.
Regarding enforcement, my opinion is that within the EU there are 28 different countries, some of which will diligently enforce privacy while others will not. This situation is very different from the US COPPA law which was never aggressively enforced by the FTC, to the point that trade groups have begun self-policing COPPA. GDPR is going to be enforced, and the penalties are very real and potentially career-ending.
Game developers who do not have any users in EU countries do not have to worry about GDPR. Or do they? Perhaps not in the short term, but I believe because of its huge reach, GDPR will become the model for online privacy regulations around the world.
What about Brexit?
There have been dozens of blog posts asking how Brexit affects game publishers. If the UK wishes to continue trading with the EU (and I’m pretty sure it does), it will have to create privacy laws that are as good as, or better than, GDPR in order to be accepted as a trading partner. The most obvious solution here would be for the UK to copy GDPR word-for-word, which would fulfill the ‘as good as’ requirement and reduce compliance complexity for all parties involved. But as we know, government doesn’t always do the obvious, so this remains a question mark. There is a 2-year transition period that starts once the UK triggers Article 50 to formally leave the EU, and it hasn’t done that yet. My advice would be to focus on GDPR compliance with the knowledge that whatever the UK comes up with will be similar.
Alrighty then, what about Privacy Shield?
Just for clarity, Privacy Shield is the name for the new online data protection treaty between the EU and US that was negotiated after the previous ‘Safe Harbor’ treaty was struck down in fall 2015. Two weeks ago, following several months of additional negotiation, the US and EU agreed to the new treaty, called ‘Privacy Shield’. Max Schrems, the advocate who helped kill Safe Harbor, is expected to challenge Privacy Shield in the same way. Since Privacy Shield interlocks with GDPR and existing US privacy laws, US game publishers should begin designing for GDPR-type privacy with games in production now.
So to summarize this update, here are my quick thoughts on how these issues will impact game publishers:
GDPR – Huge, unavoidable, you must start dealing with it now to have quality GDPR compliant products.
Brexit – Not really a factor; the new UK privacy law is likely to be very GDPR-like unless the UK goes rogue with even tougher privacy regs. The 2-year clock hasn't started yet.
Privacy Shield – Not really a factor; likely to be challenged again in 1 year, but too important to fail.