
How will the new EU GDPR privacy regulation and the updated US-EU privacy agreement affect game studios? Unlike the US COPPA law, which only affected 'child directed' games, both regs will force game publishers to take active steps to protect privacy.

Roy Smith, Blogger

March 4, 2016


Game Developers : GDPR and Privacy Shield Will Rock Your World

Things have really been popping in the world of privacy and regulation since my December post about the FTC’s long awaited COPPA enforcement actions.   The vast majority of mobile game publishers have sidestepped COPPA by using a variety of strategies. Except for a few minor FTC COPPA enforcements,  the mobile game market has been unaffected by user privacy regulations, but that’s definitely going to change a lot in 2016.

Big changes in US-EU Data Protection Agreements  -  Safe Harbor is out, Privacy Shield is in.

As I predicted in my Oct 28 blog, the “Safe Harbor” disconnect between the EU and the US moved much closer to being resolved with the joint announcement of a replacement agreement that is called “Privacy Shield”.  Final acceptance might involve more negotiation but resolution is expected sometime this summer.  It now appears that the odd and impractical requirement to store EU user data on EU soil I warned about will not be necessary.  Of course, there are those who feel the EU capitulated to the US in the negotiations and are urging a ‘re-do’, but I think it’s unlikely that any changes to Privacy Shield to assuage these concerns would be anything other than minor details.

So what does Privacy Shield mean to game developers vs. Safe Harbor? A lot. If your games touch data from users in any of the 28 EU member states, your company will need to sign up for Privacy Shield (the exact method of doing this isn't in place yet) and comply with its privacy principles: designing your games to handle personal data correctly (according to the EU's definition, which is much broader than the US notion of PII), collecting user data only for a stated purpose, and self-recertifying for Privacy Shield annually. Before passing EU user data on to other companies you must give users notice and a choice, and bind the recipient by contract to the same level of protection. You'll also have to make sure your privacy policy is updated to explain how EU customers can register complaints about your privacy handling, and pledge to respond to complaints within 45 days.

Since formal adoption is six months away, I would recommend that your development teams begin looking into implementing Privacy Shield compliance today for games that will be released this summer.

Even bigger changes in EU Privacy regulations – the General Data Protection Regulation (GDPR) is replacing the 21 year old Data Protection Directive.  

Following at least four years of effort by the European Commission, a final text for a major update to the EU's basic privacy law was agreed between the European Parliament, the Council and the Commission in December 2015, with formal adoption by Parliament still to come. GDPR is definitely going to affect every mobile game publisher that has even a single user in any of the EU states. Unlike the 21 year old 'directive' it replaces, which each member state had to transpose into its own national law, GDPR is a regulation that applies directly in every member state, will be enforced, and carries severe penalties for violations.

GDPR is a very wide ranging regulation that governs all aspects of EU personal data collection and management by websites and apps.  It has a child privacy provision that is quite similar to COPPA, with the following notable exceptions:

  1. GDPR does not give a publisher a way out of the regulation as a whole: there is no "Actual Knowledge" or "Internal Operations" escape hatch of the kind most game developers have used to avoid complying with COPPA, and the only scoping language in the child-consent article (Article 8, which covers services "offered directly to a child") narrows the parental-consent rule, not the rest of the regulation. If kids will be using your game, you need to handle their privacy properly.

  2. What age defines a "kid"? COPPA treats anyone under 13 as a child whose parent must consent. GDPR defaults to 16 but allows each EU member state to set its own age of digital consent anywhere down to 13; some, like the UK, have already declared they will stay with 13.

  3. Member states and their regulators may also differ on what counts as acceptable parental verification: the regulation itself only asks publishers to make "reasonable efforts" to verify that a parent gave or authorised the consent, "taking into consideration available technology".

In essence, for a game studio, this means GDPR equates to potentially 28 new versions of COPPA, each with its own age of consent, language, and expectations for parental verification. Oh, and the penalty for not complying with GDPR? It's up to 4% of your company's annual worldwide turnover, or €20 million, whichever is higher.

But GDPR actually goes a lot farther than COPPA, because its territorial scope (Article 3) covers every app, game and website that offers services to users in the EU or monitors their behaviour, wherever the publisher itself is based. Let me repeat that.

Every mobile game and app publisher touching EU users will have to comply with GDPR.  

There are no exceptions.

What is required to comply with GDPR? Where you rely on consent as the legal basis for collecting data (GDPR has other bases, such as processing that is necessary to deliver the game the user asked for, but analytics, advertising and profiling will mostly come down to consent), that consent must be freely given, specific, informed and unambiguous, signalled by a clear affirmative act, and you must be able to demonstrate that it was given. That means no more default Terms of Service opt-ins or pre-ticked boxes, and a lot more post-install prompts. Users can withdraw consent as easily as they gave it, so on each app start you'll need to check that a valid consent is still on record before any collection happens. GDPR also requires you to notify your supervisory authority within 72 hours of becoming aware of a personal data breach, and affected users without undue delay when the breach is likely to put them at high risk. Finally, GDPR gives every user rights you must be able to service (access to their data, correction, erasure, portability and objection), which means maintaining an ongoing relationship with every user built around how you handle their privacy.
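As an added illustration (not code from this post, and not AgeCheq's service), here is a minimal consent gate in Python of the kind the child-age items and the consent paragraph above describe: it refuses collection by default, records a purpose-specific consent tied to a policy version, requires a parent's consent below the country's age threshold, forces a re-ask when the policy version changes, and honours withdrawal. The policy version number, the `analytics`/`ads` purpose names, the ISO country codes and the list-backed telemetry sink are assumptions for the example; the age table carries only the two values the post gives (the GDPR default of 16 and the UK's 13).

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import FrozenSet, Optional

# Age below which a parent must give consent on the child's behalf.
# GDPR's default is 16; the post says the UK intends to stay with 13.
# Other member states fall back to the default here (assumption: a real
# table would list every member state's chosen age by ISO country code).
DEFAULT_DIGITAL_CONSENT_AGE = 16
DIGITAL_CONSENT_AGE = {"GB": 13}

# Assumption: bumped whenever the privacy policy or the set of purposes changes,
# so that consent given to an older version does not silently carry over.
PRIVACY_POLICY_VERSION = 3


@dataclass
class ConsentRecord:
    purposes: FrozenSet[str]          # e.g. {"analytics", "ads"} (assumed purpose names)
    policy_version: int
    granted_at: Optional[datetime]
    parental: bool = False            # True when a parent, not the child, gave it
    withdrawn_at: Optional[datetime] = None


@dataclass
class User:
    country: str                      # ISO 3166-1 alpha-2 code (assumption)
    age: int
    consent: Optional[ConsentRecord] = None


def needs_parental_consent(user: User) -> bool:
    """True if the user is under the digital-consent age for their country."""
    threshold = DIGITAL_CONSENT_AGE.get(user.country.upper(), DEFAULT_DIGITAL_CONSENT_AGE)
    return user.age < threshold


def record_consent(user: User, purposes, parental: bool = False,
                   now: Optional[datetime] = None) -> ConsentRecord:
    """Store an affirmative, purpose-specific consent given to the current policy.

    Refuses a child's own consent where a parent's is required, and refuses an
    empty purpose list (a blanket 'I agree' is not specific consent).
    """
    if needs_parental_consent(user) and not parental:
        raise PermissionError("parental consent required for this user")
    if not purposes:
        raise ValueError("consent must name at least one purpose")
    user.consent = ConsentRecord(
        purposes=frozenset(purposes),
        policy_version=PRIVACY_POLICY_VERSION,
        granted_at=now or datetime.now(timezone.utc),
        parental=parental,
    )
    return user.consent


def withdraw_consent(user: User, now: Optional[datetime] = None) -> None:
    """Withdrawal must be as easy as giving consent: one call, no questions asked."""
    if user.consent is not None:
        user.consent.withdrawn_at = now or datetime.now(timezone.utc)


def may_collect(user: User, purpose: str) -> bool:
    """The check to run at every launch and before every data-collecting call.

    Default is deny: no record, a withdrawn record, a record for an older policy
    version, or a child's self-consent where a parent's was needed all fail.
    """
    c = user.consent
    if c is None or c.withdrawn_at is not None:
        return False
    if c.policy_version != PRIVACY_POLICY_VERSION:
        return False
    if needs_parental_consent(user) and not c.parental:
        return False
    return purpose in c.purposes


def send_event(user: User, purpose: str, event: dict, sink: list) -> bool:
    """Telemetry wrapper: the event only reaches the sink if the gate opens.

    `sink` stands in for the real transport (assumption) so the behaviour can be
    checked offline; returns True if the event was forwarded.
    """
    if not may_collect(user, purpose):
        return False
    sink.append({"purpose": purpose, **event})
    return True
```

The point of routing every collection call through `may_collect` is that a missing, withdrawn or stale consent fails closed, and the stored record (purposes, policy version, timestamp, who gave it) is exactly the evidence you need to demonstrate consent to a regulator.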

Imagine a world where every game studio created their own method for managing GDPR user consent and breach notice.  Users would quickly tire of dealing with different logins, wording, and usage flows that would result from many companies solving the same problem in slightly different ways.  

The numerous GDPR-required interactions between publisher and user (and sometimes children) cry out for a ‘common consent mechanism’ similar to the system AgeCheq launched for COPPA compliance several years ago.  In fact, AgeCheq recently added GDPR compliance to the features of its service, freeing studios to devote their engineering resources toward making great games rather than building and maintaining bespoke compliance systems.  Due to the enormous size and scope of the market and the compliance friction brought on by GDPR, I’m certain many other companies will offer similar GDPR compliance systems.

My final thought about GDPR is the timetable. Officially, it applies from 2018, two years after it enters into force. The Commission regards those 24 months as a transition period during which publishers can make the modifications to their businesses and software needed to comply with GDPR. Some member states, notably France, have indicated their desire to shorten the grace period to just 12 months. One of the requirements of GDPR is "data protection by design and by default" (Article 25), the concept of building privacy protection into a product through its entire lifecycle, with the most privacy-protective settings as the default, instead of tacking on a privacy policy two days before release.

My recommendation would be for studios to have their legal/compliance people deeply understand the requirements of GDPR and begin implementing whatever compliance tech you choose in new games that you intend to publish in fall 2016. That will give you defensible proof of “designing for privacy” and allow you to comply with early adopters like France, fine tuning user flows without the pressure of last minute ‘under the gun’ changes.

Keeping in mind that each EU member state has its own supervisory authority with the power to levy these fines, I think GDPR is far more likely to be aggressively enforced than COPPA has been. Studios that ignore GDPR until the 11th hour are most likely to become the first 'examples' when enforcement begins.
