Game Developers : GDPR and Privacy Shield Will Rock Your World
Things have really been popping in the world of privacy and regulation since my December post about the FTC’s long awaited COPPA enforcement actions. The vast majority of mobile game publishers have sidestepped COPPA by using a variety of strategies. Except for a few minor FTC COPPA enforcements, the mobile game market has been unaffected by user privacy regulations, but that’s definitely going to change a lot in 2016.
Big changes in US-EU Data Protection Agreements - Safe Harbor is out, Privacy Shield is in.
As I predicted in my Oct 28 blog, the “Safe Harbor” disconnect between the EU and the US moved much closer to being resolved with the joint announcement of a replacement agreement that is called “Privacy Shield”. Final acceptance might involve more negotiation but resolution is expected sometime this summer. It now appears that the odd and impractical requirement to store EU user data on EU soil I warned about will not be necessary. Of course, there are those who feel the EU capitulated to the US in the negotiations and are urging a ‘re-do’, but I think it’s unlikely that any changes to Privacy Shield to assuage these concerns would be anything other than minor details.
Since formal adoption is six months away, I would recommend that your development teams begin looking into implementing Privacy Shield compliance today for games that will be released this summer.
Even bigger changes in EU Privacy regulations – the General Data Protection Regulation (GDPR) is replacing the 21 year old Data Protection Directive.
Following at least four years of effort by the European Commission, a major update to the EU’s basic privacy laws was adopted by the European Parliament in December 2015. GDPR is definitely going to affect every mobile game publisher that has even a single user in any of the EU states. Unlike the 21 year old ‘directive’ it replaces, GDPR is a regulation that will be enforced and there are severe penalties for violations.
GDPR is a very wide ranging regulation that governs all aspects of EU personal data collection and management by websites and apps. It has a child privacy provision that is quite similar to COPPA, with the following notable exceptions:
- GDPR does not have any of the ‘loopholes’ that most game developers have used to avoid complying with COPPA– there’s no “Actual Knowledge”,”Internal Operations” or “Directed At Children” escape hatches. GDPR is very clear. If kids will be using your game, you need to handle their privacy properly.
- What age defines a “kid”? While COPPA defines a child in any U.S. state that is under 13 as needing parental consent, GDPR defaults to age 16 but allows each EU member state to choose their own age of ‘consent’. Some like the UK have already declared they will stay with 13.
- Member states can also specify the acceptable methods publishers can use to positively identify parents.
In essence, for a game studio, this means GDPR equates to potentially 28 new versions of COPPA, each with its own age of consent, language, and methods of parental verification. Oh, and the penalty for not complying with GDPR? It’s up to 4% of your company’s annual revenue.
But GDPR actually goes a lot farther than COPPA, because it applies to every app, game and website that touches EU users. Let me repeat that.
Every mobile game and app publisher touching EU users will have to comply with GDPR.
There are no exceptions.
What is required to comply with GDPR? Publishers are required to get “explicit and affirmative consent” before gathering any user data. That means no more default Terms of Service opt-ins, and a lot more post install pop-ups. Of course, on each app start, you’ll need to verify that the user has given their consent. GDPR also requires you to notify regulators within 24 hours if you experience a data breach. GDPR requires studios to maintain an interactive relationship with every user that is based on your handling of their privacy.
Imagine a world where every game studio created their own method for managing GDPR user consent and breach notice. Users would quickly tire of dealing with different logins, wording, and usage flows that would result from many companies solving the same problem in slightly different ways.
The numerous GDPR-required interactions between publisher and user (and sometimes children) cry out for a ‘common consent mechanism’ similar to the system AgeCheq launched for COPPA compliance several years ago. In fact, AgeCheq recently added GDPR compliance to the features of its service, freeing studios to devote their engineering resources toward making great games rather than building and maintaining bespoke compliance systems. Due to the enormous size and scope of the market and the compliance friction brought on by GDPR, I’m certain many other companies will offer similar GDPR compliance systems.
My recommendation would be for studios to have their legal/compliance people deeply understand the requirements of GDPR and begin implementing whatever compliance tech you choose in new games that you intend to publish in fall 2016. That will give you defensible proof of “designing for privacy” and allow you to comply with early adopters like France, fine tuning user flows without the pressure of last minute ‘under the gun’ changes.
Keeping in mind that each member of the EU has its own enforcement agency, I think GDPR is far more likely to be more aggressively enforced than COPPA has been. Studios that ignore GDPR until the 11th hour are most likely to become the first ‘examples’ when enforcement begins.