Presented by OneTrust
With the increase of mobile device users and not to mention, a global pandemic with stay-at-home guidelines, the gaming industry is growing rapidly. In fact, there are an estimated 2.7 million gamers around the world using mobile games which will impact gaming revenue of $77.2 billion in 2020, growing +13.3% year-over-year.
With more than a quarter of the world’s population playing games across PC, console and mobile, we'll take a deep dive into how, when and why you should be looking towards leveraging a Consent Management Platform such as the OneTrust Unity SDK.
The free-to-play (FTP) model, games that give players access to a significant portion of their content without paying, is the new battleground, especially when talking about the mobile gaming space. Because of this, the two most common revenue streams are In-App purchases and advertising with more creative data brokering peppered in. These are obviously not mutually exclusive options with many games offering both to generate revenues. That said, the most prevalent by far is advertising. According to App Annie, nearly 90% of all games across iOS and Google Play currently contain advertising SDKs. That’s an impressive number and you can see why when we as players see advertising as the revenue model of choice as seen in App Annie’s recent U.S. study below.
So what are the regulatory impacts of choosing to serve ads as part or all of your revenue model?
There are too many regulations to cover all of them in this article, so we’ll focus primarily on the GDPR and touch on the CCPA for now and focus solely on the consent aspect – when do you need it? How do you obtain it? What model do you need to follow?
General Data Protection Regulation (GDPR)
The first thing to note when thinking about the regulatory impact and your exposure is that the process of showing an advert/creative to your players does not require consent. Consent only becomes a requirement when Personal Data is being processed and shared and this will absolutely be the case if you are showing any form of personalised advertisements. This is because the ad-tech eco-system will be identifying the individual and their behaviours, preferences and details such as gender with this then being shared throughout the real-time bidding (RTB) process. This makes the advertising inventory much more appealing for Advertisers as they can target specific audiences thereby increasing the cost-per-millie (CPMs) for Publishers.
All of this however constitutes as the processing of Personal Data under GDPR and therefore a lawful bases is required in order to do this in a compliant manner. Legitimate interests is not something that you can rely on, you can see decisions and guidance on this from the Supervisory Authorities such as the ICO and CNIL (authorities for the UK and France, respectively). Therefore, if you are serving personalised ads you must gather consent from the individual.
Consent itself is specifically defined in the GDPR. Article 4(11) states:
“any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”
While Article 7 further defines conditions for valid consent such as:
- keeping records to demonstrate consent;
- prominence and clarity of consent requests;
- the right to withdraw consent easily and at any time; and
- freely given consent if a contract is conditional on consent.
This is all very specific and extremely complex when thinking about the different vendors within the eco-system, so from the gaming perspective how can you ensure you are compliant?
The good news is that the Ad-tech industry has already addressed this challenge, something you likely have seen when browsing a publisher’s sites. It’s called the Transparency and Consent Framework (TCF) and it’s been built by the Interactive Advertising Bureau’s European Chapter (IAB Europe). The framework allows for the gathering of consent against specific purposes of processing that align with the requirements of the ad-tech ecosystem and is heavily used today in the web space – even Google have recently signed up to it. There are three main players in the TCF; the Publisher, Consent Management Platform (CMP), and the Vendors. Each of these has individual responsibilities in order to work together:
- The CMP must provide a complaint TCF banner & preference center that allows users to provide consent and it’s also their responsibility to make that consent available to the wider ad-tech ecosystem to check, something that is done via public APIs.
- The Publisher is responsible for implementing a CMP, whether internal or via a third-party provider.
- The ad-tech vendors are in charge of checking for the user’s consent and preferences prior to processing any personal data.
The advantage of the TCF here is that it makes this whole process seamless removing the need for numerous manual dev integrations.
California Consumer Privacy Act (CCPA)
The important distinction between the CCPA and GDPR is the difference in the required consent model. While the GDPR specifically requires consent to be ‘opt-in’, the CCPA requires companies to allow individuals to ‘opt-out’ of the sale of their personal data which are covered in the following articles of the CCPA.
- 1798.120 (the right to opt-out)
- 1798.135 ("Do Not Sell")
The business impact however is that you’re able to have personalised advertising turned on by default with no prior explicit consent from the player, but you must provide a mechanism for players to be able to ‘opt-out’. This is most commonly seen via a webform and/or a preference center to allow users to turn off this feature and any personalisation of advertising.
The IAB supports the CCPA as well. This time the support comes from a different chapter, IAB Tech Lab, but the premise remains the same. The IAB CCPA framework specifies a US Privacy String that can be accessed and shared throughout the eco-system to ensure a player’s personal data preferences are upheld.
It’s important to say that while we have covered the consent aspect for personal advertising for GDPR and CCPA above there are wider Privacy Rights that you must also address and be conscious of such as the right to data deletion and access to information.
Challenges and Best Practices for In-Game Advertising
The first thing to consider is that the privacy and compliance landscape is a complex and ever- changing environment in today’s world. The GDPR is often called Europe’s first and most successful export for a reason – many other countries are now introducing their own Privacy regulations such as the LGPD in Brazil and PDPA in Thailand. Because of this, it’s definitely worth engaging with a partner that is in the trenches on these to support you in not just getting compliant today but remaining compliant in the long term.
Another challenge for the gaming industry is the platform landscape. You can be deploying and developing across multiple different platforms such as PC, iOS, Android, Xbox and PlayStation. This means that adding consent management into your games becomes a greater challenge versus a CMP rolled out on a website.
Not only do you need to provide a CMP on each platform, to provide a better player experience you need to have these consents and preferences transfer across these different devices and environments. Game development engines such as Unity have provided this capability for the build of the games and so you should look at implementing a solution at this level so that you can keep with the ‘deploy once, develop anywhere’ ethos. It’s also worth looking at a provider that can support with APIs that allow you to take control of the front end to ensure an on-brand and uninterrupted experience while receiving the benefits of consent version control, framework support and flexible data modelling that a top end CMP supplier can provide.
Zachary Faruque serves as a Privacy Solutions Engineer at OneTrust – the #1 most widely used privacy, security and trust technology platform. In his role, Zachary advises companies large and small on EU GDPR, California Consumer Privacy Act (CCPA), Brazil LGPD, and hundreds of the world's privacy laws, focused on formulating efficient and effective responses to data protection requirements as well as building and scaling privacy programmes. Zachary is a Certified Information Privacy Professional (CIPP/E).