Tik Tok goes the privacy enforcement clock. Still think your games are immune to privacy concerns?

GameDev privacy expert Roy Smith returns from a two year blogging hiatus to cover the rapidly changing world of global privacy regulations, enforcement actions, and how the "privacy tsunami" impacts game development going forward.

Roy Smith, Blogger

July 8, 2019

Hello again, Gamasutra! It’s been over two years since I’ve posted to this blog. When we last met, GDPR was just a radar blip over a year in the future, very few game publishers were concerned about privacy or even child privacy, and it was big news that class action lawsuits were filed against Disney and Killoo on the basis of COPPA (the US child privacy law). I decided to give Gamasutra a break until things changed enough to make my rants here more meaningful to the Gamasutra audience.

So, what happened in those two years? Well, in the EU, GDPR came into force last May and the world waited for the European Union to dish out some of those nasty career-ending fines that filled the headlines. Regulators started the ball rolling in November, calling out a French ad network for improper transparency and consent. Then in January, both Facebook and Google were cited, with Google getting a €50M fine. As of today, 91 fines have been levied, totaling €56M. Facebook is facing not just one, but several multi-billion euro fines for privacy improprieties.

Some interesting things have happened in the US, too. Remember COPPA? The child privacy law updated in 2014 but never enforced? Last December, the NY attorney general completed its investigation of AOL / OATH with a record-setting $5M fine. Then in February, the FTC announced its largest ever COPPA fine of $5.7M, this time against TikTok (formerly known as Musical.ly). This is big – TikTok has been the most downloaded iOS app for the last 5 quarters. Now the UK is coming after TikTok for the same issues.

Are you beginning to see a trend yet?

While GDPR has triggered many to call for a similar US federal privacy law, numerous states have enacted their own GDPR-style privacy regulations, following the lead of California, which passed its CCPA regulation in August 2018, with enforcement beginning in January 2020. Nevada’s SB220 beats CCPA to the punch, going into effect four months from now, in October. New York’s SB S5642 privacy law is expected to pass any day, and it’s notable for being very tough on adtech and for permitting class actions against companies that violate it. Other states working on privacy regulations include Connecticut, Hawaii, Illinois, Louisiana, Maine, New Jersey, New Mexico, Pennsylvania, Texas, Rhode Island, North Dakota and Washington.

If you have read this far and still think a “wait and see” approach to handling privacy properly is best for your business, my advice is “good luck with that”. The “Privacy Tsunami” I spoke of two years ago is now crashing ashore, flattening everything that tries to stop it, including the very powerful advertising and marketing technology companies that rely on tracking and surveillance to drive their businesses.

How should a game publisher respond to all of this? I have two pieces of advice.

First, have your development teams verify that your games adhere to the philosophical goals of “Privacy By Design”. This common-sense strategy simply looks at privacy from the user’s perspective: keeping your data collection to a minimum, clearly informing users about what you’ll collect and how you’ll use and protect it, and getting their consent to collect and use it. As you know, the standard operating procedure for games until now has been to use any means available to improve user acquisition, retention and monetization – often including privacy-invasive tracking, data mining and other acts.

The PBD principles are baked into GDPR, ePrivacy, the US state regulations and all of the related regulations around the world – LGPD in Brazil, PDPA in India, the APA in Australia, etc. If your apps operate under these guidelines, you’ll have much less trouble complying with privacy laws, and as a side benefit, your users will trust you much more, because the operations of your games prove to them that you really do respect their privacy rights.

My second recommendation would be to accept these facts and adjust your future accordingly:

  • The “Privacy Tsunami” is not a one-time event like Y2K was. The world is never going back to the pre-Tsunami days, and you’ll be building privacy compliance into every game you publish going forward.

  • As a result, there’s going to be some new friction in your onboarding pipeline and game flow – your hard-fought statistics will go down slightly.

  • From here on, privacy compliance is a necessary backend function of your games, just like analytics, crash reports and attribution verification.

It’s certainly possible to craft games that gather no private data as a way to avoid all this. Even simply minimizing the amount of private data you gather will help, but I think most modern games will always require some user data to be competitive in the marketplace, and therefore privacy compliance is going to be part of the equation. If you monetize with ads, it's almost certain that the ad technology will be accessing private information on the user's device, and you, the publisher, are considered responsible.

Fortunately, the requirements of COPPA, GDPR, CCPA, NYPA, SB220 and the other new privacy regulations are quite similar and (unsurprisingly) they follow the Privacy By Design philosophy. One common requirement is that a publisher must offer users an easy way to manage their privacy rights. Rather than force users to create and manage separate privacy logins and UX for each individual game or publisher, the obvious solution for the game industry is a common privacy dashboard where users can manage their privacy for many games from many publishers. This is called a “common consent management” function, and my company got the FTC to explicitly approve the concept five years ago.

Summing up my two-year absence: when I look back at the topics I blogged about, many of the predictions I made have come to pass, but they took longer to happen than I thought they would. On the other hand, once GDPR actually took effect, the pace of activity (such as the US states exploding into action creating their own GDPR versions) has been surprisingly fast. The pending multi-billion fines against Google, Facebook and other multinationals will only increase the tsunami action as they hit the headlines.
