The past few months have seen some pretty devastating enforcement actions against companies that have improperly handled or ignored user privacy. In June, the FTC fined mobile ad network InMobi $4M (reduced to $950K because $4M would have bankrupted the company). In September, the New York State Attorney General fined Hasbro, Mattel, Viacom and others $950K for violating the US COPPA regulation. This week, the Texas Attorney General announced enforcement against the publishers of the ‘Jott’ app. Yes, that’s right, individual states can also enforce COPPA – a preview of the way GDPR will be enforced by both the European Commission and each of the European Union member states.
And if you are UK-based and wishfully think you won’t be subject to GDPR because of Brexit, that’s wrong; in fact, it’s likely that whatever privacy regulation the UK ends up adopting will be as restrictive or possibly more restrictive than GDPR. The new treaty governing data transfers between the US and EU is called 'Privacy Shield' and it essentially mirrors the protections of GDPR.
As most publishers are just beginning to become aware of GDPR and its ‘game changing’ privacy compliance requirements, their attention has understandably focused on what to do with existing games and sites that will require updating before May 2018 in order to comply. But in this blog I wanted to talk about an underlying concept built into GDPR that very few companies have begun to consider.
Article 25 of the GDPR requires publishers to build proper handling of user privacy into everything they create going forward. This initiative is sometimes called ‘Privacy by Design’ or ‘Privacy by Default’. Not only do you have to retrofit your existing apps and sites to gather and manage user consent, you are required to build proper privacy controls into every new product you offer. Let that sink in a minute…
On Sept. 6, the Bavarian Data Protection Authority issued a press release clarifying many points about enforcement of the GDPR. Specifically, they noted that failure to implement “Privacy By Default” is considered a violation and therefore subjects a publisher to potential enforcement fines.
Quoting from the translation (my highlighting): “In addition, organizations should carefully note the imposition of fines due to violations regarding technical and organizational measures and the principles of privacy by design and privacy by default. Organizations should ensure that appropriate technical and organizational measures are in place and that they have appropriately implemented the principles of privacy by design and privacy by default before the GDPR becomes effective in 2018.”
What does this mean? It means with 84 weeks left until GDPR enforcement begins (as of 10-5-2016), not only do you have to upgrade each of your existing user touchpoints to handle user privacy properly, but your entire development pipeline has to be revisited to make sure you are GDPR compliant as well.
That is going to be a very daunting task.
As my company focuses on GDPR and COPPA compliance, we have a unique view into the activity of the game publishing market, and I can tell you that the publishers we are working with are continually surprised at the degree to which privacy concerns affect their development, marketing, user acquisition, and support efforts.
Human nature leads many to think ‘I have almost two years to deal with this, I’ll do it next year’, but if you take a realistic look at the number of weeks required for privacy impact assessments (a GDPR requirement for larger companies), development of a complete implementation plan, creation, testing and verification of technical solutions, and finally in-house testing and customer rollout, the 84-week timetable is workable, but not luxurious.
For publishers with more than a few active games, the required effort will be multiplied by the number of games that need to go through the process. They will likely need to create an internal ‘GDPR swat team’ that works with the product management and dev teams of each game to deliver a rapid and consistent compliance approach. I have no doubt that some publishers will find it easier to kill underperforming games in their portfolio than to expend the resources necessary to bring them up to GDPR compliance.
A ‘gotcha’ that further tips the scales toward killing current games is the fact that PII captured without GDPR-compliant user consent (i.e. most of your current data) could trigger a privacy enforcement action after May 23, 2018 unless you reach back out to users to get their consent (this is called ‘repermissioning’). This makes a great argument for switching to GDPR-compliant notice and consent as soon as possible, because every day you wait gives you one more day’s worth of PII that will require repermissioning in the future.
Everything I’ve discussed so far relates to ‘in-house’ privacy processes and technical solutions that are within your control. In this respect, GDPR refers to you, the publisher, as the “Data Controller”. But GDPR was written specifically to address the fact that most apps and websites use services from third parties that also have the ability to impact user privacy. The prime example is ad networks that may track user activity or location. GDPR calls these third-party companies “Data Processors”. Even if your game and backend data processes have been fully scrubbed and are GDPR compliant, if you use a third-party SDK or ad network that violates the law, you are on the hook. So validating the compliance of everything you build into your games is another time-consuming action item that few people are considering.
What will it cost a game publisher to comply with GDPR and Privacy Shield? Of course, I can’t provide an exact number, but based on the list of required activity above, it will not be a nominal number. Fortunately, it’s a one-time pain if your compliance efforts also include designing privacy into your development pipeline. My guess is that the cost of converting existing games will be so high that only the top grossing games will be updated. This may have an interesting effect of temporarily clearing the market of a lot of underperforming games, making it slightly easier to launch new privacy-friendly games into the void.
So to summarize:
- Interlocked global privacy laws are coming fast and can’t be skirted or avoided like COPPA.
- Publishers should budget now for a lot of compliance activity in 2017. There will be an increasing rush of late starters that will increase the costs due to high demand.
- The ‘Privacy by Design’ requirement obligates publishers to verify proper handling of privacy, user notice and consent, the ‘Right to be forgotten’, and breach notice for all of their future offerings, not just those in the market today.
- Publishers who ‘get privacy right’ will enjoy market advantages due to enhanced user trust.
- Yes, it’s true – privacy compliance is going to incur costs, both operationally (assessments, operational and technical changes required for compliance) and engagement losses from the friction caused by required notice and consent.
- Avoiding the ‘privacy wave’ is no longer possible. The number of laws and enforcement agencies is increasing rapidly. Fines are ‘career-ending’ for GDPR (up to 4% of global gross revenues).
Update 7/10/2016 - Here's a useful "Privacy By Design" checklist put together by our CIPT Futurist. It summarizes the key actions needed to fulfil PbD, with clickable links to the actual GDPR text relating to each item. http://www.consentcheq.com/index.php/pbd-checklist/