Many entities in the gaming industry believe that they process little or no personal data. This belief can be misleading. We discuss what gaming companies should look out for in practice to avoid the risk of financial penalties.
Selling a game through a sales platform is not the only time players’ personal information is acquired. Games are becoming more and more technologically advanced and are increasingly encroaching on users’ privacy. Today, it is no longer a surprise that for the sake of better entertainment, players are willing to share increasingly sensitive data and, as a result, entities operating in the video game industry are gaining access to a wide and valuable spectrum of personal data.
Where are the data?
Personal data are not just players’ names or credit card numbers, which they provide when registering, for example. Under the EU’s General Data Protection Regulation, personal data can be any information about an identified or identifiable natural person. And an identifiable natural person is a person who can be identified, in particular, directly or indirectly by reference to an identifier such as, for example, an online identifier or location data.
Personal data may also include information collected during the game itself: the game style, the number of calories burned by the user or the number of steps taken, the amount of time spent playing. In practice, the type of data collected will depend on the type of game. For mobile games, a particularly broad range of data contained on the player’s mobile device may be collected (e.g. user contacts, photos). Often, these types of games also offer the possibility to integrate with the user’s social media account.
As part of computer games, it is often possible to chat with other users. Players can create virtual groups or rooms, upload their images, record their voices, or share their geolocation. Apart from being a space for sharing personal data, chat rooms can also be a zone where crimes are committed.
What does it mean?
The fact that a game processes personal data makes it necessary to meet the requirements imposed by the GDPR. The types of data collected and the purposes for which they are used make the list of these requirements quite substantial. Below, we present selected issues which we think are particularly worth paying attention to.
- Information obligation. Pursuant to Art. 13–14 GDPR, a player should be informed that their data are being processed and informed of the method of processing of the data (e.g. to whom the data are transferred, for what purpose they are used, whom to contact in order to exercise rights under the GDPR). Information about data processing should be provided to players when they start using the game. (In practice, meeting the information obligation may be a real challenge, especially in the case of mobile games.) It is also worth ensuring that players are guaranteed constant access to such information, e.g. from their individual profile.
- Basis for data processing. To process data legally, it is necessary to secure an appropriate legal basis. Many times, within a game, special categories of data are processed, such as biometric data. In this regard it will be necessary to obtain the player’s voluntary and explicit consent. The principle of data minimisation should not be forgotten either: pursuant to the GDPR, the data should be adequate, relevant, and limited to what is necessary for the purposes for which they are processed.
- Marketing, profiling. Game operators should be particularly careful about using players’ data for marketing purposes. Depending on the planned activities, regardless of securing an appropriate basis in the GDPR, it may be necessary to obtain the player’s consent to direct marketing messages to them, e.g. to email them newsletters about games. It is also necessary to obtain the player’s consent to use tracking mechanisms for marketing purposes, which will track the user for example in social media.
- Transfer of personal data between the publisher or producer of a game and other entities. Often, players’ data flow between the various entities involved in creation, production and distribution of a game. This flow cannot be carried out freely, but must be properly regulated pursuant to the GDPR, particularly when it comes to transferring data outside the European Economic Area (which in practice is a standard procedure due to the global nature of many computer games).
- Automated decision-making. The GDPR introduces specific requirements to be taken into account where automated decision-making regarding a player occurs (e.g. where players are automatically suspended on suspicion of inappropriate behaviour).
- Processing children’s data. Children are the target group of many games. The GDPR contains specific regulations in this respect. Among other things, they require that messages addressed to children be formulated in simple and clear language, and in certain situations the parent’s consent to data processing must be verified.
An additional difficulty for entities from the video game industry can be that they often operate globally, offering their games to users from all over the world. Therefore, it may be necessary to also take into account local requirements for processing personal data.
So it can be a real challenge to ensure that a game is compliant with the data regulations. Undoubtedly, the first step should be a thorough analysis of data flows (what personal data will be processed, for what purpose, on what basis, to what entities the data will be transferred, whether there will be transfers outside the EEA) in connection with the functioning of the game and its distribution.
Controversy over the TikTok platform
Processing of personal data in connection with the use of mobile entertainment applications, in particular those aimed at children, is of increasing concern. The TikTok platform is an example.
Processing of a very wide range of children’s personal data by this platform has been controversial for a long time and has attracted the attention of regulators. In April 2021, the platform was sued in the UK by the former Children’s Commissioner for England (information about the lawsuit can be found on a site dedicated to this case).
Karolina Romanowska, adwokat, Employment practice, Wardyński & Partners