The internet has dramatically changed the way that games operate, and the amount of data that they collect. In the days of the arcade, the most data that a game would collect from a player would be their initials to put at the top of the leaderboard after a particularly good game.
Now games are capable of collecting much more data from a player. Identifying information like emails, names, geolocations, login times, play session information, payment information, and much more can be collected and used by the game. On the somewhat benevolent side, a developer can use this data to improve the game experience by taking play data and using it to balance the game. On the darker side of things? Advertisers will often be willing to pay for this information.
With all of this in mind, it’s important to keep the player’s privacy in mind as a game developer. Even large publishers like Microsoft have run into trouble over this, including a $20 million fine from the FTC for collecting children’s personal information without notifying their parents.
It is essential that you have policies in place that enable the safe and confidential treatment of player and employee data that is also compliant with the various regulations in the markets you will be interacting with. If you’re working on a single-player game that plays offline and doesn’t collect data from a play session there’s probably not much to worry about, but once you start working with connected accounts and online play it becomes very important to make sure you’re not violating any global regulations concerning your customer’s privacy.
The Patchwork of Internet Privacy Law
The United States does not have a single controlling federal law concerning internet privacy. Only three states (California, Virginia, and Colorado) currently have comprehensive data privacy laws. While this may be fine if you’re operating a small store that only collects customer emails for promotions and only operates in one state, video games are an internet business that touch every state. Accordingly, it’s important that you maintain compliance with all of the relevant privacy laws. Since California currently has the most comprehensive laws, that’s where much of our focus will be.
Further complicating things, the internet is a global network. The General Data Protection Regulation (GDPR) is a regulation that was passed in the European Union. If you’re a game developer selling your games online, it also applies to you since you offer services to the EU.
Since there are a lot of privacy laws and they can be massive, this is only intended to be a brief primer on some of the major ones.
FTC Unfair and Deceptive Trade Practices
While the United States does not currently have a uniform body of law surrounding internet privacy, the Federal Trade Commission (FTC) will enforce against some privacy violations. The FTC is an agency of the United States government primarily focused on antitrust law and consumer protection. Because of this consumer protection goal, they have taken an interest in protecting consumer privacy, and have taken action against video game developers in the past, such as fining Epic Games $275 million for violating children’s privacy law.
The FTC has made it clear that if you tell customers that you will protect their data, you must do so. Violations of your privacy policy will be considered unfair and deceptive trade practice and will be actionable by the FTC. Likewise, omission of the fact that you are collecting data is deceptive. As such, you have to tell consumers that you are collecting data and how it is to be used.
The Children’s Online Privacy Protection Act (COPPA) was passed in 1998 and became effective in 2000. It is federal law that is enforced by the FTC and is probably the closest thing to a uniform federal on internet privacy. It imposes certain requirements on operators of websites or online services (including games) who knowingly collect data from children under the age of 13 or direct their games toward children under the age of 13. And no, your game being rated T for teen, indicating that the game is for ages 13 and up, does not automatically mean you can assume that it won’t be deemed to be directed towards children. This data can include the user’s name, phone number, email, unique identifier, geo-location, or any other information that could be matched to a child.
Compliance with COPPA must be built into the design of your player onboarding experience. Compliance requires age gating, then parental consent for users under the age of 13.
Age gating must be neutral. That is, it must ask for the user’s birthdate, not whether they are over 13. If the user fails the age gate, then they can’t get any indication that they failed the birthday screen. They must be taken to another game-related experience that does not collect information (such as a limited offline version of the game) until they have parental consent, and they can’t be allowed to go back and try again.
Parental consent is typically verified in one of two ways. The first is called “email plus.” This is where a parent receives an email explaining that the child is seeking permission to play the game with a link to the privacy policy. A follow-up email is sent a few days later, the “plus” portion. The other less popular method is through verifiable parental consent. This can be done through a phone call, a signature on a form, a credit card transaction, or another method that is verifiable. This must be done whenever the child’s information will be used beyond internal use. In either case, the parent must get clear language about what information is being collected and how it will be used, what third parties will have access to the information, how the consent will be given and revoked, and more.
The European Union has a regulation called the General Data Protection Regulation (GDPR) that you probably heard of a few years ago when every account you ever made sent you an email telling you they updated their privacy policy. GDPR is a large regulation, containing 99 articles and recitals, though most of them do not apply to game developers and publishers. It does contain requirements that game developers should comply with, and the fines for non-compliance are substantial.
First of all, GDPR can still apply to you even if you do not live in the EU. Article 3 lays out the territorial scope of GDPR. It applies to you and your studio if you offer goods or services to people in the EU, or you monitor their online behavior.1GDPR Art. 3 Section 2 Since video games are largely an online business, you are offering goods or services to people in the EU and are subject to its regulations. GDPR also defines personal data very broadly, so any data collection should be compliant.
GDPR establishes eight main rights concerning privacy and online data. They are:
- The right to access personal data
- The right to be forgotten
- The right to data portability
- The right to be informed
- The right to have information corrected
- The right to restrict processing
- The right to object
- The right to be notified if there is a data breach.
These rights could be their own article. For now, at least, it’s important to understand that these rights exist for your customers and that you need to respect them.
Compliance with GDPR can be complex. You are required to document any and all data that you process that is subject to the GDPR. Additionally, you must provide clear privacy notices and obtain consent when necessary. In keeping with the listed rights, you must provide removal and erasure procedures as well as the ability to opt out of data collection. GDPR is one of the most expensive regulations concerning privacy, and compliance is a continuous effort that will touch every part of your studio.
CCPA and CPRA
While California is only one of three states with comprehensive data privacy laws, theirs are by far the most comprehensive, which means compliance with California’s laws will usually mean you’re compliant with the others. It was amended by the California Privacy Rights Act (CPRA) which took effect at the start of 2023 and added additional privacy protections. It applies if you have data of more than 100K Californians, or at least half of your revenue comes from selling consumer information. It’s better to be prepared before hitting the threshold of California residents.
CCPA and CPRA create a list of rights similar to GDPR’s. These are:
- Right to know what personal information is collected, why, and who it is sold to
- Right to delete personal information
- Right to opt-out of the sale of personal information
- Right to opt-in to the sale of personal information for consumers under the age of 16
- Right to non-discriminatory treatment for exercising any rights here
- Right to initiate a private cause of action for data breaches
The CPRA added the following rights:
- Right to correct inaccurate personal information
- Right to limit use and disclosure of personal information
Compliance with CCPA is similar to GDPR. You can only collect data that is necessary for the purpose stated by your business, and you can only keep it for as long as is necessary for that purpose. You must include a “Do Not Sell My Personal Information” link on your website that allows customers to opt out of the sale of data, as well as an accompanying toll-free number. You must also include a statement in your privacy policy regarding the rights of California residents to opt out of the sale of their data. Your privacy policy should also be updated and reviewed every 12 months.
Conclusion
Privacy laws can seem incredibly daunting, but ultimately they have become necessary in our highly connected world. There are a variety of laws throughout the world to keep an eye on. The easiest solution is to stay on top of it before things go wrong or you start collecting enough data to become subject to a new set of regulations.