Six practical tips to help game developers and publishers avoid regulatory fines, civil lawsuits, and negative PR.
Emerging data privacy regulations are increasingly restricting how organizations collect and process personal information. Game developers are no exception – particularly given the type of data they collect, who they collect it from, what they do with it, and who it is shared with (either knowingly or inadvertently).
The stakes for non-compliance can be extremely high. Those found to be in violation of data privacy and protection laws may be subject to substantial fines in one, or potentially multiple jurisdictions. Since regulatory breaches are often made public, civil lawsuits and negative publicity may soon follow. Under certain circumstances, board members may be personally liable.
Aside from current compliance requirements, game developers should stay informed about emerging regulatory changes and how they affect long-term profits. Games as a Service (GaaS), in particular, need to be future-proofed against new privacy legislation and data security risks to maximize the longevity of their returns.
Preemptively addressing privacy risks can cut down on long-term operational expenses, while reacting too late could require overhauling a game’s code or re-drafting the privacy policy. Other potential pitfalls for those who are not proactive include unanticipated project costs, slipped deadlines, frustrated users, and employee morale issues. In some cases, games have been shelved altogether. When GDPR came into force in the EU, Edge of Reality’s Loadout and Uber Entertainment’s Super Monday Night Combat were literally shut down due to the costs associated with achieving compliance.
So, where to start? Game developers must strongly consider implementing a structured privacy program if they don’t have one already in place. The following are just a few elements that should be included:
- Conduct a comprehensive data inventory, classification, and mapping exercise: This should include all data records from games, apps, websites, user forums, marketing communications records, and other sources. Take a close look at the modular and agile development practices your studio uses to develop games by scrutinizing SDKs, third-party engines, and libraries that may be collecting telemetry, personal information, and other user data behind the scenes. Work with an independent privacy advisor to categorize data based on regulatory definitions.
- Understand which data privacy regulations apply to your business: Game developers that process personal information from users in the US, EU, UK, and Canada may need to comply with several privacy laws, including CCPA, COPPA, GDPR, DPA 2018, and PIPEDA. Other U.S. states and Canadian provinces have either tabled or enacted modernized privacy regulations, which will likely come into effect soon. Current and future implications of these laws should be anticipated in the game design process, its code, networking, and back-end infrastructure.
- Monitor websites, forums, and apps: Task an internal or external resource to monitor your websites, forums, and apps for regulatory and distribution platform compliance. Your consent management platform should be customizable and kept up to date as regulations evolve across all jurisdictions. Periodically conduct static and dynamic analysis of gaming apps to document data flows and uncover behavior that is non-compliant with regulations or platform policies. Several major app providers have come under intense scrutiny for sharing personal user data – sometimes unknowingly.
- Re-evaluate the impact of data processing practices: Adopt forward-thinking models for managing user identities, transactions, and data. For example, some games collect data on user preferences or utilize in-game chat, avatar attributes, and other data to shape the player experience or serve targeted advertisements. While such data points might seem harmless in the context of telemetry, the increased use of geospatial data and its inclusion in customer profiles could have severe implications. As a rule of thumb, data collection should be limited to specified, explicit, and legitimate purposes.
- Ensure your policies are compliant, accurate, and current: Companies that have documented false or inaccurate statements in their privacy policies have been subject to significant fines from data privacy regulators and competition bureaus. Developing a strategy to align your company’s privacy policy, cookie, and data processing practices will reduce financial risk and create opportunities to build a trusted brand. Remain current on third-party SDK privacy policies to ensure end-user consents are compliant. In view of the dynamic nature of data privacy regulations, policies should be monitored for ongoing compliance across all covered jurisdictions.
- Train your staff on data privacy and protection: EU privacy laws require organizations to conduct “the appropriate data protection training [for] personnel having permanent or regular access to personal data.” Under California law, regulated businesses must provide CCPA training to employees who handle consumer inquiries regarding company privacy practices, as well as anyone responsible for CCPA compliance. Web designers, community managers, back-end developers, and marketing staff should be considered a high priority for privacy training. Since nearly every department plays a role in data privacy and protection, consider a company-wide program.
Implementing effective data privacy and protection cannot be achieved through independent projects alone. Given the interconnectedness of data and policies both throughout an organization and with third parties, a strategic approach to privacy should be embedded within a company’s operating model and culture.
Vayle can help develop your privacy program. Schedule a no-obligation consultation with one of our Data Privacy Advisors today.