On May 25, a new law called General Data Protection Regulation (GDPR), the general data protection regulation, came into force in the European Union. GDPR provisions should strengthen the protection of personal data of residents of all EU countries, but, according to experts, the new regulations will complicate the lives of developers and publishers of video games.
The Purewal&Partners law firm, at the request of the Games Industry publication, analyzed the new document and the impact that GDPR now has on the gaming industry.
Background of the law
The European Parliament approved the GDPR back in 2016.
The GDPR Regulation replaced the Data Protection Directive that had been in force since 1995.
Unlike the predecessor directive, the GDPR requirements are not enforced through the local legislation of the EU member states, but act as a universal and binding law throughout the eurozone.
Violation of the law threatens with a fine of up to €20 million 4% of the company’s global revenue for the previous year.
Who exactly do the GDPR rules apply to?
The regulation applies to all companies (located in the European Union and beyond) that collect personal data of EU residents and residents.
What is “personal data”?
Any information that can help determine the identity of a particular person. Name, physical address, email address, gender, age and health status. In addition, personal data may include IP addresses, geolocation data, and so on.
Who are data controllers and processors?
GDPR introduces the concepts of data controller and data processor.
The controller decides what happens to the personal data and is responsible for processing. The processor collects data for the controller.
In a nutshell, what exactly will change after May 25?
- Data protection authorities will have more powers to control and regulate the collection of user information. For violations of the law, they will be fined more harshly. The process of data collection for companies will also become more complicated — firms will not be able to collect some information even with the consent of their customers.
- Companies will have to update their policies on the use and protection of user data and make it a priority in business development. How this will be implemented is still unclear.
“Small and medium—sized companies will monitor the actions of industry leaders and the reactions of regulatory authorities to these actions,” Purewal & Partners comments.
What does the gaming business have to do with it?
Many companies in the video game sector use user data to analyze title indicators, game optimization, increase monetization, and so on. Due to GDPR, it will become more difficult to collect and process information. This may affect the industry in the following ways:
- The law requires developers and publishers to make the protection of user data their priority. This should be reflected in agreements with users, which will have to be reworked to GDPR standards.;
- Creators of free-to-play mobile games may face additional difficulties because they are highly dependent on user data. It may become more difficult for companies to monitor such important metrics as DAU/MAU/ARPU/ARPPU, as well as data on user retention and engagement;
- The implementation of GDPR requirements will require costs to provide technical capabilities, train personnel, appoint responsible persons, and so on. The cost of data protection will affect the cost of video game production.
The implementation of GDPR leaves a number of questions. For example, how to force those companies that do not have physical representative offices in the European Union to comply with the regulations?
Or who should video bloggers and other influencers be considered as controllers or processors of user data?
Frequently Asked Questions in connection with GDPR
We are a game studio, and we have a contract with a publishing house. Who should be responsible for compliance with GDPR standards?
It depends on the terms of the contract. Most likely, the publisher will assume most of the responsibility, because he usually decides what to do with the collected data. But the developer also has obligations as a data collection processor. If you publish the game yourself, then all responsibility lies with you.
We host our games on Steam, iTunes and other platforms for online distribution. Who should comply with GDPR in this case?
If you collect user data through the platform, you are responsible. If the platform collects your players’ data for its own purposes, then the platform.
We are an esports team and cooperate with different leagues and broadcasting channels. Who is responsible for GDPR compliance?
You are responsible for the data that you collect as part of your business activity. As for relations with leagues and broadcasting organizers, the responsibility depends on the terms of your cooperation and partnership obligations. Do not forget that you are still responsible as a data collection processor.
We only collect anonymous data. Does GDPR concern us?
Yes. Companies cannot ignore the data protection law. Even if you collect anonymous data, you must confirm this and prove that the collected information does not indicate the identity of your users.
We receive all data through third-party services. So GDPR compliance is their concern, not ours?
No. If they collect data about your users on your order, then the responsibility lies with you as the data controller. Of course, data collection operators also bear part of the responsibility as processors. If you use their services, we recommend checking whether your contract meets the GDPR requirements.
We are outside the eurozone and therefore we believe that EU laws do not apply to us. Can I not worry about GDPR?
No, the GPRD regulations must be implemented by all companies that collect data from EU residents. In addition, it cannot be excluded that similar GPRD laws will be adopted in other parts of the world in the near future, so it is better to prepare in advance.
Also on the topic: