Game companies should be aware of the General Data Protection Regulation (GDPR) and how it applies. The GDPR is a regulation that was passed in the European Union (EU) in 2016 and went into effect in 2018. It is designed to protect the privacy of EU citizens and their personal data.
In this blog post, we’ll provide an overview of GDPR compliance for game companies in 2023, including what it is, who it applies to, and the steps you can take to ensure compliance.
What is the GDPR?
The GDPR sets out the rules for how businesses should handle the personal data of EU citizens. It gives individuals more control over their personal data and requires businesses to be transparent about its collection, use, and processing.
Who does GDPR apply to?
The GDPR applies to any business processing EU citizens’ personal data, regardless of where the business is located. This means that if your game collects any personal data from EU citizens, such as their name, email address, or location, you must comply with the GDPR.
Steps for GDPR compliance
Compliance with the various rules and regulations under the GDPR requires you to take steps in several different categories. I’ve broken them down here:
- Understand the types of personal data you collect: The first step in GDPR compliance is to understand the types of personal data your game collects. This not only includes the data collected directly from users, but also data collected through cookies, tracking pixels, or other third-party tools.
- Obtain user consent where required: Under the GDPR, in certain situations (where you don’t have an alternative legal basis – see below) you must obtain explicit consent from users before collecting, processing, or sharing their personal data. You must also provide users with clear and concise information about what data you collect and how you use it, so consumers can make an informed choice. You also need to provide a method to withdraw that consent at any time!
- Ensure data security: Under the GDPR, businesses are required to implement appropriate data security measures to protect personal data. This can include measures such as encryption, access controls, or regular security audits.
- Provide data access and deletion: Under the GDPR, individuals have the right to access their personal data and request its deletion. Game companies must have processes in place to provide users with access to their data and to delete data upon request.
- Designate a data protection officer: Businesses processing large amounts of personal data or sensitive personal data are required to designate a data protection officer. This person is responsible for ensuring compliance with GDPR and providing guidance on data protection matters.
Complying with GDPR is important for game companies that process the personal data of EU citizens. By understanding the types of data you collect, obtaining user consent where required, ensuring data security, providing data access and deletion, and designating a data protection officer, you can better ensure compliance.
Under the GDPR, data controllers must have a legal basis for processing personal data. There are six legal bases for processing personal data under GDPR, each of which has its own requirements and limitations.
- Consent: This is a common legal basis for processing personal data, and it requires that the data subject has given explicit, informed consent to the processing of their personal data for a specific purpose. This consent must be freely given, specific, informed, and unambiguous.
However, for game companies this is not always convenient or desired, so we often look for an alternative legal basis to rely on.
- Contract: This allows an entity to process personal data necessary for the performance of a contract or to enter into a contract.
- Legal obligation: A company may process personal information necessary for compliance with a legal obligation.
- Vital interests: This legal basis allows processing personal data necessary to protect the vital interests of the data subject or another person. Not very common for game companies.
- Public task: An entity may process personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller. Again, not very common for game companies.
- Legitimate interests: This legal basis allows processing personal data necessary for the legitimate interests pursued by the data controller or a third party, except where such interests are overridden by the interests, rights, or freedoms of the data subject.
This is a good catch-all when none of the others fit, but requires that you’ve done a balancing test to determine that your interests are greater than the privacy interests of the data subject.
In addition, the legal basis must be reviewed periodically to ensure that it remains relevant and appropriate.
- Data controller and contact information: A data controller is the entity that decides how and why personal data is processed. An entity must provide its contact information.
- Data processing: The policy should clearly state the purposes for which personal data is processed. This should also include any specific products or services that the company provides.
- Legal basis: The policy should state one of the above legal bases for processing personal data.
- Types of personal data collected: The policy should detail the types of personal data that are collected, including both basic personal information and any sensitive or special categories of data.
- Data recipients: The policy should identify any third parties with whom personal data is shared, including any data processors, and explain the legal basis for such sharing.
- Data transfers outside the EU: If personal data is transferred outside the EU, the policy should state this, along with the appropriate safeguards in place to ensure the protection of the data.
- Data retention: The policy should include details on how long personal data is retained and the reasoning behind it.
- Data subject rights: The policy should explain data subject rights, including the right to access, rectify, erase, and restrict processing of their personal data. It should also detail how data subjects can exercise these rights.
- Complaints: The policy should provide information on how to make a complaint to the data controller or supervisory authority if a data subject believes their rights have been violated.
- Updates to the policy: The policy should explain how any updates or changes to the policy will be communicated to data subjects.
It should be easy to understand, clearly state the purposes for which personal data is processed, and include detailed information on how data subjects can exercise their rights.
Cross border transfers under GDPR
Under the GDPR, the transfer of personal data to countries outside the European Economic Area (EEA) is restricted. However, cross-border transfers are sometimes necessary, particularly for global game companies or those that rely on third-party service providers located outside of the EEA.
To ensure the protection of personal data when transferring outside of the EEA, game companies must adhere to certain measures and requirements. These include the use of Standard Contractual Clauses (SCCs) and compliance with the Schrems II decision.
Standard Contractual Clauses (SCCs) are a set of contractual terms and conditions developed by the European Commission for data transfers outside of the EEA. SCCs offer a legal mechanism for transferring personal data to a third country, often used by businesses processing data in the United States. The SCCs also clarify obligations and responsibilities for the parties involved.
However, in the 2020 Schrems II decision, the Court of Justice of the European Union (CJEU) invalidated the EU-U.S. Privacy Shield, a data transfer agreement between the European Union and the United States. The decision held that the U.S. did not offer adequate data protection to EU citizens. It also invalidated the then-current version of the SCCs, so they were updated in 2021 to comply with the Schrems II decision.
To comply with the Schrems II decision and ensure that cross-border transfers are GDPR compliant, game companies should do the following:
- Conduct a risk assessment: Conduct a risk assessment of the countries or jurisdictions they transfer personal data to, taking into account the risks, laws, and practices of that country or region.
- Use supplementary measures: Businesses should use additional technical, organizational, or contractual measures to supplement SCCs, where reasonable. These measures may include encryption, pseudonymization, or multi-factor authentication, among others.
- Evaluate third-party providers: Businesses should evaluate third-party providers to ensure that they are also GDPR compliant.
- Stay informed: You should stay informed about any changes or updates to GDPR regulations or relevant case law to ensure ongoing compliance.
Cross-border transfers of personal data require specific measures and attention to ensure GDPR compliance. Companies must comply with relevant case law such as Schrems II.
By conducting risk assessments, evaluating third-party providers, and staying informed, game companies can ensure they meet GDPR requirements and protect their users’ personal data.
Frequently Asked Questions about GDPR compliance for game companies:
What is the GDPR and how does it affect my game company?
GDPR is the General Data Protection Regulation, a set of privacy laws that went into effect in 2018. It applies to any company that processes personal data of EU citizens, regardless of where the company is based. If your game company collects or processes personal data from EU citizens, you must comply with GDPR.
What are the key principles of the GDPR that game companies must follow?
Some key principles of the GDPR helping ensure compliance include obtaining valid consent, providing transparency and control to data subjects, implementing appropriate security measures, and reporting data breaches within 72 hours.
What are other steps that game companies can take to ensure GDPR compliance?
Other steps game companies may take to ensure GDPR compliance, include conducting a data audit, updating their privacy policies, obtaining valid consent from users, implementing appropriate security measures, and appointing a Data Protection Officer if necessary.
What are potential consequences of non-compliance with GDPR?
The consequences of non-compliance with GDPR can be significant, including fines of up to 4% of a company’s global annual revenue or €20 million (whichever is greater). Additionally, non-compliance can damage a game company’s reputation and lead to loss of customer trust.
How can game companies stay up-to-date on GDPR compliance requirements?
GDPR compliance requirements may change over time, so it’s important for game companies to stay up-to-date on the latest regulations and best practices. Companies can stay informed by subscribing to industry publications and attending relevant conferences or webinars. It is helpful to work with a legal or privacy expert.