You may be wondering what’s going on, or how it impacts you personally. I’m a lawyer who has been working with companies trying to deal with these laws, and I’m here to explain exactly what’s going on.
You can blame Europe
The General Data Protection Regulation (GDPR) is a European Union regulation governing privacy and the collection and processing of personal data. It went into effect on May 25, 2018, and companies are reaching out to let you know that they are (mostly) ready to comply. So what does this mean for you, the players?
If you aren’t located in the EU, maybe not a lot. However, many companies are implementing compliance and enforcement strategies that apply to all end users, not just the ones located in the EU. And although the GDPR requires privacy policies to be transparent and concise, those policies now contain a lot of new terms and legal jargon that may be completely alien to you. This is why you may feel overwhelmed even if you live in the United States.
I’ve spent the past few months getting my own clients to comply in advance of the law going into effect. It’s why I didn’t write this sooner, in fact.
But, frankly, the disclosure requirements under GDPR seem to have one over-arching effect, and that’s content-dense privacy policies that aren’t as easy to navigate as companies want to believe. And while this may satisfy legal requirements under GDPR, the practical effect is information fatigue, despite guidance from the appropriate authorities to eliminate just that. These regulations were supposed to make things simpler for everyone, and they are not.
So what are the rights granted under GDPR? How are they enforced? Will you be able to take advantage of these new rights, or will they only benefit those in the EU?
The GDPR grants a specific bundle of rights to “data subjects” (literally anyone that can be identified through collected data) located in the European Union. Each right is meant to give end users some level of control over the data companies collect. Specifically, this includes the right to:
- access your data, as companies have to provide a means to let you see your data, the sources of that data, who receives it, how long it is stored and the technical measures in place to protect it
- receive a copy of your data in a portable format, as companies have to provide you a copy of your data in a structured, commonly used and machine-readable format
- have your data deleted (unless they have to keep it to provide services under their contract with you or they need to keep it for legal reasons), as companies have to delete your data on your request
- modify your data, as companies have to provide a means to let you correct or change the information you have provided
- restrict processing or sharing with third parties, or have your data retained rather than deleted, as companies have to stop sharing or processing the data on your request where the legal basis for collecting it was consent or a legitimate interest;
- object to data processing, including to the legal basis relied on for it, so that if you have complaints or concerns about how or why your data is being processed you can object to that processing and seek recourse.
Additionally, if the legal basis for data collection is based on consent, individuals have the right to withdraw any consent given at any time. This is all supposed to be easy for users to understand and consent to, or not consent to if that’s your choice. Does that all seem straightforward to you?
Whether you can take advantage of these rights if you are not located in the EU will depend largely on the data protection strategy of the company you want to enforce those rights against.
Some companies, like Facebook and a few of my clients, are taking an approach that allows all end users to take advantage of the rights granted under GDPR. Others are setting up separate procedures for EU data subjects, especially where those companies rely heavily on consent. Some clients are even cancelling titles that under-perform in the EU to avoid the cost of getting into compliance with respect to those titles. That means games that don’t bring in enough money to justify the cost of compliance might be going away. These rules are a big deal.
For example, companies that aren’t located in the EU may be subject to different rules, or to a separate framework that makes them compliant with GDPR’s requirements concerning data transfers but limits the rights available to end users (e.g. the EU-U.S. Privacy Shield framework, which certifies compliance with the cross-border transfer rules in Chapter V of the GDPR but only requires that end users can access their data and restrict transfers). This is another way that rules that are supposed to be easy run into the reality of online business and become complicated very quickly.
Companies are required to disclose whatever rights you have under any respective framework, and they will generally remain liable for enforcement of all of the rights available to a data subject, the player in this situation, located in the EU regardless of the framework, even if those rights aren’t specified.
As I said. Complicated, at least if you’re not located in the EU. So how do we make this easier?
How to Read the New Privacy Policies
The Article 29 Working Party, an advisory body made up of the EU member states’ data protection authorities (replaced by the European Data Protection Board when GDPR took effect), issues guidance on compliance. It recommends that companies layer their privacy policies to avoid information fatigue.
Most new policies will include a navigable table of contents for each required disclosure, as recommended by the Article 29 Working Party.
For example, a heading titled “How can I control my data?” will likely tell you what rights that particular company (or the applicable law) is granting you and the mechanisms to enforce those rights. A heading titled “How do we use your Data” will likely cover what they do with your data and how they share it, as well as the legal basis they’re relying on to collect that data.
So what is this “legal basis” companies need to communicate? Under the GDPR, data collected from individuals located in the EU must be collected and processed on one of the lawful bases set out in the regulation. Generally these include:
- it’s necessary to comply with EU or applicable extra-territorial laws, regulations, or legal obligations;
- it’s necessary to perform a contract between the company and the end user;
- it’s necessary for the company’s legitimate interests, except where the individual’s privacy rights outweigh those interests; and
- the individual has given consent.
The last one, consent, is the one we really need to pay attention to, although the “legitimate interest” can be grounds for an objection if you have that right.
Consent under the GDPR has seen a lot of talk in terms of guidance, because the consent requirements are extensive.
Consent will be relied on when another legal basis isn’t available, and many companies are on the fence as to when consent should apply.
This is particularly true with regard to marketing and advertising. Behavioral advertising, which tracks things like your location and location history, search history and other online engagements, often requires the collection of a substantial amount of personal data.
On the other hand, event-based and non-behavioral advertising may only require the collection of less sensitive information like a device ID. Companies treat this as a sliding scale; the more information collected, the less likely it is that a company can rely on a legal basis like “legitimate interest.”
For example, many of the game companies that I represent maintain the position that data collected for non-behavioral advertising is a legitimate interest, and as it doesn’t require profiling or the collection of sensitive information, this legitimate interest doesn’t materially impair individual privacy rights.
However, where behavioral advertising is concerned these same companies will rely on consent due to the nature of the information collected and how it is used to modify the individual’s experience. Other companies have elected to apply consent to all marketing and advertising, regardless of the data actually collected. There’s no one-size-fits-all approach to compliance in this situation and, despite the regulation hoping to simplify things, many aspects of compliance can be arguable.
Consent is now a big deal
Consent must be freely given, specific, informed and unambiguous, and the request for it must be presented clearly, separately from other matters and in plain language. Individuals in the EU must also be able to withdraw consent in a manner no more difficult than giving it.
This means privacy policies that make consent to non-essential processing a condition of using the service generally aren’t GDPR compliant with regard to EU data subjects and may not be permitted under the framework through which the company operates.
The practical application of this is the current state of your inbox, or individual consent requests for ads pushed on your device or in the games you play. It may be annoying for now, but it’s annoying because you’re getting more rights and protections. That’s a good thing, in the grand scale of things. Take the time to read the emails, they’re asking permission to do and track a lot of different things.
There are other consent considerations we need to think about when examining GDPR from a consumer perspective. For example, some EU countries, when drafting their own government’s legislation in response to GDPR in their own territories, have and will continue to prohibit companies from collecting or transferring certain types of sensitive information, even if the individual has otherwise consented to the collection (or would have been permitted to do so with consent under GDPR).
And consent under GDPR for minors has left a lot of unresolved questions. If you’re between the ages of 13 and 16, you may suddenly require parental consent to continue playing your games: the GDPR sets the default age at which a minor can consent to an online service at 16 (member states may lower it, but not below 13), whereas the familiar US threshold under COPPA is 13.
Exercising Your Rights
Companies are required to implement mechanisms through which their end users can exercise their privacy rights under GDPR.
For companies certified under a transfer framework such as Privacy Shield, this also means providing mechanisms for, among other things:
- GDPR compliance verification
- Recourse mechanisms to investigate unresolved disputes, and
- binding arbitration mechanisms to ensure enforcement resulting from such disputes
How these mechanisms look will vary. US companies operating under Privacy Shield, for example, should provide information on each of the above mechanisms. Under Privacy Shield these can be implemented independently by the company (by self-verifying, designating a Data Protection Authority like the ICO for the recourse mechanism, and choosing whatever arbitration provider it wants for the binding arbitration mechanism), or the company can rely on a third-party program like TRUSTe to provide these mechanisms on its behalf.
So what can you do to better secure your data, now that we have all of these tools available thanks to GDPR?
- Your first step is to determine whether the new policies you’re reviewing and the rights set out apply to all end users and not just individuals located in the EU. You will need to actually review the policies you’re getting in your inbox if you want to make use of any of the rights GDPR can provide;
- Next, reach out to companies collecting your data and request a copy, if that right is available to you. If not, request access — this should be available whether you live in the EU or the US, if the company is complying with Privacy Shield
- Check the data they have collected and the information they have provided. The information provided should include the categories of data they collect, where they collect the data from, how long they retain it, the specific companies they share it with, and the technical security measures they have in place to protect your data. If the response to your access request doesn’t include all of the above, request the missing information;
- If you are concerned about any of the third parties with whom they are sharing information, submit a follow up request to restrict your data in connection with those third parties (questionable advertisers, sketchy research firms, Cambridge Analytica);
- Finally, when you’re ready to terminate your account, you can submit a request to have your data deleted, unless they need to hold onto it for legal reasons. In the alternative, you can request that they RETAIN your data beyond their usual retention period if you need that information for some reason (like a lawsuit).
Most of the rights requests will need to be made directly to the company, although in some cases (like when there are joint independent controllers … but that’s for another article), you may need to reach out to a company’s third party providers to verify that the request has been satisfied (e.g., you may need to reach out third parties when you cancel your account and want your data deleted). It’s a pain in the ass and many people will not take the extra step.
This shouldn’t happen under GDPR, and there will likely be steps taken to make a company the “one stop shop” for the data they collect, but frankly that gets messy when there are multiple parties all with differing obligations and rights with respect to any category of data.
For example, a company may engage an advertising mediator to push behavioral advertising content in their game. To become GDPR compliant, the companies have to enter into a new “data addendum” that identifies each party’s role under GDPR. In most of these addendums there will be one processor and one controller (generally the publisher/developer is the controller).
However, in some cases mediators collecting this data through an SDK will take the position of controller or joint controller. This means two parties have a say in what happens to your data — and how long they keep it.
Therefore it’s smart to make sure the developer or publisher is, in fact, the one-stop shop it’s supposed to be when you reach out with a data rights request. In the future, as the application of GDPR becomes more settled, most of these solutions will become automated in some form. In some cases they already are.
A good example comes from the consents mentioned above — as users must be able to withdraw consent as easily as it was given, an automated method of obtaining consent would require an automated and identical or near identical method for withdrawing that consent.
Little of this is written in stone, or at least its application isn’t. Facebook and Google were already the target of complaints filed with data protection authorities seeking multi-billion-euro fines in the first days of GDPR.
While the rights granted under GDPR go a long way to address many of the concerns consumers have in connection with data protection, it’s a very new law and no one is certain how it will be enforced.
Companies are currently scrambling to comply and, in the meantime, you will play a very vital part in determining the shape this law eventually takes. As you, the consumer, communicate your requests concerning data collection and how you want those requests serviced, companies will implement new strategies to ensure they don’t lose your business.
GDPR operates on the principle of “Privacy by Design,” which requires companies to build data protection into their products and processing from the start rather than bolting it on afterwards. Companies have plenty of incentive to pay attention to you moving forward if providing end users with data protection solutions makes a company more attractive to you.
And while GDPR only applies to individuals in the EU for now, the current pro-data protection environment will likely lead to other territories adopting similar data regulation standards — if not to protect their consumers, then to ensure they can still engage in trade with EU companies and service providers. The steps I laid out above to interact with your data and learn about where it’s going may feel like a pain in the ass, but this is the world in which we live. The more involved you become, the better the outcome is likely to be for everyone.
In the meantime, non-EU citizens still stand to benefit from the rights granted under GDPR, if only by digital proximity. But what exactly that means is still in motion, and likely will be for some time.
Mona Ibrahim is a Senior Associate at Interactive Entertainment Law Group. She is an avid gamer and has dedicated her career to counseling the video game industry and indie development community.