Essential Law for Game Devs: A game dev’s guide to data privacy

Please note: since writing this piece, Tim has moved on from Sheridans.

If terms like GDPR, PECR, and COPPA fill you with an uneasy sense of dread, we get you. The world of data privacy compliance can feel intimidating, and at a glance, appears packed with bewildering jargon and less-than-welcoming acronyms.

However, if you're a developer, founder or studio head, understanding data privacy compliance isn’t just key to the success of your games. It’s also about respecting your users – and it’s a legal obligation. Fortunately, it need not be as intimidating as it first appears.

With that in mind, we called on LootLocker friend and experienced game industry legal professional Tim Repa Davies to give us an overview of the fundamentals of how data privacy relates to your games (and if you want a general primer on Tim and his insights on how you can get started understanding game law, check out our recent blog post).

With that, let's hand things over to Tim…

What is GDPR?

The General Data Protection Regulation (GDPR) is central to data privacy across Europe and the UK, and makes up a part of EU law focused on protecting the data and privacy of users. Following the UK’s departure from the EU, the GDPR has been replaced in the UK by the UK GDPR which is largely similar to the GDPR so for the purposes of this article when we refer to GDPR we are also referring to the UK GDPR for any readers based in the UK.

Today so many games, apps, websites and other digital entities pool data based on a user’s interactions. At the simplest level, that data might be used to tailor a player's experience of a game. Many devs also use data to inform the process of updating, refining and maintaining games. More famously – or infamously – such data is used to target ads and services. That can be a crucial part of monetising a game, and advertising proponents might tell you it also means you are exposed to more relevant, interesting brands. Others see targeted ads as something of an invasion of privacy.

Regardless, many are rightly concerned by how their information and data is handled, protected and used.

Essentially GDPR rules require you to take the time to ensure compliance with the regulations and the laws around data privacy. Because we all deserve privacy in a great many contexts.

That means three things. Firstly, the GDPR rules require companies to be open with their players about the different types of personal data that they might process via their website, game, or app; in the case of games that might mean email addresses or Steam IDs, but the definition of “Personal Data” is very broad and essentially covers any information relating to an individual.

Secondly, the GDPR requires that you be clear with your players regarding the reasons why your studio processes that personal data, even if it is purely about improving the nuance of a game. This requires studios to have a “lawful basis” for using that personal data, such as getting consent from the player to use their personal data. At its core these first two requirements ask studios to be clear, open and honest about how you use personal data and your purposes for using it.

Thirdly, the GDPR introduces a concept called “data minimisation”. That means studios should only process personal data that is sufficient to fulfil its stated purpose, have a rational link to that purpose, and be limited (in quantity) to only what is necessary.

Finally, the GDPR insists on the implementation of various safeguards, security measures and mechanisms to ensure the protection of personally identifiable information.

In other words, GDPR is about keeping user information itself private, while being public about how you use that data, ensuring that you have a lawful reason for collecting and processing that data, and only collecting what you need.

What is PECR?

PECR stands for the “Privacy and Electronic Communications Regulations”, and sits alongside the GDPR. PECR covers several areas including marketing by electronic means (such as email, calls and texts), as well as the use of cookies or similar technologies that track information about players.

There is some overlap between GDPR and PECR, but there are differences, and studios need to ensure that they are compliant with both. Crucially, PECR applies even if you are not processing personal data.

The key principle introduced by PECR is that all unsolicited electronic marketing is restricted without specific consent from the player/end-user. The best way to obtain valid consent is to ask players/end-users to opt-in by ticking a box confirming that they are happy to receive marketing communications from you relating to your game or studio. However, there are limited exceptions to this rule for previous customers where that customer may be deemed to have provided their consent (known as “soft opt-in”). However, you still need to give those players/end-users a chance to opt-out if they wish.

If studios are setting cookies (small text files that are downloaded onto computers or smartphones) when a player accesses your website then the PECR introduces general rules to tell your players the cookies are there, explain what those cookies are doing and why, and get the player’s consent to store a cookie on their device.

Getting GDPR Compliant

To make sure you are compliant, think about the personal data you are collecting from your game, such as analytics, platform data, user data and so on. Equally, consider the reasons why you are collecting it. For example, you might be collecting analytics from each user’s gameplay activity to track bugs or issues in the game so that you can fix and patch them. Or you might also be collecting Steam IDs or other platform IDs so that you can link their game stats from the game to their platform account.

However, if there is any data that you do not have a good reason to be collecting, then as a rule of thumb do not collect, store or process that data. One of the main principles of installing GDPR was ‘data minimisation’ – that being reducing the amount of data that data controllers and processors (including games companies and services) were collecting, storing and processing. So be absolutely sure you only collect, store and process the personal data that you actually need. Just as importantly, place clear, unmissable privacy notices that clarify your approach to data collection and use front and centre of your game – ideally at the point of download and as part of a boot up screen.

You’ll also want a publicly accessible privacy policy covering every element of your approach to gathering, using and protecting user data. Make sure they are highly tailored to your specific game. Copying and pasting a privacy policy from another studio won't cut it. Expertise will be critical here. Get talking to a game lawyer. They’ll happily give you general advice, and if you hire them to make sure you are GDPR (and PECR) compliant, it might be some of the best money you’ve ever spent. And while you have them, you can get some guidance on preparing an end-user licence agreement (EULA), which provides a legal contract entered into between your studio and players of your games.

The GDPR is very focussed on the “integrity and confidentiality” of personal data, and requires such data to be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful process and against accidental loss, destruction or damage, using appropriate technical or organisational measures”. This means studios must have appropriate security measures in place to prevent personal data that they are holding from being compromised (whether accidentally or deliberately). Security measures should go beyond just how a studio might store or transmit personal data. Such measures should address cybersecurity, but also how personal data is accessed, altered, disclosed or deleted - and who by - and also ensuring that the personal data held is accurate and complete in relation to the reasons for which it is being processed.

There is no ‘one-size-fits-all’ approach to security of personal data so studios will need to decide what measures are appropriate by carrying out a data privacy impact assessment to review the personal data held and the way it is used. Such assessment should also take into account the nature and extent of the studio’s premises, computer systems and IT infrastructure; and the number of staff and the extent of their access to personal data.

Protecting Young User's Data

If one group requires more protection than any other, it is, of course, children. Even simply taking data to squash bugs still means robust regulations must be respected. Bear in mind this is not only about games themed for children, or games with certain age ratings, but any case where data is taken from young users.

In the US the Children’s Online Privacy Protection Act (COPPA) applies to the online collection and processing of information from children under the age of 13. Over in the UK, the comparable Children’s Code provides a similar age-related data privacy law.

The main focus of COPPA is protection of children’s privacy in the digital, online space. COPPA is a requirement under US law, but it applies worldwide to companies providing services that are directed to children in the US, or knowingly collecting personal information from children in the US. So if your game gets a US release, COPPA applies, wherever you are based.

A game would fall within COPPA’s scope if either of the following applies:

• It is directed to children under the age of 13 and collects personal information from them; or
• It is not directed to children and is instead ‘general audience', but the service provider (e.g. the game publisher) has actual knowledge they are collecting personal information from a child under the age of 13.

In the second case, if a game asks for a user’s age, and that age is listed as under 13, COPPA applies.

What About Beyond the US?

The Children’s Code, meanwhile, was introduced in the UK in 2021. In short, it defines how online services including games and apps must ensure that their services appropriately safeguard children’s personal data. The code sets out 15 standards of age appropriate design that games businesses will need to put in place, including data minimisation and acting in ‘the best interests of the child’. Crucially the Children’s Code defines “child” as any individual under the age of 18, which is a higher age than used by the GDPR when instituting specific protections for young people.i

All games businesses will need to consider the code if children are likely to access their service. That could mean giving children who play your app or game a high level of privacy by default, such as switching off targeting advertising and limiting geolocation features. (I’ve written a short primer on The Children’s Code that you can find on GameDeveloper.com).

Elsewhere globally, other regulations exist, and if your game appears in those territories, you’ll have to respect their laws. Clearly that can be complex and time consuming. Understanding the nuance is a career in itself. But just as with preparing a privacy policy, consulting a lawyer is powerfully impactful and effectively essential. Again, despite the cliche, most lawyers in the gaming space won’t charge a fortune (or anything) to start the conversation. If and when that lawyer does need to ask for a fee, remember that’s exactly the kind of thing your game’s budget needs to cater for.

You Can Do It!

Again, you’ll need some kind of legal guidance here. Getting data privacy right isn’t something you can rush through and improvise. It takes time and expertise, and a complete guide is beyond the scope of a single article.

But as you can see, the fundamental principles are easy to grasp. It’s about respecting your users, and their right to privacy. We all want to be respected and have our privacy supported. So if nothing else, put yourselves in the shoes of your user and think about how they feel. And, of course, get in touch with a lawyer.