Reaching more than 10 million downloads in the United States alone during just its first week, Pokémon Go demonstrates the potential for mixed-reality games, not only for the game business but for the retail world generally. Merchants can pay the app daily fees for “lures” that attract users, thereby drawing traffic to their stores. However, mixing physical reality with a fictional world of game characters, requiring people to visit various public locations on virtual quests raises a number of legal concerns – most conspicuously, data collection and privacy, trespass, and liability for injuries.
Data and Privacy
Privacy concerns have arisen due in part to the location information that the Pokémon Go collects and uses in the game, and appear to have caught the attention of regulators. Senator Al Franken of Minnesota wrote to the developer Niantic inquiring about the data being collected from users’ phones – especially geolocation data, requesting “greater clarity on how Nintendo is addressing issues of user privacy and security, particularly that of its younger players.” (There appears not to be a public response at this time.)
In addition to geolocation data and other information collected from phones, information accessible through Google accounts may be accessible to Niantic. When first released, the app allowed Niantic full access to users’ Google accounts. Thus, Niantic could view contacts, emails, calendars, documents on Google Drive, photos, map history, and location searches. Niantic subsequently released an update, and has since assured users that the game can only access a person’s Google user ID and email address.
However, organizations such as the Electronic Privacy Information Center (EPIC) continue to push for further investigation into the company’s data collection policies. Writing to the Federal Trade Commission (FTC), EPIC called for additional scrutiny, arguing that the developer had previously collected data from Google users in a questionable manner. EPIC is also concerned about former Google company Niantic’s ongoing relationship with Google. According to EPIC, though Niantic now only has access to basic Google account profile information, the app still collects email addresses, names, messages, IP addresses, and the web page visited last before accessing Pokémon Go. Also of concern is that the app accesses cell phone cameras and location information, presenting a significant risk since the app has already received threats of hacks and has been the target of a cyberattack.
Another issue that has been raised raised is trespass, which occurs when someone physically enters someone else’s land. Pokémon Go and other mixed-reality experiences are supposed to direct users to publicly- owned lands, but given the zeal that Pokémon Go users have already demonstrated when tracking (especially rare) pokémon , it is easy to predict that users – especially children – may trespass onto private property in order to reach their destination. If developers are considered to have led users onto private property, they might be held jointly liable for the trespass (along with the individual trespasser).
In addition to developers and trespassers, a land owner might also be liable for damage when children trespass, under the doctrine of “attractive nuisance.” This doctrine applies when (1) a land owner has reason to know that children are likely to trespass onto the land and (2) should realize that there is unreasonable risk of death or serious bodily harm to such children, (3) the children do not discover the risk, (4) the burden of eliminating the danger is slight compared to the risk, and (5) the land owner does not exercise reasonable care to eliminate the danger. This situation could exist, for example, if the best way for users to access destinations is to cross an area that is under construction.
Thus, mixed-reality developers should consider how users are likely to reach an intended destination, and they should also consider a policy of removing destinations upon request. In the case of Pokémon Go, a number of physical sites that have been designated as PokéStops (locations where players can collect in-game items) have complained about traffic and nuisance. While Niantic does accept requests for removal of PokéStops , it does not guarantee the requests will be granted.
Liability for Injuries
Pokémon Go is also gaining considerable publicity for injuries users have sustained while playing it. Accidents include collisions with physical surroundings, driving accidents, and even a case of players falling off of a cliff. Players may also be easy targets for crime. In Missouri, for example, armed robbers have used the geolocation feature to predict where players will be and how secluded the area will be.
Not surprisingly, Niantic has taken measures to limit its liability. The app includes a warning screen about paying attention to physical surroundings, and game’s terms of service include a $1,000 liability cap and mandatory arbitration provision. In addition, a player must agree that playing the game is at the player’s own risk, and the terms state that it is the player’s responsibility to maintain medical and insurance policies for any injuries the player may incur while using the app. The player must also agree not to use the app to violate trespass (and other) laws. However, there could be an argument that a developer is expected to know whether a destination or path to it is not well-lit, or undergoing construction, or generally dangerous, especially given that many players are children.
As mixed-reality and augmented-reality experiences continue to evolve and enter the mainstream, industry norms and societal expectations will also develop. Developers should maintain as transparent and consumer-friendly data collection practices are practical, referring to the principles laid out by the FTC. And although the law does not explicitly require it, developers would be wise to take steps to avoid leading users into or through clearly dangerous areas or private property.