Level Up Your Gaming Privacy Knowledge: A Walk-Through of Privacy Laws

David Hoppe

The first video games did not collect information from users. The capability didn’t exist. While sales data was available, there was no way for game creators to collect and utilize metrics from those playing the games. Eventually, arcade games allowed players to enter their name or initials along with their high score to be displayed to the entire arcade. This was the first time video games were able to collect and track personal information. Over time, that practice developed into the collection of even more personal information as well as data related to gameplay. Now that video games are online, every action a player takes can be logged and analyzed. Video game developers can use this information to improve their game, fix bugs, and create better versions of new games. But developers can also monetize this information by developing new features based on data analysis, getting players to make more in-game purchases such as weapons and skins, or even selling data to third parties.

This is especially true of free-to-play games that earn revenue through in-game purchases as well as monetizing the data. Wargaming’s popular free-to-play game World of Tanks leverages its data to make money. World of Tanks boasts 110 million registered users and 4 million players at any given point in the day. According to Alexander Ryabov, head of Wargaming Business Intelligence Data Services, this generates several terabytes of data per day. Ryabov explained that the video game company “captures data from the second players log in to a game to when they log out. The company also collects and analyzes in-game chat logs, along with mentions of its games on social media sites and in many gaming discussion communities. Using this data, they can run models to retain customers, cross-sell other games, convert players into paid users, monitor the player journey and reduce friction points in the games.” Similarly, Epic Games monetizes Fortnite’s legions of players “by selling dance moves, ‘skins’ to change the look of the player’s character, and access to pre-release game modes.”

Unsurprisingly, the practice of using player data to generate revenue, or even to make games better, presents a litany of privacy issues. There is a somewhat fine line between personal information and gameplay information. Some pieces of data are clearly on one side of the line or the other, but the distinction is not always obvious. For example, the collection of geolocation data or IP addresses is clearly the collection of personal information. If, however, a company collected data on the number of shots taken per fight, this would likely be gameplay data. But some companies go further and mine in-game communications. Some use a player’s webcam to track eye movement and facial expressions. Even if used to improve game performance, this data is personal information. Privacy concerns are gaining attention in the United States and around the world. It is therefore critical for video game developers, platforms, and app creators to be mindful of privacy laws.

U.S. Privacy Law

FTC – Unfair and Deceptive Trade Practices

Privacy in the United States is complicated. One of the earliest privacy statutes was HIPAA, a federal law that covers healthcare entities and their business associates. Eventually, the Federal Trade Commission (FTC) began taking action against companies for privacy violations under the theory that the companies’ actions constituted unfair trade practices. The FTC made it clear that companies must tell consumers both that the company was collecting customer data and how that data was being used. If a company used customer data outside the scope of its privacy notice, this use constituted unfair and deceptive trade practices – actionable by the FTC. Individual states have similar administrative agencies and bring privacy-related regulatory actions against companies for the same type of practices.

Children’s Privacy

As internet use became more widespread, the government became concerned with the privacy of children using the internet. This led to the enactment of the Children’s Online Privacy Protection Act (“COPPA”) in 1998. COPPA imposed several requirements on websites with content targeted to children under the age of 13. Among other things, it required websites with actual knowledge that a user was under 13 to post a privacy policy, obtain parental consent prior to the collection, use, or disclosure of the child’s personal information, and allow parents to review the personal information collected from the child. If a website is not collecting personal information from its users, COPPA does not apply. However, if personal information is being collected, web-based video games targeted to children or those with actual knowledge they are collecting information from children must comply with COPPA. Likewise, apps – games or otherwise – available for download on phones and tablets are also subject to COPPA if they have actual knowledge they are collecting data from children.

This statute is enforced by the FTC. State attorneys general have also brought regulatory actions for child-related privacy practices. Just last month, a U.S. District Court ruled the New Mexico Attorney General could proceed with a lawsuit against several tech companies – including Google and Twitter – for collecting children’s personal information without consent in violation of state and federal law.


California’s new privacy law – the California Consumer Privacy Act (CCPA) – is a broad statute that aims to protect the privacy of California residents. The CCPA applies to any business that does business in California, collects consumers’ personal data, and (1) has annual gross revenues in excess of $25 million; (2) buys, receives, or sells the personal information of 50,000 or more consumers or households; or (3) earns more than half of its annual revenue from selling consumers’ personal information. Many tech companies are based in California and California has nearly 40 million residents. Thus, this threshold is not difficult to meet, and most video game creators and streaming services are therefore subject to the requirements of the CCPA. These requirements include, among other things, the conspicuous posting of privacy notices, giving the consumer the right to obtain a copy of his or her personal information collected by the company, and granting the consumer the right to demand that his or her personal information be deleted.

Other States

Currently, only two other states have formal privacy statutes: Maine and Nevada. All 50 states have data breach notification laws but – so far – efforts to enact data privacy laws have been met with resistance, particularly from “BigTech” – Google and Facebook, among other large tech companies. Vermont has enacted only a law that applies to data brokers – third parties that buy and sell data and do not have a direct relationship with customers or users. Many states are considering data privacy bills, and there has been talk of a comprehensive federal privacy statute, but so far these are simply conjecture.

Other Jurisdictions


The European Union General Data Protection Regulation (“GDPR”) was enacted in 2016. It applies to any organization, regardless of where it’s based, as long as that organization intentionally offers goods or services to the EU or monitors the behavior of individuals within the EU. Many video games are played across the globe. As a result, if a platform is collecting data about its users, it is likely collecting data about users in the EU and is therefore subject to the GDPR. Like the CCPA, the GDPR provides data subjects with the right to view the personal information collected about them and the so-called “right to be forgotten.” The GDPR also imposes notice and reporting requirements on organizations, including the requirement to prominently post an easy-to-read and easy-to-understand privacy notice on the organization’s website. Noncompliance can be costly, as evidenced by the €50 million fine levied against Google. Less severe violations could result in a fine of up to €10 million, or 2% of a company’s worldwide annual revenue, whichever amount is higher. More severe violations can result in a fine of up to €20 million, or 4% of the company’s worldwide annual revenue, whichever is greater.

Non-EU Countries

According to the United Nations, 64% of countries have data privacy laws and an additional 8% of countries currently have draft data privacy legislation. As with the GDPR, and given the global nature of the internet and video games, companies will need to be mindful of privacy requirements across the world.


With more and more states and countries adopting privacy laws, gaming companies must be vigilant about privacy. Video game manufacturers and platforms not only need privacy policies, but they need to adhere to those policies. While companies rely on certain user information to understand and improve their games, they must be up front with users about the types of information collected and how that information is used. Not doing so opens the company to lawsuits, regulatory actions, fines, and, potentially more damaging, negative PR.

Gamma Law is a San Francisco-based firm supporting select clients in cutting-edge business sectors. We provide our clients with the support required to succeed in complex and dynamic business environments, to push the boundaries of innovation, and to achieve their business objectives, both in the U.S. and internationally. Contact us today to discuss your business needs. 

