Upcoming GDPR regulations and impact to gaming

Kyleran

On May 25th the EUs new data privacy regulations go into effect, and reactions outside the EU range from "the sky is falling" to "GDPR wut?"

This following is something I shared on the site of an indie game in development where this is being considered by the Devs and the community.  

Unfortunately they have rules that prevent me from sharing URLs as I lack sufficient influence (meaning I'm not a backer) so I decided it was a good topic here and has fewer restrictions. 

There is still significant question whether the EU will be able to enforce the GDPR against companies with no actual presence within the EU.

They tried to solve this be adding a requirement that if a company "knowingly" intends to market within the EU, they must establish a representative within the EU, presumably to receive any legal actions including fines.

Problem is, they can't actually force anyone to do this anymore than insure any fines levied can be collected.

It seems they left the actual enforcement provisions outside of the GDPR with references basically saying according to international agreements which will be determined later.

Such agreements may never come. For example, the EU considers IP addresses to be private data, the US doesn't. Will a US judge or legal entity actually agree to enforce this, that's for a future court to decide.

Some point out generally the US and EU cooperate on reciprocal agreements. It was also noted German courts normally frown on US court punitive damages as recently happened to Blizzard and their judgement against the cheat software firm located in Germany.

I found two pretty good articles/ discussion threads on this subject, and clearly this is in the realm of something which should be dealt with under the advice of competent legal counsel.

Bottom line is, its quite possible smaller firms like many indie developers might not have to really comply, because enforcement actions will likely be centered around larger firms with an EU presence.

Might want to consider moving that German website outside of the EU, or they may end up designated as the representative.

.https://community.spiceworks.com/topic/2007530-how-the-eu-can-fine-us-companies-for-violating-gdpr

https://politics.stackexchange.com/questions/30509/how-are-gdpr-fines-actually-enforced-for-us-companies-with-no-physical-presence

anemo

Sure the law says one thing.   But I'm pretty sure it's only going to be used against American companies, since lets be honest they're surveillance companies that are more beholden to a foreign power than EU power.

It's not like you see every site every having cookie tracking warnings when you visit them.   You only see them on a few big websites.

Aragon100

ikcin said:

In fact it protects customers from the greedy companies, that can use the personal data for commercial goals.

Yes it is a welcome change. Just look at the Cambridge Analytica mess that had a impact on democracy.

https://www.reuters.com/article/us-facebook-cambridge-analytica/trump-consultants-harvested-data-from-50-million-facebook-users-reports-idUSKCN1GT02Y

Quizzical

Most games aren't trying to collect tons of your personal data so that they can sell your attention to advertisers.  They're trying to get you to pay for their game.  So it probably won't be a big deal for games to comply with the regulations unless they're excessively complex and/or vague.  Which they probably will be, because that's how regulations tend to be.

Kyleran

Aragon100 said:

ikcin said:

In fact it protects customers from the greedy companies, that can use the personal data for commercial goals.

Yes it is a welcome change. Just look at the Cambridge Analytica mess that had a impact on democracy.

https://www.reuters.com/article/us-facebook-cambridge-analytica/trump-consultants-harvested-data-from-50-million-facebook-users-reports-idUSKCN1GT02Y

You should actually read the article you shared. Doesn't say there was any definitive impact on the US elections, just a bunch of allegations saying so.

Also, appropriate legal investigations are already underway, without any more additional laws.
 
But this discussion isn't about US politics, its about the impact of compliance on smaller gaming firms without the funds to do detailed legal analysis and compliance activities.

But firms like EA and WOW will certainly have to comply, and certainly can well afford to do so.

Aragon100

Kyleran said:

Aragon100 said:

ikcin said:

In fact it protects customers from the greedy companies, that can use the personal data for commercial goals.

Yes it is a welcome change. Just look at the Cambridge Analytica mess that had a impact on democracy.

https://www.reuters.com/article/us-facebook-cambridge-analytica/trump-consultants-harvested-data-from-50-million-facebook-users-reports-idUSKCN1GT02Y

You should actually read the article you shared. Doesn't say there was any definitive impact on the US elections, just a bunch of allegations saying so.

Also, appropriate legal investigations are already underway, without any more additional laws.
 
But this discussion isn't about US politics, its about the impact of compliance on smaller gaming firms without the funds to do detailed legal analysis and compliance activities.

But firms like EA and WOW will certainly have to comply, and certainly can well afford to do so.

The more than 50 million profiles represented about a third of active North American Facebook users, and nearly a quarter of potential U.S. voters, at the time, the Observer said.

“We exploited Facebook to harvest millions of people’s profiles. And built models to exploit what we knew about them and target their inner demons. That was the basis that the entire company was built on,” Wylie told the Observer.

https://www.reuters.com/article/us-facebook-cambridge-analytica/trump-consultants-harvested-data-from-50-million-facebook-users-reports-idUSKCN1GT02Y

I read it and i can assure you i was not on a mission to derail your thread. You dont need to be a rocket science engineer to understand that democracy was attacked. That was the entire point with the company Cambridge Analytica that now is bankrupt.

Since you dont seen to appreciate a wider discussion in the matter i see no point in further replies.

Quizzical

Aragon100 said:

ikcin said:

In fact it protects customers from the greedy companies, that can use the personal data for commercial goals.

Yes it is a welcome change. Just look at the Cambridge Analytica mess that had a impact on democracy.

https://www.reuters.com/article/us-facebook-cambridge-analytica/trump-consultants-harvested-data-from-50-million-facebook-users-reports-idUSKCN1GT02Y

The scandal basically consists of people discovering that Facebook is, indeed, Facebook.  Cambridge Analytica is hardly the only political group to exploit Facebook.  They may have managed to do so on a broader scale than any other political group since Obama's last campaign.  But at most, that's a difference of degree, not of type.  And it might not be much of a difference of degree, either.

Facebook's entire business model consists of getting people to input their personal information and then trying to profit off of using people's personal information.  That Cambridge Analytica managed to extract and use personal information in ways that Facebook didn't approve of isn't any worse than what Facebook itself does to its own customers every day.

As the saying goes, if you're not paying for a product, you are the product.  If you use Facebook, you are the product.  Whatever you input on Facebook, you should assume that it will eventually be open for all the world to see and with your name attached to it.  If you don't like that, then don't use Facebook.

Quizzical

DMKano said:

Quizzical said:

Most games aren't trying to collect tons of your personal data so that they can sell your attention to advertisers.  They're trying to get you to pay for their game.  So it probably won't be a big deal for games to comply with the regulations unless they're excessively complex and/or vague.  Which they probably will be, because that's how regulations tend to be.

They don't - if anyone here thinks that Blizzard has any interest in selling gamers personal info to someone - lol

It's exactly as you say - Blizzard as well as other game companies have one interest - to make players keep playing and spending on their games. That's it.

I'm not worried about Blizzard.  They're big enough that they can handle it just fine.  I'm more worried about the impact on smaller companies.  Regulations tend to hit smaller companies harder than bigger ones because the cost often doesn't scale with revenue.  If it takes a fixed $100k in compliance costs, that's no big deal for Blizzard, but a much bigger problem for a company with only $1 million in annual revenue.

Ideally, the compliance costs for small gaming companies would at most consist of paying some minor fee to implement a standard solution that is for sale.  We don't want them to aim at Facebook and accidentally smack small, independent game studios instead.  Whether that will happen depends tremendously on the details.

IceAge

I pretty much like the GDPR regulations. 

I am sorry to say, but US , since your "awesome duck" has come into power, has done nothing but harm EU. 

If this will harm the gaming industry , is yet to be seen, but I doubt it will. Actually is ..somehow cleaning it.

AlBQuirky

Show of hands here: How many here have a Facebook account? How many use Twitter? How many apps on your "smart phone" ask for your contacts info?

Your personal information is more than likely already sold and resold to multiple info brokers.

What the article is trying to address, and I wonder about it, is how EU will protect their people. The US has shown it cares not. "When in Rome..." comes to mind, and how local laws trump national laws, like if a German committed murder here in the US, say in Texas, they would be tried based on Texas law, not EU law, I think (I'm no lawyer). The Internet is a "sticky wicket", so to speak, crossing boundaries freely without actually (physically) crossing boundaries. No ONE country owns, runs, or controls the Internet.

Also, for the "voting tampering" hubbub... I believe that any sane human would realize that given a choice between Hillary and Donald, Russia would much rather have the "bend over backwards for peace" Hillary in power instead of "meaty tweety" Donald Trump. Just my opinion.

Quizzical

ikcin said:

Oh, it will limit many companies how they use the personal data, not only gaming, but media too. Anyway it is a good lаw for the customers, and it will not hurt the small companies. European regulations in fact protect very much the small business. It is not very effective as economics, but anyway.

Some US regulations explicitly exempt small businesses on the basis that the compliance costs would be minor for a large business but ruinous to a small one.  This can sometimes cause other, undesired effects, but that would at least avoid any problems of small businesses having to spend a large chunk of their money dealing with complex regulations.  I don't know if the EU commonly does that.

Quizzical

AlBQuirky said:

Show of hands here: How many here have a Facebook account? How many use Twitter? How many apps on your "smart phone" ask for your contacts info?

I don't have an account on Facebook or Twitter.  Nor do I have a cell phone at all, whether "smart" or otherwise.  As personal data protections go, Twitter isn't remotely near the problem that Facebook is.  As I see it, the bigger problem with Twitter is that 140 characters is not conducive to context or nuance, but is very conducive to digital lynch mobs trying to destroy people because something can be made to look bad if taken out of context.

I'm not saying that there shouldn't be regulations to protect customer privacy.  I am saying that, if you're aiming at Facebook, then hit Facebook and not a bunch of other companies that weren't the problem.  And maybe they will, but it depends on the details that no one on this site will bother to investigate and understand.  To say that you unequivocally support or oppose the regulations is based mostly on ignorance.

Ridelynn

Quizzical said:

Most games aren't trying to collect tons of your personal data so that they can sell your attention to advertisers.  They're trying to get you to pay for their game.  So it probably won't be a big deal for games to comply with the regulations unless they're excessively complex and/or vague.  Which they probably will be, because that's how regulations tend to be.

Most PC/Console games aren't trying to collect tons of your personal data.

All those "free" mobile/web-based/casual games, on the other hand....

Cleffy

From what I am seeing right now, a lot of small US publishers are backing out of the European Market entirely. It's just not worth it. The regulatory structure of the EU with it's spotty enforcement always makes it a risk to do business in the member states.

Kyleran

In the context of indie game development this could be vexing.  The company I work for spends multi millions dealing with compliance issues and quite a bit was spent on GDPR. 

I could see more small devs setting up licensing agreements like Portalarium did, especially with firms in Russia which isn't actually a great respector of other nations rules and regulations.

anemo

Ridelynn said:

Quizzical said:

Most games aren't trying to collect tons of your personal data so that they can sell your attention to advertisers.  They're trying to get you to pay for their game.  So it probably won't be a big deal for games to comply with the regulations unless they're excessively complex and/or vague.  Which they probably will be, because that's how regulations tend to be.

Most PC/Console games aren't trying to collect tons of your personal data.

All those "free" mobile/web-based/casual games, on the other hand....

Cellphone game publishers would sell their mom in a heart beat for a few pennies.  

And lets be honest literally do, since of course your mom is going to play a game you worked on, and of course your company is going to sell her data (there's a reason they grab everything from contact lists to photo albums).

Quizzical

Ridelynn said:

Quizzical said:

Most games aren't trying to collect tons of your personal data so that they can sell your attention to advertisers.  They're trying to get you to pay for their game.  So it probably won't be a big deal for games to comply with the regulations unless they're excessively complex and/or vague.  Which they probably will be, because that's how regulations tend to be.

Most PC/Console games aren't trying to collect tons of your personal data.

All those "free" mobile/web-based/casual games, on the other hand....

For some suitable definition of "game".

Yes, I realize that I'm wandering into "no true Scotsman" territory here.

cameltosis

I've spent quite a lot of time working on the GDPR - I work in IT in the UK so not only are we having to become compliant ourselves but also having to work with 100s of clients to help them become compliant. 


On the tech side of things, compliance actually doesn't seem all that difficult. You need to understand what all the personal data you are collecting is, what it's being used for and where it's being stored. Assuming you aren't doing anything dodgy with the data, compliance for most of our clients so far just involves a greatly improved privacy policy (which has to explain all the uses of data) plus a load of consent capture mechanisms that we now have to make use of (for example, customers can opt out of automatic processing of their data if not vital to delivery of the service). 

The harder side of things is getting everyone to change their mindsets when it comes to personal data. For example, our developers routinely copy live database onto their local machines so that they can work on a website with the latest data. We can no longer do that without anonymising the databases. Likewise, we have tons of clients who write personal data down or print out data and leave it lying around. Again, they're no longer allowed to do that unless they have a valid reason or unless they delete/destroy the data once they've finished using it. 


Outside of the EU I am given to understand compliance is actually harder than inside the EU. In a discussion over on MOP, someone was trying to explain to me that if an EU client leaves a US business, the GDPR means they have to delete all data about that client. As the guy worked for a small bank which used tons of internal systems, he was saying that it was basically impossible to do due to archaic nature of their IT systems and so they were having to pull out of the EU market.


Thinking of MMO companies, I think all the big companies will be fine unless they are selling your data. What will be interesting is they have to tell us what they're using our data for and I think we could see some surprises. For example, if an MMO monitors your behaviour and then suggests cash shop items based on your behaviour, that is a type of automatic processing of personal data that is not essential for the delivery of the game, thus we are allowed to opt out of it. 

That is where their cost of compliance might go up. Allowing us the ability to opt out of data processing that isn't necessary for the core product (playing the game) could be difficult. 



Personally, I'm still very happy that the GDPR is coming into force next week. Ideally we needed these regulations 20 years ago when the internet first became popular, but better late than never! I had been debating for a while about deleting my Facebook account but am now waiting for the GDPR to come into effect before doing so, then I'll exercise my new right to be forgotten. I'll then be testing them over the following few months to see whether they start collecting my data without my permission (what they refer to as shadow profiles). 

Kyleran

cameltosis said:

I've spent quite a lot of time working on the GDPR - I work in IT in the UK so not only are we having to become compliant ourselves but also having to work with 100s of clients to help them become compliant. 


On the tech side of things, compliance actually doesn't seem all that difficult. You need to understand what all the personal data you are collecting is, what it's being used for and where it's being stored. Assuming you aren't doing anything dodgy with the data, compliance for most of our clients so far just involves a greatly improved privacy policy (which has to explain all the uses of data) plus a load of consent capture mechanisms that we now have to make use of (for example, customers can opt out of automatic processing of their data if not vital to delivery of the service). 

The harder side of things is getting everyone to change their mindsets when it comes to personal data. For example, our developers routinely copy live database onto their local machines so that they can work on a website with the latest data. We can no longer do that without anonymising the databases. Likewise, we have tons of clients who write personal data down or print out data and leave it lying around. Again, they're no longer allowed to do that unless they have a valid reason or unless they delete/destroy the data once they've finished using it. 


Outside of the EU I am given to understand compliance is actually harder than inside the EU. In a discussion over on MOP, someone was trying to explain to me that if an EU client leaves a US business, the GDPR means they have to delete all data about that client. As the guy worked for a small bank which used tons of internal systems, he was saying that it was basically impossible to do due to archaic nature of their IT systems and so they were having to pull out of the EU market.


Thinking of MMO companies, I think all the big companies will be fine unless they are selling your data. What will be interesting is they have to tell us what they're using our data for and I think we could see some surprises. For example, if an MMO monitors your behaviour and then suggests cash shop items based on your behaviour, that is a type of automatic processing of personal data that is not essential for the delivery of the game, thus we are allowed to opt out of it. 

That is where their cost of compliance might go up. Allowing us the ability to opt out of data processing that isn't necessary for the core product (playing the game) could be difficult. 



Personally, I'm still very happy that the GDPR is coming into force next week. Ideally we needed these regulations 20 years ago when the internet first became popular, but better late than never! I had been debating for a while about deleting my Facebook account but am now waiting for the GDPR to come into effect before doing so, then I'll exercise my new right to be forgotten. I'll then be testing them over the following few months to see whether they start collecting my data without my permission (what they refer to as shadow profiles). 

Like you, the company I work for has to handle all sorts of PI while processing transactions and we've long had controls in place to protect it very similar to yours.

Only a select few in IT (of which I am not one) may even log into a prod system to troubleshoot and all test data must be masked or stimulated. 

So compliance with the GDPR wasn't too hard with most changes being on the marketing side of the firm.

On the IT side data segregation has long been an issue and we are heavily regulated as to where data may be stored and who may access it.

I think the greatest challenge for game companies (and everyone really) is putting in secure systems to prevent unauthorized access as the penalties for breeches is going up.

Kyleran

Torval said:

We deal with medical data PHI and HIPAA. We pay for services like Citrix ShareFile. A single fine can ruin a small company.

We process and move others data so we're not directly responsible for the data's end destination. We are responsible to protect it while handling under our custody. I wonder if and how EU citizens data being mixed in here will be handled.

One service we provide is archiving medical data. There are legal requirements for keeping data several years. This data is often stored in a third party system for reference until it can be purged.

This got me thinking what happens when laws outside the EU directly conflict with their laws. So in this example, there are probably requirements for storing or mandatory purging of EU citizen data. There are also requirements for keeping that data which may conflict. That will be interesting to see if and how that is handled.

Great point. Being I work for a firm handling financial data, we have to deal with conflicting regulations and we have departments which deal with them all.

That "right to be forgotten" applies to our marketing data, but not the financial, we keep that as long as legally required. 

Quizzical

cameltosis said:

That is where their cost of compliance might go up. Allowing us the ability to opt out of data processing that isn't necessary for the core product (playing the game) could be difficult. 

But what if the act of buying stuff from the cash shop and being told what you should buy is the core activity, and the rest of the "game" is just something built on top of that?

Renoaku

I don't understand the whole issue, if a company is in the United States, or Europe, and a person from another country wants to "buy" "sell" "use a service" or such then they should be forced to abide by the laws of the country in which the servers are located (or not use the service if a person doesn't agree?)

Cross Country lawsuits and stuff is pretty damn hard to deal with especially when another company scams you i've found that out before, but I've also been told by some that doing business online if you sell something on Ebay for example, or are a EU Customer and such the people who sell are forced to abide by European Law, even if they are not actually making the sale or located in European region.

Kyleran

Renoaku said:

I don't understand the whole issue, if a company is in the United States, or Europe, and a person from another country wants to "buy" "sell" "use a service" or such then they should be forced to abide by the laws of the country in which the servers are located (or not use the service if a person doesn't agree?)

Cross Country lawsuits and stuff is pretty damn hard to deal with especially when another company scams you i've found that out before, but I've also been told by some that doing business online if you sell something on Ebay for example, or are a EU Customer and such the people who sell are forced to abide by European Law, even if they are not actually making the sale or located in European region.

Yeah, thats the crux of the debate.  Say you are a small indie developer who has no physical presence in the EU, but you offer your game for sale over the internet. 

Someone from the EU could purchase an account and under the GDPR the company would be required to follow its rules or face penalties.

The reality is atm there is no defined way for the EU to enforce those rules,  which the GDPR leaves very much in a TBC state atm.

If you are a large firm with deep pockets and many EU customers I suspect the EU would be much more inclined to try and press the enforcement of the regulations.

Also, perhaps as in the US someone would have to file their own legal procedures in the EU to then get EU authorities to begin to take action as I assume resources to enforce will be limited.

Bottom line, a smaller firm or ebay seller may be able to ignore the GDPR as there really isn't much the EU authorities can do.

It may mean however,  companies won't locate servers in the EU as that might be a physical presence.

Well, if the UK completes a hard Brexit then that would likely become the main home of EU servers, while Germany would likely be avoided.

kjempff

@Kyleran I wonder if the GDPR contains an option to not just fine a company but also "ban" it from operating (if continuosly not complying) ? If that is the case then it might be possible to enforce through secondary means, like requiring Steam to not sell their products to EU citicens (I mean Steam already do this to comply with various local laws..Australia for example).
Just wondering...

Kyleran

kjempff said:

@Kyleran I wonder if the GDPR contains an option to not just fine a company but also "ban" it from operating (if continuosly not complying) ? If that is the case then it might be possible to enforce through secondary means, like requiring Steam to not sell their products to EU citicens (I mean Steam already do this to comply with various local laws..Australia for example).
Just wondering...

I'm sure they could,  as Steam definitely would have to be compliant or could be prevented from offering their service in a particular country.

Its just all of this takes time and money to pursue, and the focus would be on larger titles. 

You know how many games Steam has listed right?  Imagine having someone go through and validate if all are GDPR compliant.

Ugh, not a job I would relish. 

Kyleran

ikcin said:

Kyleran said:

Renoaku said:

I don't understand the whole issue, if a company is in the United States, or Europe, and a person from another country wants to "buy" "sell" "use a service" or such then they should be forced to abide by the laws of the country in which the servers are located (or not use the service if a person doesn't agree?)

Cross Country lawsuits and stuff is pretty damn hard to deal with especially when another company scams you i've found that out before, but I've also been told by some that doing business online if you sell something on Ebay for example, or are a EU Customer and such the people who sell are forced to abide by European Law, even if they are not actually making the sale or located in European region.

Yeah, thats the crux of the debate.  Say you are a small indie developer who has no physical presence in the EU, but you offer your game for sale over the internet. 

Someone from the EU could purchase an account and under the GDPR the company would be required to follow its rules or face penalties.

The reality is atm there is no defined way for the EU to enforce those rules,  which the GDPR leaves very much in a TBC state atm.

If you are a large firm with deep pockets and many EU customers I suspect the EU would be much more inclined to try and press the enforcement of the regulations.

Also, perhaps as in the US someone would have to file their own legal procedures in the EU to then get EU authorities to begin to take action as I assume resources to enforce will be limited.

Bottom line, a smaller firm or ebay seller may be able to ignore the GDPR as there really isn't much the EU authorities can do.

It may mean however,  companies won't locate servers in the EU as that might be a physical presence.

Well, if the UK completes a hard Brexit then that would likely become the main home of EU servers, while Germany would likely be avoided.

Pretty wrong. You cannot just escape from the European justice in US and vice versa. If you owe money in EU, you will in US too. In general till GDPR every country in EU had own legislation, so now the legal cost should me smaller for the companies.

Read the two links I posted in the OP and you will gain enlightenment, should be a novel experience.