Does my game need a privacy policy?

There are many legal requirements that companies, especially game and digital media companies, must adhere to in this day and age. One question that comes up often is whether game companies must have a privacy policy on their website.

What is a privacy policy?

A privacy policy is a document that explains what personal information a company collects from users, how the company uses it, who they share it with, and how they safeguard that data. What constitutes “personal information” varies but it typically includes things like names, email addresses, physical addresses, IP addresses, browser cookies, etc.

In some countries, privacy policies are required by law if a company collects information from those countries’ citizens. Some services, like Google AdSense and Amazon Affiliates, also require that you have a privacy policy on your website.

What is a EULA?

End-user license agreements (EULAs) are a different matter from privacy policies. A EULA is the contract between the licensor and the purchaser that establishes the purchaser’s right to use the software. Whenever you download a new game, you are functionally signing a contract through your purchase and use of the game.

A EULA establishes how the game publisher allows gamers to make use of the game license. An end user technically does not own the source or object code that forms the basis of a game, and the EULA sets the terms for the bundle of rights licensed through the purchase. A EULA may set limitations on things like whether the license can be transferred, whether the software can be copied, rented or leased, and how the code can be modified or whether derivative works can be created from the original work.

A good example that we’ve covered recently is how EULAs may set terms for things like Let’s Play videos or the creation of game mods.

EULAs are different from privacy policies because EULAs apply specifically to software and how a user can actually use a license. A EULA protects the company. A privacy policy, on the other hand, is intended to primarily protect the consumer and clarify how a company is using the personal data it collects.

When do you need to have a privacy policy?

If a company is collecting personal information, it should be explaining to its users what it intends to do with the data. If it’s using any kind of analytics, collecting any information from user input, using cookies or persistent trackers, etc., it needs to disclose that to its users. If it is sharing user data with third parties, it needs to disclose that to its users. Before you say “I would never share user data with anyone,” consider two examples: first, the FBI subpoenas your company for the information. Will you be ready to fight the subpoena, or even be held in contempt of court to protect that data? Second, and more happily, what if a larger company offers you billions of dollars for your company, but as part of the diligence process, they want to review your user data? Will you walk away from the sale? Probably in both situations, the answer is “no.”

Privacy policies are a disclosure to the users of a service about the privacy and data handling practices of that service provider. They are there to warn users “if you use this, we will use your information in these ways.”

If you’re a digital media site or if your game company has an eCommerce store, you also need to consider implementing a privacy policy on your site because it’s required for Google AdSense, Amazon Affiliates and other third-party sites. You may be in violation of their requirements if you don’t already have a policy in place.

Some example privacy policies in the video game industry are listed below. It is important, though, that you never copy another company’s privacy policy. A privacy policy needs to accurately reflect how you are collecting, using and sharing information. If you copy another site’s policy, odds are it won’t be accurate. To underscore how important this is, consider that LinkedIn ultimately lost a lawsuit because its privacy policy indicated it would send one email to your contacts if you allowed it access to them and in reality, it sent three emails. Accuracy is key.

California specifically has the California Office of Privacy Protection and if you operate a commercial website that collects information on California residents, there are more granular requirements. Also note – Europe is a whole different beast when it comes to privacy policies.

Contact us if you’d like to discuss setting up a privacy policy and what sort of information it needs to include based on your specific business needs.