Data collection and analysis have become ubiquitous with modern technology and are pivotal aspects of contemporary video game design. Game developers may collect data for any number of reasons, including anything from wanting to obtain a user’s name, address, and billing information for in-game purchases, to utilizing collected data to catch hackers, or identify areas of games where users spend the most time.

Regardless of the purpose of collection by game developers, there is a potential for game developers and their associated entities to be liable to the Children’s Online Privacy Protection Act (COPPA), the California Consumer Privacy Act (CCPA), and the EU’s General Data Protection Regulation (GDPR). Here are some common legal issues game developers can run into regarding in-game data collection.

COPPA Compliance

COPPA was created to protect the privacy of children under age 13. COPPA specifies that sites must require parental consent for the collection or use of any personal information on websites and online service users aged 12 and under. 

Developers may use various methods to attempt to limit the amount of child data collection, such as creating an age-gate to prevent users under 13 from accessing certain aspects of a game or the game altogether. However, where this is not feasible, developers should maintain a heightened level of compliance. Any games engaging child users are required to have: 

• Clear and comprehensive language about which information is being collected about children and why;
• How this information is collected and used;
• Any third-party affiliates that will have access to the information and why;
• Statement of parental rights regarding their children’s personal information;
• Instructions as to how children’s information may be accessed, reviewed, edited, or deleted by the parents; and
• Instructions on how (verifiable) consent may be given and/or revoked by the parents.

GDPR Challenges

GDPR applies to any organization operating within the EU, as well as any organizations outside of the EU that offer goods or services to customers or businesses in the EU. GDPR defines personal data as “any information that relates to an identified or identifiable living individual,” and “different pieces of information, which collected together can lead to the identification of a particular person.” 

Regarding children under the age of 16, although a separate children’s Privacy Policy is not specifically mandated by the GDPR, it does state that any online business that targets children should write their Privacy Policy in a way that is clear and easy for children to understand. The GDPR also has similar requirements to COPPA in that even if a game is not intended or targets children, a company may still be subject to the GDPR’s standards about child privacy if the game is deemed attractive to children.  

Moreover, although this goes beyond GDPR requirements and is a UK-specific measure, the United Kingdom has recently implemented the Age Appropriate Design Code, which mandates that companies “put the best interests of the child first when they are designing and developing apps, games, connected toys and websites that are likely to be accessed by them.” This “likely to be accessed” language is important to note because it applies to all minors (children under 18 as opposed to under 13) and it goes substantially beyond COPPA’s threshold of only applying to companies that have actual knowledge that information is being collected from a child.

Generally, game developers should attempt to adhere to the GDPR by at least completing the minimum requirements of: 

• documenting the data it processes that is subject to the GDPR; 
• providing concise and clear privacy notices; 
• obtaining consent in accordance with the GDPR when necessary;
• providing removal/erasure procedures, and an opt-out feature for collected data; 
• identifying a compliant data transfer mechanism; and
• and amending subprocessor/subcontractor agreements. 

CCPA Challenges

CCPA affects all businesses who do business in California AND either (i) have at least $25 million of annual gross revenue; (ii) buy, sell, share or receive personal data the personal information of 50,000 or more California residents; or (iii) receive over half of their revenue from the sale of personal data of California residents. CCPA also allows California residents to request that businesses meeting these criteria identify the “personal information” that those businesses collect, as well as to demand that those businesses delete and/or not sell such personal information. Furthermore, the CCPA broadly defines personal information (instead of “personal data” as the GDPR uses) to be “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

One of the primary situations the CCPA may present unexpected issues to a developer is that various types of information can be classified as personal information. For example, biometric information about a game’s player, such as keystroke patterns, recognition and click speeds, and logon/logoff times, could all fall under the CCPA definition of “personal information” if they can be identifiable. In fact, some privacy experts assert that there is no such thing as fully anonymous data, as seemingly unrelated individual pieces of data can be cross-referenced against other databases and used to create identifying information. 

What developers also may not realize is that collecting this information is not a violation of the CCPA itself, but that collecting, storing and possibly sharing this information then subjects them to the CCPA, thus making them liable for any violations. 

While companies can satisfy a portion of their CCPA compliance by being within GDPR compliance, CCPA does have unique requirements. For example: 

1. the inclusion of a “Do Not Sell My Personal Information” link on your company’s website;
2. a toll-free number consumers can call if they decide they want to opt-out of having their data sold;
3. a statement regarding the rights of California residents to opt-out of the sale of their data to your Privacy Policy; and
4. a review and update of the Privacy Policy every 12 months (make note of this update within the Privacy Policy).

Cameron Benton

Cameron Benton is a rising 3L at the North Carolina Central School of Law in Durham, NC, currently completing their technology certificate, a first of its kind. He intends to practice in the areas of data privacy and compliance, cybersecurity, and other emerging technologies like blockchain. Outside of the demands of being a law student, he enjoys bird watching, tinkering on cars, and spending time with loved ones.