You know the word, and you know it’s important. But what does GDPR really mean? And why do you need to care about it? To help new developers and studios located outside of the EU, we’ve outlined a list of important steps that can keep your game and company fully GDPR compliant.
TL;DR – Your GDPR checklist
- Step 1: Ask for consent
- Step 2: Find out where your data comes from
- Step 3: Put safety first (Data Protection Impact Assessment)
- Step 4: Don’t be clingy (Allow your users to withdraw)
- Step 5: Know how GDPR affects overseas developers
- Step 6: Be clear but creative with your forms
- Step 7: Embrace full compliance
GDPR stands for General Data Protection Regulation, and this new European law has changed the game on how companies manage personal data. While most mobile game developers have now adapted since its introduction on 25th May, some are still unsure about how EU user data should be handled.
The reality for everyone – whether you’re an EU-based studio hoping to release your first smash hit, or an international game developer with dozens of titles – is that toeing the line when it comes to GDPR is a must.
User activity tracking has been integrated into the core functionality of pretty much every digital platform. And games that monetize through ads have long relied on data tracking to optimise various aspects of user acquisition (UA). While GDPR doesn’t necessarily call for a complete overhaul of this, expect some work when it comes to mapping your flow of data, as well as being as clear as possible on how personal information is gathered and used.
Ultimately, the world of mobile gaming has not escaped the wide net that GDPR has cast over the tech industry. And with penalties that could amount to 4% of your company’s revenue, or €20 million (whichever is greater), there’s a high price to pay if you don’t follow the rules.
You may already be aware of this new rule, but one of the biggest steps of GDPR compliance is getting consent from your players to use and store their data. This is pretty simple to do and can be done in a number of ways, but an electronic opt-in box is often the chosen method for mobile games.
An example of how King & Big Fish have implemented consent into their game’s UI on first launch. Players are not allowed to move on any further until they agree.
When it comes to language, convey your request in a clear and concise way, breaking down essential information into understandable chunks. There’s definitely room for using language and visuals that suit your brand, but before you move on to this stage, make sure your message is as straightforward as possible.
By keeping it crystal clear how your players' data will be controlled, as well as giving them easy options to opt out, you'll be complying with GDPR's Right to be Forgotten principle.
User data is personally identifiable information, which can include someone’s name, email address, or device ID (IDFA/GAID). Essentially, it’s anything that can be associated with one person, even if you cannot identify them in the real world.
And you can’t prove that you’re following the rules if you don’t understand how your platform gets that data. You’ll want to make sure to first identify what personal information you’re collecting, and how that data is being extracted from your users. You’ll then need to map the various transfers into your database.
You may find that some information is unnecessary or redundant, and should be removed to tighten up the amount of data you store – another principle of GDPR. And if nothing else, this process should help you hone your tracking and measurement skills when it comes to optimising your platform’s game analytics.
As GDPR is all about protecting the personal data of EU citizens, enforcing strong barriers against manipulation or fraud is a must. Think about how third parties may access the information you gather and what they're using it for. You'll be liable for anything a third-party controller does with this data.
An example of how Rovio has implemented consent into their game’s UI on first launch. Players are not allowed to progress any further until they agree.
A data protection impact assessment (DPIA) is highly recommended before you begin a project where user data is involved. This means you should review your process of data collection and identify any areas that may lead to risk of serious impact on individuals. Although we haven’t found a specified format to follow for a full DPIA which supports the GDPR’s accountability principle, the UK Information Commissioner’s Office (ICO) has a helpful checklist you can use.
Under GDPR, the Right to Erasure clause requires that users should be able to remove their personal information from your system should they so wish. If there isn’t already an easy way to do this, you may want to seriously consider making one.
It might be a shame to relinquish useful player analytics that can be used to support your UA strategy, but saying goodbye when necessary is a requirement of GDPR compliance. So be ready for a few farewells.
An example of how Voodoo has given access to its users to remove any data they may have, within the settings of their games.
As Jason M. Lemkin says, 'Making it hard to cancel doesn't reduce churn, it just modestly delays it'. In other words, you won't save yourself from losing users in the long run by making it hard for them to withdraw their data. Those who really want to leave will, in the end, do just that.
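The two mechanics this post keeps returning to, a consent hard wall on first launch (Step 1) and an easy way to erase a player's data (Step 4), are small enough to model in code. The following is an added illustration, not GameAnalytics or any studio's SDK: it treats the device ID (IDFA/GAID) as personal data, refuses to store any event before consent is recorded, deletes everything on withdrawal, and produces the Step 2 style inventory of which stored fields are personal. Field names and sample values are constructed.

```python
"""Consent-gated analytics store with erasure (added illustration, not GameAnalytics code)."""
from dataclasses import dataclass, field

# Fields the post names as personal data: device IDs (IDFA/GAID), name, email.
PERSONAL_FIELDS = {"device_id", "name", "email"}


@dataclass
class Event:
    device_id: str      # IDFA/GAID: personal data even if you can't name the person
    kind: str           # e.g. "level_start", "purchase" (constructed names)
    payload: dict


@dataclass
class AnalyticsStore:
    consented: set = field(default_factory=set)   # device IDs that opted in
    events: list = field(default_factory=list)

    def grant_consent(self, device_id: str) -> None:
        """Called when the player accepts the first-launch opt-in screen."""
        self.consented.add(device_id)

    def record(self, event: Event) -> bool:
        """Hard wall: nothing is stored for a device that has not consented."""
        if event.device_id not in self.consented:
            return False
        self.events.append(event)
        return True

    def withdraw(self, device_id: str) -> int:
        """Right to Erasure: forget the consent and delete every stored record.

        Returns the number of events removed so the caller can confirm erasure."""
        self.consented.discard(device_id)
        before = len(self.events)
        self.events = [e for e in self.events if e.device_id != device_id]
        return before - len(self.events)

    def inventory(self) -> dict:
        """Step 2 data map: every stored key, flagged True if it is personal data.

        Anything flagged True needs a consent basis; anything you cannot justify
        is a candidate for removal under data minimisation."""
        keys = {"device_id"} | {k for e in self.events for k in e.payload}
        return {k: (k in PERSONAL_FIELDS) for k in sorted(keys)}
```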
Even if you’re a developer coding away on the opposite side of the world, if you have a presence in Europe, then you’re going to be affected by GDPR.
Although at the moment GDPR is only bound to the EU, it could one day be the model for countries across the globe. And in anticipation of this change, we’ve seen multiple companies adopting this policy worldwide in efforts to save future time and money. This could be good practice if you’re thinking of launching your games into other markets.
Interestingly, not all countries are actually bound to implement GDPR in the same way. Finland, for instance, has taken advantage of the new law's margin of manoeuvrability. Countries are essentially allowed to integrate GDPR principles into their existing privacy protection framework, which means rules could vary slightly.
With this being said, it's definitely worth double checking the relevant laws in the countries you wish to launch in, just to make sure everything matches up.
As shown in our examples from King, Rovio and Voodoo, there are lots of different ways you can build consent into your game. And fitting this to your company's identity doesn't always require a lot of words. As long as you're including the right message and giving your players the option to withdraw, you're free to add some creative flair to your data request forms.
Not that you need to go over the top, but there is certainly room for various visuals to accompany your opt-in screen or GDPR emails. This is a great way to add some consistency to your user experience while you gather your all-important user consent.
An example of how Lion Studios has given access to their users to manage their data in their Happy Glass game.
Keep in mind, however, that if your creative idea makes any of your forms unclear or difficult to understand, then you may be compromising your compliance under the GDPR law.
Whether you need to conduct a full evaluation of your portfolio, or are working on your upcoming title, this is one situation where it’s better to grab the bull by the horns and make sure you’re fully compliant.
The end result is often a shiny new terms of service (ToS) document that you can send to your users, and a ‘hard wall’ interface, requesting consent before access to platforms is granted. This may even go unnoticed by your actual players, who are already accustomed to clicking ‘accept’ in various apps. But if you really want to make sure your company and mobile game stay protected, embrace the requirements of full compliance.
If you’re interested to learn how GameAnalytics stays compliant, check out the GameAnalytics GDPR FAQ page here.