Throughout May 2018, the one email that users worldwide, especially in the European Union, have been getting is the “GDPR Policy” update email.
But what is GDPR? And what does it mean for game players, game developers, and partners?
What is GDPR?
The General Data Protection Regulation (GDPR), or Regulation (EU) 2016/679 as it’s known in official contexts, is a regulation spearheaded by the three legislative European Union institutions to protect the data and privacy of citizens and residents of the European Union member states.
The goal of the GDPR is to return control to data subjects in the union over their data and make the regulatory environment simpler for international business.
It will replace the current Data Protection Directive (Directive 95/46/EC) when it comes into force on May 25, 2018.
What’s different from ePrivacy?
Both the GDPR and ePrivacy are based on Articles of the EU Charter of Fundamental Rights, a document containing the rights and freedoms protected in the EU.
Simply put, the GDPR is focused on data protection, and ePrivacy is focused on the right to respect for a data subject’s private and family life, home, and communications.
What does it mean to users now that we have GDPR?
At the heart of GDPR is the goal of returning control to data subjects. Under GDPR, users will have the following rights:
- The right to be informed about the existence of profiling, the consequences of such profiling, the processing operation, and its purposes.
- The right of access: to obtain confirmation from the controller as to whether or not personal data concerning them is being processed. This right was already part of the Data Protection Directive.
- The right to rectification of inaccurate personal data concerning him or her.
- The right to erasure (“right to be forgotten”) of personal data concerning him or her without undue delay; the controller has the obligation to erase the personal data without undue delay.
- The right to restrict processing if the accuracy of the personal data is contested by the data subject, the processing is unlawful, and the controller no longer needs the personal data for the purposes of the processing.
- The right to data portability, meaning they have the right to receive personal data that’s been collected about them by a controller. The data must be in a structured, commonly used, and machine-readable format.
- The right to object at any time to processing of personal data concerning them.
What are Data Subjects?
The “internet” universe is a gargantuan source of data. We could reconstruct, reinvent, or recreate this universe many times over using the browsing data we have given away, willingly or unknowingly. But what are the data subjects that fall under GDPR jurisdiction?
‘Personal data’ means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
Anonymous data is information which does not relate to an identified or identifiable natural person, or personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.
Pseudonymous data refers to data that’s been changed into a non-identifiable format, rendering it unable to identify a person without the use of additional data, such as the hashing function or encryption keys.
The best way to understand the difference between these three is with an example:
|Personal Data|Anonymous Data|Pseudonymous Data|
|107 Spring St, Seattle 98121|107 Spring St, Seattle ***121||
|Date of Birth: Sept 1st 1921|Date of Birth: Sept 1st 19**|Date of Birth|
How does this work with Game Developers & Partners?
Game development companies collect vast amounts of user data every day, so both the GDPR and ePrivacy will have a substantial impact on their business operations.
However, as online gaming companies and their partners are powered by technological platforms and processes, the GDPR and ePrivacy will require them to change the way their platforms operate in order to comply with these two regulations and adhere to their newly updated policies.
As most game developers, marketers, and publishers collect and use online identifiers, such as those mentioned above, as well as location data, they will now have to take additional steps to ensure they are compliant with the GDPR’s rules regarding the collection, storage, and usage of personal data.
Examples of personal data include:
- Email, home, and work addresses
- Phone numbers
- Cookie IDs (visitor identifiers stored in cookies)
- IP addresses
- Device IDs
- Device fingerprints
The GDPR states that companies collecting personal data should implement measures to ensure the data is protected at all times, via encryption and pseudonymization, for instance. Although most companies already do this with obvious examples of personal data, such as emails, phone numbers, and IP addresses, they will have to apply this to all types of data they collect.
While these measures will help online advertising and marketing companies mitigate risks associated with data security, encrypted and pseudonymized data are still classed as personal data, meaning companies will still have to obtain user consent and carry out various data-protection measures if they wish to collect and use the information.
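The following sketch is an added example, not code from the original article: it pseudonymizes the identifier fields of a game telemetry event with a keyed hash and shows why the result is still personal data, since whoever holds the key can link tokens back to a user. The field names, the sample events, the key, and the choice of HMAC-SHA256 as the keyed hash are all assumptions made for illustration.

```python
import hashlib
import hmac

# Identifier fields taken from the article's list of personal data (names assumed).
IDENTIFIER_FIELDS = ("email", "phone", "cookie_id", "ip", "device_id")


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256): a stable token that cannot be recomputed without the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymize_event(event: dict, key: bytes) -> dict:
    """Replace identifier fields with tokens; leave gameplay fields untouched."""
    return {
        name: pseudonymize(str(val), key) if name in IDENTIFIER_FIELDS else val
        for name, val in event.items()
    }


def relink(token: str, known_values: list, key: bytes):
    """What the key holder can do: map a token back to a known identifier.

    This "additional data" (the key) is what keeps pseudonymized data personal.
    """
    for candidate in known_values:
        if hmac.compare_digest(pseudonymize(candidate, key), token):
            return candidate
    return None


# Constructed sample data; a real key would be stored apart from the dataset.
KEY = b"constructed-demo-key-not-for-production"
EVENTS = [
    {"device_id": "dev-1234", "ip": "203.0.113.7", "level": 3, "purchase": 0.99},
    {"device_id": "dev-1234", "ip": "203.0.113.7", "level": 4, "purchase": 0.0},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(pseudonymize_event(ev, KEY))
```

Both events carry the same device token, so analytics can still follow one player across sessions, which is exactly why consent and the other data-protection obligations continue to apply.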
The main challenges game developers and their partners face with personal data are collecting it in the first place (i.e. obtaining consent), ensuring its security, and creating a chain of responsibility with their partners when they exchange it with them.
The real test for game developers and their partners will be to update their current platforms so they can anonymize and pseudonymize data to meet their data-protection obligations, and create future-proof businesses that allow clients to run effective and successful advertising and marketing campaigns that respect user privacy and limit their exposure to the GDPR and ePrivacy regulation.
So how does that affect game monetization?
Companies operating in the online advertising and marketing industries will need to be completely upfront with online users about what they plan to do with their data, with whom they wish to share it, and how long they’ll keep it for, while at the same time getting clear agreement from online users to collect their data.
The GDPR and ePrivacy draft make it pretty clear that if companies want to collect personal data from users, use it to track their behavior around the web, display ads based on their data, and trade or sell it to other companies, they will have to get consent from the user before they can do so.
Please send your questions and feedback to firstname.lastname@example.org