Privacy Laws Move Forward. Have You Kept Up?

Did you know Facebook has paid over $2 billion in fines related to an inadvertent violation of privacy laws in just two US states? This violation occurred not due to some nefarious, back-room data exploitation but as a side effect of trying to provide an enhanced user experience for a well-loved customer-facing feature. If this is the impact of a privacy violation in just Texas and Michigan, imagine the potential total costs if other states (and the rest of the world) take a closer interest in consumer privacy compliance and start levying fines.

The days of operating under the radar, without a clear view of the implications of regulatory compliance—even if your intentions are pure as the driven snow—are over.

Apps as a service are certainly here to stay—people want them! Competition for customer mind- and wallet-share is so intense that clever use of big data to optimize user experience is an absolutely critical component of the survival of any service offering in the space.

There is not a GM alive today who would willingly take a percentage of his feature development budget and set it aside for compliance work on his own. This is why proactive governments like those in California and the European Union have introduced laws like the California Consumer Privacy Act (CCPA) and General Data Protection Regulation (GDPR) with stiff fines for companies that do not do the right thing for their customers. The penalties for ignoring or violating these consumer rights protections are incredibly severe and give large and thriving businesses good justification to allocate some of their development budgets to ensuring that these penalties never show up on their P&L statements. Welcome to the wonderful world of compliance!

So, what’s a service provider to do?


The criticality of privacy compliance in games and digital entertainment cannot be overstated. From the outset, teams must embed privacy considerations into the core architecture of their products. This encompasses everything from data minimization principles to robust encryption protocols. As games and other digital experiences transition from concept to market, publishers must navigate a labyrinth of regulatory frameworks, ensuring that every touchpoint with consumer data adheres to the latest legal standards in all relevant markets.  

Moreover, the live operations (live ops) phase of a game, characterized by continuous updates and player engagement, presents ongoing challenges and opportunities in privacy management. Here, the ability to segment audiences effectively and optimize revenue streams depends on data, which is complicated by compliance practices. Sophisticated audience segmentation allows for personalized player experiences, which in turn drive higher engagement and monetization rates. However, this intricate balancing act can only be maintained through meticulous adherence to privacy laws, ensuring that player data is used ethically and transparently. 

The cost of ignoring privacy regulations and requirements can include crippling fines, legal issues, and a tarnished brand reputation in a market where trust is a valuable currency. GDPR fines are based on percentages of global revenue! The fines could easily drive your business to insolvency!

Successful revenue optimization strategies are inextricably linked to how well a company adheres to privacy and compliance regulations. In an era where data breaches and privacy violations are met with swift backlash, companies prioritizing data protection are better positioned to leverage analytics and personalized marketing without compromising player trust. By fostering a culture of compliance, game publishers can explore monetization strategies such as in-game advertising and microtransactions with the confidence that their practices will withstand regulatory scrutiny. 

Privacy and compliance are not just regulatory hurdles but foundational elements of a successful game publishing strategy. From initial design and development to live ops and revenue optimization, these considerations shape the user experience, influence player trust, and ultimately determine the financial success of a game. As privacy laws continue to evolve, staying ahead of the curve is essential for game companies aiming to maintain their competitive edge and foster long-term relationships with their player base. 

Privacy Compliance Starts with Understanding Relevant Regulations 

The landscape of data privacy is evolving rapidly in the US, with individual states enacting various privacy laws to protect consumer personal information, such as the previously mentioned CCPA. In addition, regulations such as GDPR and the Digital Markets Act (DMA) include critical privacy compliance mechanisms that must be understood by anyone hoping to do business in the EU.

For game companies, staying abreast of these laws is an important matter of legal compliance and a crucial component of maintaining consumer trust and safeguarding brand reputation. Ignoring these regulations can result in potentially severe financial penalties and legal challenges—or, at a minimum, significant reputational harm—making it imperative for businesses to stay informed about and responsive to privacy law developments. 

Let’s examine some recent developments in state-level privacy laws across the US and consider why there is no one-size-fits-all solution for compliance. 

The California Consumer Privacy Act (CCPA) took effect in 2020 to give consumers more control over their personal information by providing new rights, such as the right to know what personal data is being collected, the right to request deletion of personal data, and the right to opt out of the sale of personal data. It set a high standard for data privacy in the US, granting California residents robust new rights over their personal information.  

The CCPA was drafted and enacted in response to growing concerns over consumer privacy and the protection of personal data. Key factors included concerns about:

  • Increased data collection related to the Internet, social media, and digital services.
  • High-profile data breaches, such as those affecting Equifax and Yahoo, which highlighted the vulnerabilities in data security and the potential risks to consumer privacy.
  • A lack of existing comprehensive privacy legislation.

Before the CCPA, there was no comprehensive privacy law in the United States that addressed the collection, use, and sharing of personal data. Existing laws were fragmented, and consumer advocates believed they did not adequately protect consumers. 

Following California’s lead, Virginia, Colorado, and Connecticut also implemented comprehensive privacy laws, each with unique requirements and enforcement mechanisms. Companies must navigate this patchwork of regulations to ensure compliance and avoid substantial penalties. 

For instance, the Virginia Consumer Data Protection Act (VCDPA) (an overview is available from the Attorney General of Virginia’s office) and the Colorado Privacy Act (CPA) include provisions for consumer rights to access, correct, and delete personal data and opt out of data processing for targeted advertising.  

While these regulations share broad similarities, they have some key differences, and it is critical to understand them unless you are targeting customers in only one very specific market.

For example, evaluating the scope and applicability of each regulation for your business is complicated. CCPA applies to businesses operating in California that have gross annual revenues above $25 million, buy or sell data of 50,000 or more consumers, households, or devices, or derive 50% or more of annual revenue from selling consumers’ personal information. VCDPA applies to businesses that control or process data of at least 100,000 Virginia consumers annually or control or process data of 25,000 or more consumers while deriving over 50% of gross revenue from the sale of personal data. CPA likewise applies to similar numbers of Colorado residents or businesses that derive revenue or receive a discount on the price of goods or services from selling personal data and controlling or processing data of 25,000 or more consumers. 

As another example, CCPA does not have explicit provisions for sensitive data but covers personal information broadly. VCDPA and CPA explicitly define and provide protections for sensitive data, requiring consumer consent for processing such data. CPA further regulates personal data revealing racial/ethnic origin, religious beliefs, and data of children under 13, among other data types. 

Beyond the complex legal compliance ramifications, staying updated on state privacy laws is essential for fostering consumer trust and loyalty. Data breaches and mishandling of personal information can significantly damage a company’s reputation and erode customer confidence. By proactively adhering to privacy laws and demonstrating a commitment to protecting consumer data, companies can differentiate themselves in a competitive market, build stronger customer relationships, and ultimately drive long-term business success. 


Why Do We Need This Data? 

For several reasons, personalized data covered by privacy regulations is crucial for revenue optimization in games and digital entertainment. This data enables companies to create highly tailored experiences, improve engagement, and implement effective monetization strategies. 

Personalized data allows companies to deliver targeted advertisements to players based on their preferences, behaviors, and demographics. This increases the relevance of ads or offers, leading to higher click-through rates and conversions.  

In-game purchases and microtransactions rely extensively on user data for personalized offers and dynamic pricing. Understanding player behavior and preferences enables companies to present personalized in-game offers and discounts. For example, a player who has already purchased certain items can be targeted with offers or cross-promotions related to those items, increasing the likelihood of purchase. Personalized data can be used to implement dynamic pricing strategies where prices are adjusted based on the player’s engagement level, spending habits, and other factors. 

Customized content based on personalized data helps player retention and engagement by creating content that resonates with individual players, such as custom game levels, characters, or storylines. This enhances player engagement and prolongs game sessions. Data-driven insights enable the implementation of personalized engagement strategies, such as tailored notifications, rewards, and challenges that keep players coming back. 

Effective audience segmentation relies on personalized data about player behavior, spending patterns, and preferences. This segmentation enables more precise marketing and game design strategies tailored to each group. In addition, understanding the different stages of a player’s lifecycle helps create targeted campaigns to acquire, retain, and reactivate players, optimizing overall revenue. 

Personalized data enables the creation of adaptive gameplay experiences that adjust in real time to match the player’s skill level and preferences, leading to a more enjoyable and engaging experience. It also enables effective cross-promotion of other games and services to the existing player base, optimizing overall revenue from the ecosystem. 

While the collection and use of personalized data are critical for these strategies, compliance with privacy regulations such as the CCPA, VCDPA, and CPA ensures that this data is handled ethically and transparently. Adhering to these regulations protects the company from legal and financial repercussions while also building and maintaining player trust, which is essential for long-term success in the competitive landscape of games and digital entertainment. 

Why Is Privacy Expertise Needed To Comply with Privacy Regulations?

Whether you are just starting to implement privacy compliance or updating your existing approach, you need a comprehensive plan to tackle the subject. First and most importantly, you must have access to legal counsel specializing in privacy law. This may seem obvious given that an important step is writing privacy policies that meet the requirements of the laws discussed previously—and any new regulations that may develop.

Other issues arise, however. Many game development teams look at the requirements for protecting data and assume the solutions are obvious and trivial. We have often encountered this situation when talking to developers, whose proffered solution is: “I’ll just hash it so we don’t have the customer data anymore. It’s a one-way hash, and since we don’t have the original value anymore, the problem is solved.”

At this point, you might feel you have succeeded and can move forward with your solution. But you could be wrong. 

This sounds great, but you need to dig a little deeper, and this is where expertise in the minutiae of development and compliance pays dividends. For example, the CCPA calls this process “deidentification.” Hashing might not meet the requirement that “information cannot reasonably be associated with an individual.”

If you consult a privacy attorney, they might point out that hashing is considered “pseudonymization” under the European GDPR and is insufficient to be deemed deidentified. You might have to change your solution further to operate with European consumers in a compliant manner. Having this expertise while planning and implementing your privacy compliance program prevents costly re-implementation or being found out of compliance.
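Why the "just hash it" approach above leaves data associable with an individual, shown as an added example that is not code from the original article: it measures how many rows of a hashed analytics table can be tied back to a person by anyone who still holds raw identifiers, and it goes one step beyond the text by also covering a keyed hash (HMAC). The records, e-mail addresses, key and function names are all constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample data: none of these records come from the article.
PLAYERS = [
    {"email": "alice@example.com", "lifetime_spend": 120.0},
    {"email": "bob@example.com", "lifetime_spend": 0.0},
    {"email": "carol@example.com", "lifetime_spend": 35.5},
    {"email": "dave@example.com", "lifetime_spend": 8.0},
]

# Raw identifiers that still exist somewhere else (support tickets, a CRM
# export, a partner's mailing list). One entry is not a player, and one
# differs from the stored value only in case and whitespace.
KNOWN_IDENTIFIERS = [
    " Alice@Example.com ",
    "bob@example.com",
    "dave@example.com",
    "erin@example.com",
]


def normalize(email):
    """Canonical form used before hashing, as most pipelines do."""
    return email.strip().lower()


def plain_token(email):
    """The 'just hash it' proposal: an unkeyed one-way hash of the identifier."""
    return hashlib.sha256(normalize(email).encode("utf-8")).hexdigest()


def keyed_token(email, key):
    """HMAC-SHA256: same idea, but recomputing a token requires the key."""
    return hmac.new(key, normalize(email).encode("utf-8"), hashlib.sha256).hexdigest()


def tokenize_table(players, tokenizer):
    """Build the supposedly deidentified table: a token replaces the e-mail."""
    return [
        {"player_token": tokenizer(p["email"]), "lifetime_spend": p["lifetime_spend"]}
        for p in players
    ]


def reassociate(table, candidates, tokenizer):
    """Join rows back to people by recomputing tokens for known identifiers.

    The hash is never inverted. It is deterministic, so the same input
    always produces the same token, and that is enough to match rows.
    """
    lookup = {tokenizer(c): normalize(c) for c in candidates}
    return {
        lookup[row["player_token"]]: row["lifetime_spend"]
        for row in table
        if row["player_token"] in lookup
    }


def reassociation_rate(table, candidates, tokenizer):
    """Fraction of rows that can be associated with an individual again."""
    if not table:
        return 0.0
    return len(reassociate(table, candidates, tokenizer)) / len(table)


def audit():
    """Compare the unkeyed hash with a keyed hash, with and without the key."""
    key = b"constructed-demo-key-not-a-real-secret"  # assumption: demo value

    def with_key(email):
        return keyed_token(email, key)

    plain_table = tokenize_table(PLAYERS, plain_token)
    keyed_table = tokenize_table(PLAYERS, with_key)
    return {
        # Anyone with the identifiers can rebuild unkeyed tokens.
        "plain_hash": reassociation_rate(plain_table, KNOWN_IDENTIFIERS, plain_token),
        # Without the key, recomputed tokens do not match the stored ones.
        "keyed_without_key": reassociation_rate(keyed_table, KNOWN_IDENTIFIERS, plain_token),
        # The key holder (your own company) can still re-link every known player.
        "keyed_with_key": reassociation_rate(keyed_table, KNOWN_IDENTIFIERS, with_key),
    }


if __name__ == "__main__":
    for scenario, rate in audit().items():
        print(f"{scenario}: {rate:.0%} of rows re-associated with a person")
```

A non-zero rate for any party that can obtain both the tokens and the identifiers is the situation the passage above describes; whether a given design then counts as deidentified under a particular law remains a question for counsel.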


Nine Critical Steps for Approaching Privacy Compliance in Games 

Here are 9 critical steps to follow to ensure your team can achieve privacy compliance across all relevant, changing regulations. Your specific applications, technology, and business processes might change—and this list is not comprehensive—but it is a good place for your organization to start. Review it with your counsel to ensure you have a comprehensive plan. 

  1. Hire a Privacy Attorney: Engage counsel who are experts in consumer privacy laws for the jurisdictions covering all of your targeted customers. 
  2. Conduct Data Mapping and Inventory: Identify and catalog all personal data collected, processed, stored, and shared. This involves understanding data flows, the purposes for data collection, and how data is used. You must document and understand how consumer data is shared within your company and IT infrastructure, with service providers, and with third parties. 
  3. Update Privacy Policies and Notices: Revise privacy policies to ensure they are transparent and compliant with various state requirements. This includes detailing the types of personal data collected, the purposes for data processing, and consumers’ rights under applicable laws, such as the rights to access, correct, delete, and opt out of the sale of their data. 
  4. Implement Consumer Rights Requests or Data Service Requests (DSR): Develop and implement procedures to manage consumer rights requests efficiently. This includes setting up systems for consumers to submit requests, verifying the identity of requesters, and responding to requests within the required time. Laws in different jurisdictions have varying time requirements for handling requests. 
  5. Enhance Data Security Measures: Ensure robust data security measures are in place to protect personal data from unauthorized access, breaches, and theft. This includes encryption, regular security assessments, access controls, and incident response plans to address potential data breaches promptly. 
  6. Review and Update Third-Party Agreements: Evaluate and update contracts with third-party service providers to ensure compliance with state laws. Companies must ensure that third parties processing personal data on their behalf adhere to the same data protection standards and notify the company of any data breaches. 
  7. Employee Training and Awareness: Conduct training programs for employees, particularly those involved in data processing, customer service, and compliance. Employees should be aware of and understand applicable state and international requirements and learn how to appropriately manage consumer data and privacy requests. 
  8. Appoint a Data Protection Officer (DPO): If required by the size and scope of data processing activities, appoint a DPO to oversee compliance with applicable privacy laws and serve as a point of contact for data protection issues and consumer requests. 
  9. Stay Informed on Legal Developments: Regularly monitor updates and changes in privacy laws to ensure you are aware of and meeting ongoing changes in compliance requirements. This includes subscribing to legal updates, attending relevant webinars, and consulting with legal experts as needed. Your counsel should be aware of these changes and keep you informed, but it is advantageous to develop awareness and expertise on your team—you are ultimately responsible for meeting these requirements. 

If you are starting from nothing, you might be overwhelmed by what is required to solve even one of the bullet points above. The first challenge is knowing what laws you need to adhere to and what that requires in terms of people and action on your team. Your best first step is to follow our first recommendation: engage and consult with legal counsel who has privacy expertise. 


Getting Started on an Effective Privacy Compliance Strategy 

To repeat the advice at the top of our list: first, look to engage and consult with legal counsel. While you are doing that, however, there are several steps you can take to educate your team. 

Usually, an organization would like to take a “one size fits all” approach and might construct and follow a set of policies that adheres to all jurisdictions rather than segregate implementation into different buckets. This was easier before the proliferation of state laws complicated the US legal front.  

Become familiar with online resources to research the privacy landscape. State websites publish the laws and additional information to help you comply. We linked to state-provided resources regarding CCPA, VCDPA, and CPA earlier in this article, and those should be your primary sources for understanding the exact language and intent of the regulations.  

SixFifty’s Comparison of State Consumer Privacy Laws (Updated 2024) provides a handy overview of the privacy laws already in effect, those that have passed but whose effective date is coming up soon, and those being considered in state legislatures. This can help you understand the scope of complexity around compliance with multi-state privacy regulations.  

We find the US State Privacy Law Database provided by Husch Blackwell to be helpful both for the text of the laws and for insightful blog posts on them. Many other law firms provide information and insights, as do a number of solution vendors in the space. Be sure to consider the biases of the source of information you’re looking at, however.

And when you start to consider how to comply, there are industry solutions to help implement your program. For example, tools are available to help discover and catalog consumer information in your infrastructure. Companies such as DataGuard, Strac, and OneTrust provide tools and solutions that leverage AI to scan your data to find where consumer personal data resides, speeding up your program’s data mapping and inventory processes. 

In the context of Data Service Requests (DSR), if you break down the “Implement Consumer Rights Requests” task, you will find that a significant portion of what it requires is a workflow solution that can receive requests from consumers, organize them into queues for processing by your customer service or compliance department, and track the status of those requests, including details such as the time remaining before a request becomes late per policy or legal requirement. Vendors such as OneTrust, TrustArc, and Transcend provide platforms to automate and streamline these operations.

The requirements for securing data are part of an enormous and complicated industry of cyber-security that has endless vendors to help with complex data and software security. 

Taking it even further, you can contract with firms to provide training and perform security assessments, and even subscribe to information regarding changes and updates to privacy laws and requirements. You don’t have to tackle this on your own, and you are best off assembling a cross-functional team to help provide a comprehensive solution and process.

Next Steps for Addressing Privacy Compliance and Revenue Optimization

This is not a one-and-done process. As long as you’re handling consumer data, you have an ongoing responsibility. Make sure you have a dedicated budget for this continual process, whether processing DSRs or performing a Data Protection Impact Assessment (DPIA) when major new releases or changes in infrastructure happen. Ensure that you have a privacy compliance team with access to the resources required to succeed. 

Complying with privacy laws is your responsibility. The rate of change has accelerated in the past few years, and you need to make sure your organization is on top of privacy and that you become and stay compliant. Get help, get compliant, and keep your consumers safe. 

The Game Data Pros team has significant expertise in handling consumer data appropriately and building revenue optimization solutions that comply with the latest privacy regulations.

I have been involved in security and compliance initiatives for over 20 years. During that time, I was responsible for building and operating payment services that required achieving PCI Level 1 compliance, from initial certification to maintaining ongoing certification. I have also implemented a program of SOC 2 certification for services so that customers would be assured of privacy, security, and availability of SaaS service. Additionally, I have worked with clients on solutions for CCPA, California Privacy Rights Act (CPRA), and GDPR compliance, as well as advising clients on cyber security solutions for both private and public cloud services.

In addition, Game Data Pros Principal Scientist Dr. Julian Runge, along with Garrett Johnson and Eric Seufert, co-published the article Privacy-Centric Digital Advertising: Implications for Research, discussing new privacy-focused digital advertising approaches and their implications for advertising strategy, targeting, and measurement.

To learn more about how Game Data Pros can help your revenue optimization efforts while complying with an increasingly complicated landscape of privacy regulations, contact us.

Disclaimer

Please note that the information provided here should not be construed as legal advice. It is always recommended that you consult with a qualified attorney or legal expert for up-to-date advice tailored to your circumstances and the jurisdiction in which you operate.

What is Compliance in Games?


So many factors go into delivering a hit game that compliance seems like the least of worries. One might be forgiven for thinking, “What’s the point in being compliant if the game isn’t successful?” And the answer is clear: if the game becomes a hit, it’s too late to become compliant. The next thought might be, “So what? We’ll just pay some fines, no big deal, right?” The reality can be far from what’s imagined. And if the game is not a hit title but violates privacy or other laws, the monetary risk could easily add losses to a publisher’s bottom line.

The federal government and other organizations have levied vast fines in the past several years. Take, for instance, the Epic Games settlement with the Federal Trade Commission, with a price tag over half a billion dollars. How many companies can survive that, and what would such an enormous fine do to a title’s profit and loss statement? Even if that fine is an outlier, many studios could be at risk for substantial fines. California’s CCPA law has fines of up to $2,500 per violation or $7,500 for each intentional violation. GDPR specifies that less severe infringements could result in a fine of up to €10 million or 2% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher. These laws must be followed, and they have teeth in the form of hefty penalties when violated.

This article will introduce the reader to some but not all of the subject matter and primarily focus on the US market. It will also highlight some relevant international considerations, such as for the EU, UK, and Japan. It should help with thinking through questions about a publisher’s risk. If nobody in your organization has the documentation to back up the statement “We’re compliant,” your organization is at risk. If no compliance officer is designated, your organization is at risk. Later articles will cover how to assess an organization’s state of compliance, follow changes in regulations in the field, and delve deeper into subjects such as data privacy compliance.

Compliance Overview

The compliance landscape for video games has changed significantly since the first games were released in the 1970s. Initially, there were few requirements for publishing and operating games and few laws or jurisdictions to pay attention to. But the Wild West in games is gone. In today’s world, many legal jurisdictions, along with industry associations and publishing platforms’ terms, must be heeded to operate games successfully and legally.

Generally, the considerations for compliance come from government entities, industry associations, and publishing platforms. Government entities might enforce laws that originate at the national, state, or local levels. Industry associations might exist internationally or nationally. And the publishing platforms, such as Apple, Google, Sony, Microsoft, Steam, and others, have their own publishing requirements that must be adhered to.

When creating a game to be operated in the United States, the many subject areas one must pay attention to include (but are not limited to) those listed below:

  • Age Ratings
  • Accessibility
  • Gambling and Loot Boxes
  • Advertising and Marketing
  • Export Controls and Trade Restrictions
  • Content Regulations
  • Licensing and Distribution
  • Platform Specific Requirements
  • Localization
  • Privacy and Data Protection

Topic Areas

Age Ratings

The early days of the game industry saw copious creativity in new game subjects and designs. However, some titles explored adult topics, including violence, sex, drugs, and others often considered societal vices. Pushback from parents, church leaders, and legislators motivated the industry to create an organization to rate game content, largely to self-regulate and head off politicians from passing laws to regulate the industry. The Entertainment Software Rating Board (ESRB) was formed and today is responsible for rating games that developers and publishers submit. The ratings assess age-appropriateness and indicate the type of sensitive content the game title explores.

Several major publishing platforms, including Microsoft Xbox, Sony PlayStation, and Nintendo, generally require an ESRB rating on the game titles before they can be published for distribution. Several of the major PC distribution platforms, including Steam and Epic, don’t require the ESRB rating but do provide their own content description systems whereby the game developer will disclose the content of their game. Mobile platforms like Apple App Store and Google Play Store also have their own age and content rating systems.

Note that other organizations play a role in Europe, Japan, and other regions, such as Pan European Game Information or Computer Entertainment Rating Organization.

Accessibility

Accessibility in video games pertains to designing and implementing game features that ensure all players, including those with disabilities, can have a satisfactory gaming experience. This includes a range of considerations, from visual aids like subtitles and colorblind modes to auditory cues for those with hearing impairments. Accessibility also encompasses mechanics like remappable controls for those with motor disabilities or the inclusion of alternative communication tools for online games in compliance with regulations like the 21st Century Communications and Video Accessibility Act (CVAA). These features aim to make video games more inclusive, allowing a broader audience to engage with and enjoy the titles.

Gambling and Loot Boxes

In the United States, gambling laws are primarily state regulated. Most states generally disallow gambling, although sometimes carving out exceptions for lotteries, horse racing, or card rooms. Numerous complex state laws must be navigated, and even some multi-state agreements.

Loot boxes in video games have garnered significant scrutiny due to their similarity to gambling mechanics. In the US, they are generally not governed by the same laws as gambling and are therefore permitted. Some states have proposed regulations that have not yet been enacted. The gaming industry is, however, utilizing content ratings to raise awareness, especially for parents, of game content that could be considered gambling.

Internationally, multiple countries have ruled that gambling laws apply to loot boxes, and therefore care must be taken when publishing in those jurisdictions.

Advertising and Marketing

Advertising and marketing within video games, often referred to as “advergaming” or “in-game advertising,” are subject to various regulations, both general (related to advertising standards) and specific (related to the nature of video games). In-game advertising must follow the same laws as other advertising formats in the US. For example, in-game ads must not be misleading or deceptive. This principle is enshrined in U.S. law and is overseen by the Federal Trade Commission (FTC). This means that any claims made within an ad must be substantiated. Additionally, FTC has guidelines for endorsements and testimonials. If a video game includes any endorsements (like a celebrity avatar promoting a product within the game), these guidelines need to be followed. For instance, any material connections between the endorser and the advertiser must be disclosed. If there’s a promotional consideration (like if a brand paid to be featured in a game), this might need to be disclosed, especially if it affects the gameplay or player decisions. Finally, if a game contains advertising for alcohol or tobacco, it needs to ensure that it follows relevant laws and industry guidelines, such as not targeting minors.

Note that advertising and marketing concerns overlap with privacy concerns covered in the later section of this article on privacy and data protection. In-game ads might collect user data to serve targeted ads. If so, this data collection must comply with privacy laws.

Export Controls and Trade Restrictions

When publishing internationally, the United States has some regulations that must be followed. The Export Administration Regulations deserve attention specifically where encryption is used in a game’s network, chat, or other systems. Unless the game uses novel encryption, the methods are likely allowed under exemptions for mass market or publicly available encryption rules.

Another very important consideration is the Office of Foreign Assets Control (OFAC) regulations. These require companies to follow US sanctions against specific countries, terrorists, drug traffickers, and other threats. Like all U.S. entities and individuals, video game companies must ensure they’re not doing business with sanctioned countries, entities, or individuals. This means not selling games in certain countries or not allowing transactions within games from sanctioned individuals or entities.

Content Regulations

In the United States, video games are protected under the First Amendment as a form of expression, meaning the government has limited ability to regulate their content. In 2011, the Supreme Court ruled in Brown v. Entertainment Merchants Association that video games are protected speech under the First Amendment. This gives developers and publishers broad discretion on what content to include in their game titles by law.

However, the major publishers all have a set of terms and rules that might prohibit certain content on a given publisher platform. The Apple App Store, for instance, has many rules regarding content, which can be read in its App Store Review Guidelines.

Many countries other than the United States carefully regulate content, and their rules must be considered when publishing in those regions.

Licensing and Distribution

Although not unique to video games, intellectual property rights under copyright, trademark, or patent law must be considered when publishing in the United States.

No games are developed 100% stand-alone, with no reliance on third-party code or libraries. Therefore, licensing agreements with technology providers will have terms that must be adhered to, relating to anything from disclosure notices to payment terms to platforms allowed. Additionally, content is often licensed from other parties, and terms governing the usage of that content must be adhered to. This could include game genres approved, allowing the IP owner to review the game for compliance with the contract terms, or constraining which regions the content may be distributed into.

Another consideration in virtually all games today is an End User License Agreement (EULA) that serves as a contract between the user and the publisher. These typically are long eye-charts of terms governing the use of the game, the rights of the individual, allowed usage, and more. There is some effort at the government level to require human-readable EULAs, and there are questions about enforceability in general.

Platform Specific Requirements

Platform vendors such as Microsoft and Sony have requirements for games to be considered for publishing. Developers and publishers need to meet these requirements, which can run the gamut from technical requirements to age ratings to privacy to monetization. Additionally, the game title must undergo a certification process before game release. Mobile game platforms such as Apple and Google have similar requirements and processes; therefore, the development and publishing process will need to plan, develop, and test for compliance.

Localization

Unlike other countries, few laws require specific localization in the United States. That said, providing language alternatives to English can increase the audience within the US, given the large population of foreign-speaking residents.

In publishing games internationally, however, localization is a much bigger consideration. Many countries mandate that games be available in the local languages. Beyond just language, cultural norms often must be met regarding themes such as violence, sexual content, and religious references. Certain content that would be allowed in the United States is illegal in other countries.

Privacy and Data Protection

Over the last decade, much focus has been placed on privacy in online applications. The ability to track a consumer’s activity across many websites and applications has been a powerful tool for targeting advertising and analytics. There has been a surge of pushback on this unfettered data collection, with laws being passed in multiple jurisdictions to establish privacy rights for individuals. Europe led the way with the General Data Protection Regulation (GDPR), which stipulates privacy rights for consumers and a framework for companies to follow to ensure that applications respect those rights and that consumer data is secured when companies collect it. The regulation has some teeth in the penalties that corporations may face if they are not following it, so close attention must be paid, or game publishers may be left with large liabilities.

California has brought similar law to the US by passing the California Consumer Privacy Act (CCPA). It contains Information Rights Requests (IRRs) similar to those in the GDPR, but there are subtle differences in what exceptions are allowed to retain data after a user has requested their data be deleted. The law allows California’s Attorney General to investigate and fine corporations violating CCPA regulations. The penalties can be severe, creating large liability for corporations out of compliance. To fully support these regulations, a publisher must provide timely processes allowing consumers to request access to data the publisher is keeping about a consumer or to act on a consumer delete request. Given the different touchpoints, compliance crosses corporate departments and functions from development to cybersecurity to customer support.

Platform providers such as Apple have also entered privacy advocacy, as seen with the introduction of the AppTrackingTransparency framework. This has given the consumer more control over what data is shared with online sites and application vendors. But it has also thrown a wrench into the gears of mobile marketing functions and the ad attribution processes.

Summary

Invest now to become compliant and stay compliant. These regulations, rules, terms, and conditions should be considered early in the game design process, as they can impact game design. If loot boxes are critical to the game design, and the game is intended to be published globally, changes must be accommodated for some national markets due to gambling regulations. As another example, incorporating data privacy and protection settings will affect the game’s user interface, and backend systems will need the ability to delete user data upon request built into their design. This type of consideration has not traditionally been a requirement for development teams and is often antithetical to the desire to preserve all data for analytics purposes. It must be part of the product design up front.

Assessing where one’s organization stands regarding compliance is not a one-time task. This recurring assessment crosses the product management, development, cyber security, customer service, legal, and other teams. Laws change, and tracking and adapting your processes, technology, and techniques to accommodate the changes is critical. Staying compliant is an ongoing effort. Get help if needed; neglecting this will incur significant risk to the organization.

Disclaimer

Please note that the information provided here is for general informational purposes only and should not be construed as legal advice. I am not a lawyer and am not qualified to provide legal guidance or interpretations of specific laws or regulations. The information presented may not be comprehensive, up-to-date, or applicable to your specific situation. It is always recommended that you consult with a qualified attorney or legal expert for advice tailored to your individual circumstances and the jurisdiction in which you operate.
