Privacy Laws Move Forward. Have You Kept Up?

Did you know Facebook has paid over $2 billion in fines related to an inadvertent violation of privacy laws in just two US states? This violation occurred not due to some nefarious, back-room data exploitation but as a side effect of trying to provide an enhanced user experience for a well-loved customer-facing feature. If this is the impact of a privacy violation in just Texas and Michigan, imagine what the potential total costs if other states (and the rest of the world) take a closer interest in consumer privacy compliance and start levying fines.

The days of operating under the radar, without a clear view of the implications of regulatory compliance—even if your intentions are pure as the driven snow—are over.

Apps as a service are certainly here to stay—people want them! Heavy competition for customer mind- and wallet-share is so intense that clever use of big data to optimize user experience is an absolutely critical component to the survival of any service offering in the space.

There is not a GM alive today who would willingly take a percentage of his feature development budget and set it aside willingly to do compliance work on his own. This is why proactive governments like those in California and the European Union have introduced laws like the California Consumer Privacy Act (CCPA) and General Data Protection Regulation (GDPR) with stiff fines for companies that do not do the right thing for their customers. The penalties for ignoring or violating these consumer rights protections are incredibly severe and give really good justification for large and thriving businesses to allocate some of their development budgets to ensure that these penalties never show up on their P&L statements. Welcome to the wonderful world of compliance!

So, what’s a service provider to do?

The criticality of privacy compliance in games and digital entertainment cannot be overstated. From the outset, teams must embed privacy considerations into the core architecture of their products. This encompasses everything from data minimization principles to robust encryption protocols. As games and other digital experiences transition from concept to market, publishers must navigate a labyrinth of regulatory frameworks, ensuring that every touchpoint with consumer data adheres to the latest legal standards in all relevant markets.  

Moreover, the live operations (live ops) phase of a game, characterized by continuous updates and player engagement, presents ongoing challenges and opportunities in privacy management. Here, the ability to segment audiences effectively and optimize revenue streams depends on data, which is complicated by compliance practices. Sophisticated audience segmentation allows for personalized player experiences, which in turn drive higher engagement and monetization rates. However, this intricate balancing act can only be maintained through meticulous adherence to privacy laws, ensuring that player data is used ethically and transparently. 

The cost of ignoring privacy regulations and requirements can include crippling fines, legal issues, and a tarnished brand reputation in a market where trust is a valuable currency. GDPR fines are based on percentages of global revenue! The fines could easily drive your business to insolvency!

Successful revenue optimization strategies are inextricably linked to how well a company adheres to privacy and compliance regulations. In an era where data breaches and privacy violations are met with swift backlash, companies prioritizing data protection are better positioned to leverage analytics and personalized marketing without compromising player trust. By fostering a culture of compliance, game publishers can explore monetization strategies such as in-game advertising and microtransactions with the confidence that their practices will withstand regulatory scrutiny. 

Privacy and compliance are not just regulatory hurdles but foundational elements of a successful game publishing strategy. From initial design and development to live ops and revenue optimization, these considerations shape the user experience, influence player trust, and ultimately determine the financial success of a game. As privacy laws continue to evolve, staying ahead of the curve is essential for game companies aiming to maintain their competitive edge and foster long-term relationships with their player base. 

Privacy Compliance Starts with Understanding Relevant Regulations 

The landscape of data privacy is evolving rapidly in the US, with individual states enacting various privacy laws to protect consumer personal information, such as the previously mentioned CCPA. In addition, regulations such as GDPR and the Digital Markets Act (DMA) include critical privacy compliance mechanisms that must be understood by anyone hoping to do business in the EU.

For game companies, staying abreast of these laws is an important matter of legal compliance and a crucial component of maintaining consumer trust and safeguarding brand reputation. Ignoring these regulations can result in potentially severe financial penalties and legal challenges—or, at a minimum, significant reputational harm—making it imperative for businesses to stay informed about and responsive to privacy law developments. 

Let’s examine some recent developments in state-level privacy laws across the US and consider why there is no one-size-fits-all solution for compliance. 

The California Consumer Privacy Act (CCPA) took effect in 2020 to give consumers more control over their personal information by providing new rights, such as the right to know what personal data is being collected, the right to request deletion of personal data, and the right to opt out of the sale of personal data. It set a high standard for data privacy in the US, granting California residents robust new rights over their personal information.  

The CCPA was drafted and enacted in response to growing concerns over consumer privacy and the protection of personal data. Key factors included concerns about:

• Increased data collection related to the Internet, social media, and digital services.
• High-profile data breaches, such as those affecting Equifax and Yahoo, highlight the vulnerabilities in data security and the potential risks to consumer privacy.
• A lack of existing comprehensive privacy legislation.

Before the CCPA, there was no comprehensive privacy law in the United States that addressed the collection, use, and sharing of personal data. Existing laws were fragmented, and consumer advocates believed they did not adequately protect consumers. 

Following California’s lead, Virginia, Colorado, and Connecticut also implemented comprehensive privacy laws, each with unique requirements and enforcement mechanisms. Companies must navigate this patchwork of regulations to ensure compliance and avoid substantial penalties. 

For instance, the Virginia Consumer Data Protection Act (VCDPA) (an overview is available from the Attorney General of Virginia’s office) and the Colorado Privacy Act (CPA) include provisions for consumer rights to access, correct, and delete personal data and opt out of data processing for targeted advertising.  

While these regulations share broad similarities, it is critical to understand their differences unless you are targeting customers in only one very specific market. These data privacy laws have some key differences. 

For example, evaluating the scope and applicability of each regulation for your business is complicated. CCPA applies to businesses operating in California that have gross annual revenues above $25 million, buy or sell data of 50,000 or more consumers, households, or devices, or derive 50% or more of annual revenue from selling consumers’ personal information. VCDPA applies to businesses that control or process data of at least 100,000 Virginia consumers annually or control or process data of 25,000 or more consumers while deriving over 50% of gross revenue from the sale of personal data. CPA likewise applies to similar numbers of Colorado residents or businesses that derive revenue or receive a discount on the price of goods or services from selling personal data and controlling or processing data of 25,000 or more consumers. 

As another example, CCPA does not have explicit provisions for sensitive data but covers personal information broadly. VCDPA and CPA explicitly define and provide protections for sensitive data, requiring consumer consent for processing such data. CPA further regulates personal data revealing racial/ethnic origin, religious beliefs, and data of children under 13, among other data types. 

Beyond the complex legal compliance ramifications, staying updated on state privacy laws is essential for fostering consumer trust and loyalty. Data breaches and mishandling of personal information can significantly damage a company’s reputation and erode customer confidence. By proactively adhering to privacy laws and demonstrating a commitment to protecting consumer data, companies can differentiate themselves in a competitive market, build stronger customer relationships, and ultimately drive long-term business success. 

Why Do We Need This Data? 

For several reasons, personalized data covered by privacy regulations is crucial for revenue optimization in games and digital entertainment. This data enables companies to create highly tailored experiences, improve engagement, and implement effective monetization strategies. 

Personalized data allows companies to deliver targeted advertisements to players based on their preferences, behaviors, and demographics. This increases the relevance of ads or offers, leading to higher click-through rates and conversions.  

In-game purchases and microtransactions rely extensively on user data for personalized offers and dynamic pricing. Understanding player behavior and preferences enables companies to present personalized in-game offers and discounts. For example, a player who has already purchased certain items can be targeted with offers or cross-promotions related to those items, increasing the likelihood of purchase. Personalized data can be used to implement dynamic pricing strategies where prices are adjusted based on the player’s engagement level, spending habits, and other factors. 

Customized content based on personalized data helps player retention and engagement by creating content that resonates with individual players, such as custom game levels, characters, or storylines. This enhances player engagement and prolongs game sessions. Data-driven insights enable the implementation of personalized engagement strategies, such as tailored notifications, rewards, and challenges that keep players coming back. 

Effective audience segmentation relies on personalized data about player behavior, spending patterns, and preferences. This segmentation enables more precise marketing and game design strategies tailored to each group. In addition, understanding the different stages of a player’s lifecycle helps create targeted campaigns to acquire, retain, and reactivate players, optimizing overall revenue. 

Personalized data enables the creation of adaptive gameplay experiences that adjust in real time to match the player’s skill level and preferences, leading to a more enjoyable and engaging experience. It also enables effective cross-promotion of other games and services to the existing player base, optimizing overall revenue from the ecosystem. 

While the collection and use of personalized data are critical for these strategies, compliance with privacy regulations such as the CCPA, VCDPA, and CPA ensures that this data is handled ethically and transparently. Adhering to these regulations protects the company from legal and financial repercussions while also building and maintaining player trust, which is essential for long-term success in the competitive landscape of games and digital entertainment. 

Why Is Privacy Expertise Needed To Comply with Privacy Regulations?

Whether you are just starting to implement privacy compliance or updating your existing approach, you need a comprehensive plan to tackle the subject. First and most importantly, you must have access to legal counsel specializing in privacy law. This may seem obvious given that an important step is writing privacy policies that meet the needs of these laws discussed previously—and any new regulations that may develop.  

Other issues arise, however. Many game development teams look at the requirements for protecting data and assume the solutions are obvious and trivial. We have often encountered the situation when talking to developers: their proffered solution of “I’ll just hash it so we don’t have the customer data anymore. It’s a one-way hash, and since we don’t have the original value anymore, the problem is solved.” 

At this point, you might feel you have succeeded and can move forward with your solution. But you could be wrong. 

This sounds great, but you need to dig a little deeper, and this is where expertise in the minutia of development and compliance pays dividends. For example, the CCPA calls this process “deidentification.” Hashing might not meet the requirement that “information cannot reasonably be associated with an individual.”  

If you consult a privacy attorney, they might point out that hashing is considered “pseudo-anonymization” per the European GDPR laws and is insufficient to be deemed deidentified. You might have to change your solution further to operate with European consumers in a compliant manner. Having this expertise while planning and implementing your privacy compliance program prevents costly re-implementation or being held out of compliance. 

Nine Critical Steps for Approaching Privacy Compliance in Games 

Here are 9 critical steps to follow to ensure your team can achieve privacy compliance across all relevant, changing regulations. Your specific applications, technology, and business processes might change—and this list is not comprehensive—but it is a good place for your organization to start. Review it with your counsel to ensure you have a comprehensive plan. 

1. Hire a Privacy Attorney: Engage counsel who are experts in consumer privacy laws for the jurisdictions covering all of your targeted customers. 
2. Conduct Data Mapping and Inventory: Identify and catalog all personal data collected, processed, stored, and shared. This involves understanding data flows, the purposes for data collection, and how data is used. You must document and understand how consumer data is shared within your company and IT infrastructure, with service providers, and with third parties. 
3. Update Privacy Policies and Notices: Revise privacy policies to ensure they are transparent and compliant with various state requirements. This includes detailing the types of personal data collected, the purposes for data processing, and consumers’ rights under applicable laws, such as the rights to access, correct, delete, and opt out of the sale of their data. 
4. Implement Consumer Rights Requests or Data Service Requests (DSR): Develop and implement procedures to manage consumer rights requests efficiently. This includes setting up systems for consumers to submit requests, verifying the identity of requesters, and responding to requests within the required time. Laws in different jurisdictions have varying time requirements for handling requests. 
5. Enhance Data Security Measures: Ensure robust data security measures are in place to protect personal data from unauthorized access, breaches, and theft. This includes encryption, regular security assessments, access controls, and incident response plans to address potential data breaches promptly. 
6. Review and Update Third-Party Agreements: Evaluate and update contracts with third-party service providers to ensure compliance with state laws. Companies must ensure that third parties processing personal data on their behalf adhere to the same data protection standards and notify the company of any data breaches. 
7. Employee Training and Awareness: Conduct training programs for employees, particularly those involved in data processing, customer service, and compliance. Employees should be aware of and understand applicable state and international requirements and learn how to appropriately manage consumer data and privacy requests. 
8. Appoint a Data Protection Officer (DPO): If required by the size and scope of data processing activities, appoint a DPO to oversee compliance with applicable privacy laws and serve as a point of contact for data protection issues and consumer requests. 
9. Stay Informed on Legal Developments: Regularly monitor updates and changes in privacy laws to ensure you are aware of and meeting ongoing changes in compliance requirements. This includes subscribing to legal updates, attending relevant webinars, and consulting with legal experts as needed. Your counsel should be aware of these changes and keep you informed, but it is advantageous to develop awareness and expertise on your team—you are ultimately responsible for meeting these requirements. 

If you are starting from nothing, you might be overwhelmed by what is required to solve even one of the bullet points above. The first challenge is knowing what laws you need to adhere to and what that requires in terms of people and action on your team. Your best first step is to follow our first recommendation: engage and consult with legal counsel who has privacy expertise. 

Getting Started on an Effective Privacy Compliance Strategy 

To repeat the advice at the top of our list: first, look to engage and consult with legal counsel. While you are doing that, however, there are several steps you can take to educate your team. 

Usually, an organization would like to take a “one size fits all” approach and might construct and follow a set of policies that adheres to all jurisdictions rather than segregate implementation into different buckets. This was easier before the proliferation of state laws complicated the US legal front.  

Become familiar with online resources to research the privacy landscape. State websites publish the laws and additional information to help you comply. We linked to state-provided resources regarding CCPA, VCDPA, and CPA earlier in this article, and those should be your primary sources for understanding the exact language and intent of the regulations.  

SixFifty’s Comparison of State Consumer Privacy Laws (Updated 2024) provides a handy overview of the privacy laws already in effect, those that have passed but whose effective date is coming up soon, and those being considered in state legislatures. This can help you understand the scope of complexity around compliance with multi-state privacy regulations.  

We find the US State Privacy Law Database provided by Husch Blackwell to be helpful both for the text of the laws and for insightful blog posts on them. Many other law firms provide information and insights, and even a number of solution vendors in the space. Be sure to consider the biases of the source of information you’re looking at, however. 

And when you start to consider how to comply, there are industry solutions to help implement your program. For example, tools are available to help discover and catalog consumer information in your infrastructure. Companies such as DataGuard, Strac, and OneTrust provide tools and solutions that leverage AI to scan your data to find where consumer personal data resides, speeding up your program’s data mapping and inventory processes. 

In the context of Data Service Requests (DSR), if you break down the “Implement Consumer Rights Requests” task, you will find that a significant portion of what it requires is a workflow solution that can receive requests from consumers, organize them into queues for processing with your customer service or compliance department, track status of such requests, including details such as remaining time before the request becomes late per policy or legal requirement. Vendors such as OneTrust, TrustArc, and Transcend provide platforms to automate and streamline these operations. 

The requirements for securing data are part of an enormous and complicated industry of cyber-security that has endless vendors to help with complex data and software security. 

Taking it even further, you can contract with firms for training, perform security assessments, and even subscribe to information regarding changes and updates to privacy laws and requirements. You don’t have to tackle this on your own, and you are best off assembling a cross-functional team to help provide a comprehensive solution and process. 

Next Steps for Addressing Privacy Compliance and Revenue Optimization

This is not a one-and-done process. As long as you’re handling consumer data, you have an ongoing responsibility. Make sure you have a dedicated budget for this continual process, whether processing DSRs or performing a Data Protection Impact Assessment (DPIA) when major new releases or changes in infrastructure happen. Ensure that you have a privacy compliance team with access to the resources required to succeed. 

Complying with privacy laws is your responsibility. The rate of change has accelerated in the past few years, and you need to make sure your organization is on top of privacy and that you become and stay compliant. Get help, get compliant, and keep your consumers safe. 

The Game Data Pros team has significant expertise in handling consumer data appropriately and building revenue optimization solutions that comply with the latest privacy regulations.

I have been involved in security and compliance initiatives for over 20 years. During that time, I was responsible for building and operating payment services that required achieving PCI Level 1 compliance, from initial certification to maintaining ongoing certification. I have also implemented a program of SOC 2 certification for services so that customers would be assured of privacy, security, and availability of SaaS service. Additionally, I have worked with clients on solutions for CCPA, California Privacy Rights Act (CPRA), and GDPR compliance, as well as advising clients on cyber security solutions for both private and public cloud services.

In addition, Game Data Pros Principal Scientist Dr. Julian Runge, along with Garrett Johnson and Eric Seufert, co-published the article Privacy-Centric Digital Advertising: Implications for Research, discussing new privacy-focused digital advertising approaches and their implications for advertising strategy, targeting, and measurement.

To learn more about how Game Data Pros can help your revenue optimization efforts while complying with an increasingly complicated landscape of privacy regulations, contact us.

Disclaimer

Please note that the information provided here should not be construed as legal advice. It is always recommended that you consult with a qualified attorney or legal expert for up-to-date advice tailored to your circumstances and the jurisdiction in which you operate.