
So many factors go into delivering a hit game that compliance seems like the least of worries. One might be forgiven for thinking, “What’s the point in being compliant if the game isn’t successful?” The answer is clear: if the game becomes a hit, it’s too late to become compliant. The next thought might be, “So what? We’ll just pay some fines, no big deal, right?” The reality can be far from what’s imagined. And if the game is not a hit title but violates privacy or other laws, the monetary risk could easily add losses to a publisher’s bottom line.
The federal government and other organizations have levied vast fines in the past several years. Take, for instance, the Epic Games settlement with the Federal Trade Commission, with a price tag of over half a billion dollars. How many companies can survive that, and what would such an enormous fine do to a title’s profit and loss statement? Even if that fine is an outlier, many studios could be at risk for substantial fines. California’s CCPA law has fines of up to $2,500 per violation or $7,500 for each intentional violation. Under GDPR, less severe infringements could result in a fine of up to €10 million or 2% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher. These laws must be followed, and they have teeth in the form of hefty penalties when violated.
This article will introduce the reader to some but not all of the subject matter and primarily focus on the US market. It will also highlight some relevant international considerations, such as for the EU, UK, and Japan. It should help with thinking through questions about a publisher’s risk. If nobody in your organization has the documentation to back up the statement “We’re compliant,” your organization is at risk. If no compliance officer is designated, your organization is at risk. Later articles will cover how to assess an organization’s state of compliance, follow changes in regulations in the field, and delve deeper into subjects such as data privacy compliance.
Compliance Overview
The compliance landscape for video games has changed significantly since the first games were released in the 1970s. Initially, there were few requirements for publishing and operating games and few laws or jurisdictions to pay attention to. But the Wild West in games is gone. In today’s world, many legal jurisdictions, along with industry associations and publishing platforms’ terms, must be heeded to operate games successfully and legally.
Generally, the considerations for compliance come from government entities, industry associations, and publishing platforms. Government entities might enforce laws that originate at the national, state, or local levels. Industry associations might exist internationally or nationally. And the publishing platforms, such as Apple, Google, Sony, Microsoft, Steam, and others, have their own publishing requirements that must be adhered to.
When creating a game to be operated in the United States, the many subject areas one must pay attention to include (but are not limited to) those listed below:
- Age Ratings
- Accessibility
- Gambling and Loot Boxes
- Advertising and Marketing
- Export Controls and Trade Restrictions
- Content Regulations
- Licensing and Distribution
- Platform Specific Requirements
- Localization
- Privacy and Data Protection
Topic Areas
Age Ratings
The early days of the game industry saw copious creativity in new game subjects and designs. However, some titles explored adult topics, including violence, sex, drugs, and others often considered societal vices. Pushback from parents, church leaders, and legislators motivated the industry to create an organization to rate game content, largely to self-regulate and head off politicians from passing laws to regulate the industry. The Entertainment Software Rating Board (ESRB) was formed and today is responsible for rating games that developers and publishers submit. The ratings assess age-appropriateness and include indicators of the type of sensitive content the game title explores.
Several major publishing platforms, including Microsoft Xbox, Sony PlayStation, and Nintendo, generally require an ESRB rating on the game titles before they can be published for distribution. Several of the major PC distribution platforms, including Steam and Epic, don’t require the ESRB rating but do provide their own content description systems whereby the game developer will disclose the content of their game. Mobile platforms like Apple App Store and Google Play Store also have their own age and content rating systems.
Note that other organizations play a role in Europe, Japan, and other regions, such as Pan European Game Information or Computer Entertainment Rating Organization.
Accessibility
Accessibility in video games pertains to designing and implementing game features that ensure all players, including those with disabilities, can have a satisfactory gaming experience. This includes a range of considerations, from visual aids like subtitles and colorblind modes to auditory cues for those with hearing impairments. Accessibility also encompasses mechanics like remappable controls for those with motor disabilities or the inclusion of alternative communication tools for online games in compliance with regulations like the 21st Century Communications and Video Accessibility Act (CVAA). These features aim to make video games more inclusive, allowing a broader audience to engage with and enjoy the titles.
Gambling and Loot Boxes
In the United States, gambling laws are primarily state regulated. Most states generally disallow gambling, although they sometimes carve out exceptions for lotteries, horse racing, or card rooms. Numerous complex state laws, and even some multi-state agreements, must be navigated.
Loot boxes in video games have garnered significant scrutiny due to their similarity to gambling mechanics. In the US, they are generally not governed by the same laws as gambling and are therefore permitted. Some states have proposed regulations that have not yet been enacted. The gaming industry is, however, utilizing content ratings to raise awareness, especially for parents, of game content that could be considered gambling.
Internationally, multiple countries have ruled that gambling laws apply to loot boxes, and therefore care must be taken when publishing in those jurisdictions.
Advertising and Marketing
Advertising and marketing within video games, often referred to as “advergaming” or “in-game advertising,” are subject to various regulations, both general (related to advertising standards) and specific (related to the nature of video games). In-game advertising must follow the same laws as other advertising formats in the US. For example, in-game ads must not be misleading or deceptive. This principle is enshrined in U.S. law and is overseen by the Federal Trade Commission (FTC). This means that any claims made within an ad must be substantiated. Additionally, the FTC has guidelines for endorsements and testimonials. If a video game includes any endorsements (like a celebrity avatar promoting a product within the game), these guidelines need to be followed. For instance, any material connections between the endorser and the advertiser must be disclosed. If there’s a promotional consideration (for example, if a brand paid to be featured in a game), this might need to be disclosed, especially if it affects the gameplay or player decisions. Finally, if a game contains advertising for alcohol or tobacco, the publisher needs to ensure that it follows relevant laws and industry guidelines, such as not targeting minors.
Note that advertising and marketing concerns overlap with privacy concerns covered in the later section of this article on privacy and data protection. In-game ads might collect user data to serve targeted ads. If so, this data collection must comply with privacy laws.
Export Controls and Trade Restrictions
When publishing internationally, publishers must follow certain United States regulations. The Export Administration Regulations deserve attention specifically where encryption is used in a game’s network, chat, or other systems. Unless the game uses novel encryption, the methods are likely allowed under the exemptions for mass-market or publicly available encryption.
Another very important consideration is the Office of Foreign Assets Control (OFAC) regulations. These require companies to follow US sanctions against specific countries, terrorists, drug traffickers, and other threats. Like all U.S. entities and individuals, video game companies must ensure they’re not doing business with sanctioned countries, entities, or individuals. This means not selling games in certain countries or not allowing transactions within games from sanctioned individuals or entities.
Content Regulations
In the United States, video games are protected under the First Amendment as a form of expression, meaning the government has limited ability to regulate their content. In 2011, the Supreme Court ruled in Brown v. Entertainment Merchants Association that video games are protected speech under the First Amendment. This gives developers and publishers broad discretion on what content to include in their game titles by law.
However, the major publishing platforms all have a set of terms and rules that might prohibit certain content on a given platform. The Apple App Store, for instance, has many rules regarding content, which can be read in its App Store Review Guidelines.
Many countries other than the United States carefully regulate content, and their rules must be considered when publishing in those regions.
Licensing and Distribution
Although not unique to video games, consideration for intellectual property rights via copyright, trademark, or patent law must be taken when publishing in the United States.
No games are developed 100% stand-alone, with no reliance on third-party code or libraries. Therefore, licensing agreements with technology providers will have terms that must be adhered to, relating to anything from disclosure notices to payment terms to platforms allowed. Additionally, content is often licensed from other parties, and terms governing the usage of that content must be adhered to. These terms could include limiting which game genres are approved, allowing the IP owner to review the game for compliance with the contract terms, or constraining which regions the content may be distributed into.
Another consideration in virtually all games today is an End User License Agreement (EULA) that serves as a contract between the user and the publisher. These typically are long eye-charts of terms governing the use of the game, the rights of the individual, allowed usage, and more. There is some effort at the government level to require human-readable EULAs, and there are questions about their enforceability in general.
Platform Specific Requirements
Platform vendors such as Microsoft and Sony have requirements for games to be considered for publishing. Developers and publishers need to meet these requirements, which can run the gamut from technical requirements to age ratings to privacy to monetization. Additionally, the game title must undergo a certification process before game release. Mobile game platforms such as Apple and Google have similar requirements and processes; therefore, the development and publishing process will need to plan, develop, and test for compliance.
Localization
Unlike in other countries, few laws in the United States require specific localization. That said, providing language alternatives to English can increase the audience within the US, given the large population of non-English-speaking residents.
In publishing games internationally, however, localization is a much bigger consideration. Many countries mandate that games be available in the local languages. Beyond just language, cultural norms often must be met regarding themes such as violence, sexual content, and religious references. Certain content that would be allowed in the United States is illegal in other countries.
Privacy and Data Protection
Over the last decade, much focus has been placed on privacy in online applications. The ability to track a consumer’s activity across many websites and applications has been a powerful tool for targeting advertising and analytics. There has been a surge of pushback on this unfettered data collection, with laws being passed in multiple jurisdictions to establish privacy rights for individuals. Europe led the way with the General Data Protection Regulation (GDPR), which stipulates privacy rights for consumers, a framework for companies to follow so that applications respect those rights, and requirements for securing consumer data that companies collect. The regulation has some teeth in the penalties that corporations may face if they are not following it, so close attention must be paid, or game publishers may be left with large liabilities.
In the US, California has passed a law modeled on GDPR, the California Consumer Privacy Act (CCPA). It contains Information Rights Requests (IRRs) similar to those in GDPR, but there are subtle differences in what exceptions are allowed to retain data after a user has requested their data be deleted. The law allows California’s Attorney General to investigate and fine corporations violating CCPA regulations. And the penalties can be severe, creating large liability for corporations out of compliance. To fully support these regulations, a publisher must provide timely processes allowing consumers to request access to data the publisher is keeping about them or to act on a consumer delete request. Given the different touchpoints, compliance crosses corporate departments and functions from development to cybersecurity to customer support.
Platform providers such as Apple have also taken up privacy advocacy, as seen with the introduction of the AppTrackingTransparency framework. This has given the consumer more control over what data is shared with online sites and application vendors. But it has also thrown a wrench into the gears of mobile marketing functions and the ad attribution processes.
Summary
Invest now to become compliant and stay compliant. These regulations, rules, terms, and conditions should be considered early in the game design process, as they can impact game design. If loot boxes are critical to the game design, and the game is intended to be published globally, changes must be accommodated for some national markets due to gambling regulations. As another example, incorporating data privacy and protection settings will affect the game’s user interface, and backend systems will need the ability to delete user data upon request built into their design. This type of consideration has not traditionally been a requirement for development teams and is often antithetical to the desire to preserve all data for analytics purposes. It must be part of the product design up front.
Assessing where one’s organization stands regarding compliance is not a one-time task. This recurring assessment crosses the product management, development, cybersecurity, customer service, legal, and other teams. Laws change, and tracking and adapting your processes, technology, and techniques to accommodate the changes is critical. Staying compliant is an ongoing effort. Get help if needed; neglecting this will incur significant risk to the organization.
Disclaimer
Please note that the information provided here is for general informational purposes only and should not be construed as legal advice. I am not a lawyer and am not qualified to provide legal guidance or interpretations of specific laws or regulations. The information presented may not be comprehensive, up-to-date, or applicable to your specific situation. It is always recommended that you consult with a qualified attorney or legal expert for advice tailored to your individual circumstances and the jurisdiction in which you operate.
