What Interactive Digital Entertainment Companies Are Doing to Prepare for the California Consumer Privacy Act
The thoughts and opinions expressed are those of the writer and not Gamasutra or its parent company.
The California Consumer Privacy Act (“CCPA”) is a first-of-its-kind law in the United States. The CCPA is a bold attempt at a comprehensive privacy regime. It provides a sweeping definition of “personal information” and applies to many for-profit companies that do business in California. For purposes of interactive digital entertainment (think mobile games, augmented reality applications, virtual reality content, etc.), the definition of “doing business in California” includes businesses whose content is downloaded in California.
Interactive digital entertainment companies face unique challenges under the CCPA. For example, offering free-to-download content is considered a “sale” of personal information. The CCPA directly targets this bargain with its specific requirements, in contrast to other existing privacy laws, including the notorious General Data Protection Regulation (“GDPR”). The CCPA defines a “sale” very broadly to include “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”
Even for companies whose interactive digital entertainment is not free-to-download, the CCPA poses unique compliance challenges that are not satisfied solely by relying on existing GDPR compliance programs.
This article looks at some industry-specific steps that interactive digital entertainment companies should take to get ready for the implementation of the law and helps you benchmark what your peers are doing. Companies covered by the CCPA have until January 1, 2020 to achieve compliance.
Is Moving Your Business Out of California A Reasonable Response? No, the authors do not recommend moving out-of-state solely to try to avoid the CCPA.
More than one company representative asked us this question with all sincerity. Some did so because they had already chosen to ignore GDPR or do the bare minimum to comply with it, and are not set up to point to their GDPR efforts as “good enough” for purposes of the CCPA. Privacy compliance is no small undertaking.
However, the momentum – both in terms of new laws and consumer expectations – is moving in the direction of requiring or providing more transparency and consumer choice when it comes to the use of consumer data.
Moreover, just as GDPR impacted U.S. companies doing business with EU citizens, CCPA applies to more than just California companies. It covers for-profit organizations that do business in California, collect consumers’ information (either directly or through a third party acting on their behalf), determine, either alone or jointly with others, the purposes and means of processing the consumers’ personal information, and also satisfy one of three numeric thresholds. Suffice it to say that doing business in California is not the same as having your business located in California. With that in mind, remember that on its own California is one of the largest economies in the world. Thus, in the digital space at least, not doing business in California is not an option.
Should you collect less data? Not necessarily.
Certainly, many companies are taking a second look at the types of data that they collect and whether such collection is necessary to the business. However, what is defined as “personal information” under the CCPA is broad and encompassing. It includes any information that “identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This broad definition includes the sorts of consumer profile and preference information that many behavioral advertisers would like to have.
The CCPA’s broad definition also sweeps up the kinds of information that advertisers want to obtain from augmented and virtual reality content. Personal information includes such data types as “biometric information,” “geolocation data,” and “audio, electronic, visual, thermal, olfactory, or similar information.”
Thus, more often than an assessment of “do I really need an e-mail address,” we are seeing the question “how else might I monetize my interactive digital content.”
Another response we are seeing is that companies are reconfiguring how they collect, store, and use data. The CCPA does not restrict the sale of de-identified personal information. Thus, companies are looking at ways to implement de-identification of data and implement technical safeguards and processes to ensure that data cannot be re-identified.
So, rather than simply collecting less data (which might be a good idea for other reasons), you should take another look at how you collect, store, and process data and benchmark those actions against your business model and the CCPA.
Are there any processes that you should focus on changing first? Yes. Many companies indicated that they were too small to implement everything that the CCPA requires, even if the CCPA applied to them. These companies are trying to do as much as they can to get compliant and are focusing on some of the consumer-facing aspects of the CCPA.
Remember that unlike GDPR, the CCPA focuses on the sale of consumer data. So, a prudent way to start on the path to compliance is to consider whether you need to “sell” consumer data to achieve your business goals. If you decide that you do, you should focus on satisfying the requirements of the CCPA as to the “sale” of data.
For example, although the CCPA allows businesses to sell personal information, the business must provide people over sixteen with the right to opt-out of a sale of their data. The CCPA requires the business to place a clear and conspicuous active link on the top right of the business’s homepage stating “Do Not Sell My Personal Information” that, when clicked, will take the consumer to a mechanism to opt-out of the sale of their data. There can be no consequences for a consumer who makes this choice.
However, for anyone under the age of sixteen, the business must require an opt-in for a sale; for children under thirteen, there must be a mechanism for the parent to provide that opt-in. This treatment of a sale of a child’s data requires the business to first determine if it will even sell such data and, if not, determine how it will segregate (or age-gate) between consumers over and under sixteen and/or thirteen years of age.
Moreover, because of the opt-out and opt-in rights, a business selling personal information must also determine, internally, how it will operationalize these options. For businesses that have non-California consumers and depend upon the sale of personal information for revenue, it may be prudent to consider a California-specific right to opt-out or even a California-specific version of the homepage.
A related process issue to consider is whether for all privacy related questions the business wants to age-gate at sixteen instead of thirteen years of age (most child privacy protection statutes treat children over and under thirteen years of age differently). For many games and augmented and virtual reality content, age-gating at sixteen instead of thirteen could result in a significant impact to the business. So, this may be yet another reason to consider California-specific rights or to move away from the “sale” of personal information.
Any company doing business in California that processes consumers’ personal information (remembering how broadly that is defined) should sit down with a lawyer to determine what, if anything, they should or must do to negate risk to the business.
The first step is, of course, determining whether the CCPA even applies to your business. If it does, then the second step is determining what changes, if any, you will implement.
In addition to some of the specific issues discussed above, these considerations should also include:
- Preparing and providing CCPA notices
- Providing opt-in and opt-out where appropriate
- Establishing processes to allow for the deletion of data
- Establishing processes to provide consumers their data upon request and in a “readily useable format”
- Reviewing agreements with service providers to ensure compliance with CCPA and the policies and procedures you implement
- Training your personnel on any changes or new processes
Your CCPA analysis should begin now because the steps to achieve compliance may not be simple and may require a significant investment of time to get compliant by January 1, 2020.
With gratitude to Kari Kelly, attorney at Kelly Corporate Counsel, for co-authoring this article.