Gamasutra: The Art & Business of Making Games
Privacy and Games – GDPR, Brexit, And Privacy Shield.. Oh My!

by Roy Smith on 08/01/16 10:22:00 am

The following blog post, unless otherwise noted, was written by a member of Gamasutra’s community.
The thoughts and opinions expressed are those of the writer and not Gamasutra or its parent company.


It’s been another wild few months in the Privacy space since my last post.  Bringing everyone up to date:

GDPR is now the law

The new European Union privacy law called ‘General Data Protection Regulation’ (GDPR) is now in effect, replacing the 20-year-old ‘Data Protection Directive’. This privacy law is being called the ‘biggest legal change of the digital age’, and for good reason. Companies that capture private user data (called ‘Data Controllers’) from EU citizens are now required to get explicit, informed consent (no more TOS consent or default opt-ins), and they are required to give users the ability to view the captured data, get a copy of it, and revoke their consent and trigger complete erasure with the same ease that they initially gave it.

This is a big deal because unlike COPPA, which only deals with privacy of children under 13, GDPR requires data controllers to do this for EVERY USER that is an EU citizen. The GDPR also has a child privacy aspect that is similar to COPPA but does not have COPPA’s numerous loopholes. An added complexity is the fact that GDPR allows each EU member state to choose the age of consent for child privacy, with the default age being 16. Before they voted to leave the EU (more on that later), the UK announced they would stay with 13 as the age of consent.

Another big change with GDPR is its focus on third party companies that process private user data, such as ad networks that use private data to optimize and target ads. GDPR brings third parties (called Data Processors in GDPR lingo) into the same regulatory requirements as Data Controllers. And since virtually none of the databases they currently have were created using GDPR-compliant user opt-in, the entire ad tech business is gearing up to comply with GDPR in time for enforcement day, May 28, 2018.

Regarding enforcement, my opinion is that within the EU there are 28 different countries, some of which will diligently enforce privacy while others will not. This situation is very different from the US COPPA law, which was never aggressively enforced by the FTC, to the point that trade groups have begun self-policing COPPA. GDPR is going to be enforced, and the penalties are very real and potentially career-ending.

Game developers who do not have any users in EU countries do not have to worry about GDPR. Or do they? Perhaps not in the short term, but I believe because of its huge reach, GDPR will become the model for online privacy regulations around the world.

What about Brexit?

There have been dozens of blog posts asking how Brexit affects game publishers. If the UK wishes to continue trading with the EU (and I’m pretty sure it does), it will have to create privacy laws that are as good as, or better than, GDPR in order to be accepted as a trading partner. The most obvious solution here would be for the UK to copy GDPR word-for-word, which would fulfill the ‘as good as’ requirement and reduce compliance complexity for all parties involved. But as we know, government doesn’t always do the obvious, so this remains a question mark. There is a 2-year transition period that starts once the UK triggers Article 50 to formally leave the EU, and it hasn’t done that yet. My advice would be to focus on GDPR compliance with the knowledge that whatever the UK comes up with will be similar.

Alrighty then, what about Privacy Shield?

Just for clarity, Privacy Shield is the name for the new online data protection treaty between the EU and US that was negotiated following the previous ‘Safe Harbor’ treaty being struck down in fall 2015. Two weeks ago, following several months of additional negotiation, the US and EU agreed to the new treaty, called ‘Privacy Shield’. Max Schrems, the advocate who helped kill Safe Harbor, is expected to challenge Privacy Shield in the same way. Since Privacy Shield interlocks with GDPR and existing US privacy laws, US game publishers should begin designing for GDPR-type privacy with games in production now.

So to summarize this update, here are my quick thoughts on how these issues will impact game publishers:

GDPR – Huge, unavoidable, you must start dealing with it now to have quality GDPR-compliant products.

Brexit – Not really a factor, new UK privacy law is likely to be very GDPR-like unless UK goes rogue with even tougher privacy regs. 2-year clock hasn't started yet.

Privacy Shield – Not really a factor, likely to be challenged again in 1 year, too important to fail.
