GDPR Compliance

[juliet]

Hello,

I am a game owner trying to gather information about GDPR compliance.

All the articles I read about it are extremely vague.

So now things like people revealing their mental health status or political party affliliation are now somehow considered personally identifying information?

It's starting to get ridiculous.

On my games, some info is already encrypted. And I don't have a problem encrypting other things.  But there doesnt seem to be a solid definition of which data is PII.

SO I was wondering what other game owners have as their strategy, or if anyone has some decent articles that can give specifics and not generalities,

Thanks in advance.

 

[Makazu]

Curious to hear what others have to say as well. This is all a bit reminiscent of the 2257 thing that shook the adult industry in the early 2000's. Suddenly there were requirements that you had to have ID records on file for every "model" that appeared on your page, even in ads. Tons of confusion, and industries popping up to take advantage. In the end, IIRC, it settled out to be more practical than onerous.

I'm hoping to see similar here, as I think this is more aimed at protecting users from the big data mining companies that abuse the data than someone storing information useful to manage the user's account. I imagine if they close their account, you may have to remove some info, but if they purchased things from you for example, then I'd hope  you are within right to store that transaction info -- so long as you aren't selling/sharing it.

 

[Syntax]

The GDPR is very vague, but maybe some food for thought can clear it up a bit. As a general rule, the GDPR is considered to cover the following areas: 

• Basic identity information such as name, address and ID numbers
  
• Web data such as location, IP address, cookie data and RFID tags
  
• Health and genetic data
  
• Biometric data
  
• Racial or ethnic data
  
• Political opinions
  
• Sexual orientation
  

Obviously that does seem like a lot but especially for games it's not a huge impact. 

First look at what information you're collecting. And by that I don't mean what are users willingly posting publicly on your forums but are you REQUESTING users fill our their political opinion, sexual orientation, etc. 

Second look at what information you're using. Are you selling information or compiling information for a specific use? Are you collecting metadata that would imply certain things(like political opinion based on article 'likes' or something)?

Most virtual pet sites will need very few changes for this if any. 

• If you're collecting users names and addresses...
  
  consider reworking the system to use usernames.
  
• I can't think of a reason to collect an address unless you're using an e-commerce system in which case you can use other services who will collect and store that information for you. 
  

[*] If you're collecting IP addresses...

• 
  It may be necessary to encrypt this to stay compliant.
  

[*]If you're using cookies...

• 
  Sessions? 
  
• Encrypt anything you save in cookies
  

For additional covering of bases, provide a 'privacy policy' that explains what you do with the information you collect, and who has what access to what information that might be thought to be private (such as mods being able to see your private messages or personal notes).

Finally, always consider having some sort of contract with anyone who may potentially access your users data intentionally that could essentially put any leak or security blame on them if it properly their fault. This means vendors, subcontractors, employees, etc. If they need access to the data(for example to optimize a database) make sure you have an NDA or some other sort of contract that will put them in a legal bind if they were to choose to misuse the data. Properly encrypted data will somewhat mitigate this risk however. 

 

[juliet]

First look at what information you're collecting. And by that I don't mean what are users willingly posting publicly on your forums but are you REQUESTING users fill our their political opinion, sexual orientation, etc. 

Thank you for your clarifications!  The above quote is my main concern at this point. My games have numerous social interactive features....forums, chats, game mail, comments, etc where users may reveal any of this new vague PII data.  But we do not request it and store it for any reason. 

So I'm really rather wondering if this stuff needs encrypted.

Because I keep reading articles and it's all rather vague as to how this law actually works.

So for example:  If this means:  A website specifically requests your race/gender/political affiliation/etc. and stores it.

versus

A user randomly mentions it in the forums.

Do both situations need encryption, or only the former?

 

[Syntax]

Thank you for your clarifications!  The above quote is my main concern at this point. My games have numerous social interactive features....forums, chats, game mail, comments, etc where users may reveal any of this new vague PII data.  But we do not request it and store it for any reason. 

So I'm really rather wondering if this stuff needs encrypted.

Because I keep reading articles and it's all rather vague as to how this law actually works.

So for example:  If this means:  A website specifically requests your race/gender/political affiliation/etc. and stores it.

versus

A user randomly mentions it in the forums.

Do both situations need encryption, or only the former?

Only the former.

Information shared publicly of oneself does not need to be encrypted. The only thing with forums/chats/etc you may want to think about is dealing with the removal of info if the original poster would like it removed or removing info one user posted that was personally identifying another user. Either way encryption isn't necessary unless you're specifically collecting or compiling this info. 

Many social media sites collect this info either directly or indirectly to help target ads to you or use it for large data analysis to predict trends and behavior. If the messages in your forums, chats, etc. are simply being stored for historical/public reference that should be fine. 

 

[juliet]

That helps tremendously, thank you.

 

[Design1online]

There is a solid definition of PII, maybe that will help you:

Any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means. Further, PII is defined as information: (i) that directly identifies an individual (e.g., name, address, social security number or other identifying number or code, telephone number, email address, etc.) or (ii) by which an agency intends to identify specific individuals in conjunction with other data elements, i.e., indirect identification. (These data elements may include a combination of gender, race, birth date, geographic indicator, and other descriptors). Additionally, information permitting the physical or online contacting of a specific individual is the same as personally identifiable information. This information can be maintained in either paper, electronic or other media.

 

[Deloryan]

Don’t forget to attend your users about the personal info when they create a username in the terms of service. 

Tell them that its their own responsibility to make sure the username, avatar, banner, profile etc don’t trace back to their real identity. And if they still do it anywats, that its their responsibility, not yours. But that you also won’t sell/share that information to third parties either. 

You don’t need to encrypt those things, as they should not add it in there in the first place. 

Some other things:

- players should be able to delete their account (along with all their data that’s connected to it)

- they should be able to get the data you have on them from you (like how it works on FB now for example, you could also just drop it in a csv that can be opened in excel)

- design for privacy first. So no automatically checked checkboxes for newsletters for example. 

- you need to state what you are using the info for. So if you want to send them newsletters about game info, but also use their email to send freebies. You need 2 checkboxes. So they can sign up for either, or both. You need to give them the choice now. 

 

[hurricaneviolet]

The one thing that I haven't seen mentioned here yet that will affect games, is the age requirement. From the GDPR website:

Parental consent will be required to process the personal data of children under the age of 16 for online services; member states may legislate for a lower age of consent but this will not be below the age of 13.

I'm curious how other people are planning to address this.

We used to have a parental verification system for people under 13 (which was complicated and frustrating, and also mostly useless since HP is almost entirely adults), but when we put ads up, we completely blocked anyone under the age of 13 from signing up rather than dealing with the more complex issue of serving ads to people protected by COPPA.

But I'm hesitant to block people under the age of 16 since 90% of HP's audience comes from the US, Canada, and Australia where the age is 13. I could bring back the parental consent system if I need to, but again, with it being unnecessary for most of the people who would even sign up who were under 16, makes me not like that option either.

 

[Design1online]

Check the fine print, a lot of places will let you become "compliant" which means you follow certain rules so you don't have to ask for parental permission and verification. It means you jump through more hoops about what data you keep and you have to run background checks on employees that have access to your data but usually it is possible -- otherwise there would never be any kids sites out there!

 

[Design1online]

Also, I will tell you from personal experience, if you are not a company or have a physical location in the EU they cannot hold you to following the GDPR compliance. If you are a US company you must comply with US laws but you do not have to comply with any other countries laws. If someone from the EU tries to sue you for being GDPR non-compliant it is really hard to make any type of case if you're not an EU corporation. I had a similar issue with Ubisoft in the past because they are a French company and I'm a US company -- it was basically impossible to bring any kind of case against them and my lawyer told me I would have to spend well over 100k to even get it through the US court systems.