Esports and the GDPR: Navigating Data Privacy Rights Under the New Regime

Taking effect on May 25, 2018, the EU General Data Protection Regulation (GDPR) is the most impactful change to data privacy regulation in decades. The GDPR was enacted to help protect all personal information of EU individuals and is applicable to any organization, regardless of location, that intentionally offers goods or services to the EU, monitors the behavior of EU individuals (“data subjects”), or processes and holds the personal data of data subjects residing in the EU.

As anyone who has ever registered the latest copy of Overwatch or FIFA knows, millions of end-using gamers share their personal information in order to gain access to developer content. Given the changes promulgated by the GDPR, this has broad-reaching implications for all data collecting entities, including, but not limited to:

• Video game studios, which create and own the video games and control access to and use of their product.
• Streaming services, which broadcast content.
• Internet providers which provide access to the content
• Operators of online message boards, and franchise owners (collectively, the “Data Collectors”).

Data Collectors, in particular, will have to revamp their existing end-user policies with a particular focus on provisions addressing data monitoring, access, consent, data portability, and mandatory breach notification.

While the GDPR extends into many other sectors, its effects within the video game industry have already been felt. Citing the high cost of complying with the GDPR, the servers for Super Monday Night Combat, the massive online battle arena (MOBA) title by Uber Entertainment, were taken offline permanently, and Uber Entertainment offered $10K of in-game currency for users to spend before the game ended. Uber Entertainment’s multiplayer back-end system was not GDPR compliant, and the cost to make it compliant exceed the budget allocated to the game.

Fines for non-compliance with GDPR may be hefty and increase with the nature and severity of the violation. A lower level violation can cost the greater of up to €10M or 2% of the violator’s worldwide annual revenue, while upper-level infractions can garner the greater of up to €20M or 4% of worldwide revenue.

Unlike traditional sports, where anyone is free to produce a sporting event without having to pay royalties to the inventor of the sport, sanctioned esports events can only occur with the approval of the video game studios. Even unsanctioned esports events are only possible if an end user has registered their copy of the game. Furthermore, most popular esports games require an internet connection in order to play against others. As a result, a significant amount of personal data is being transmitted and processed by Data Collectors annually. Data Collectors collect and use this data for a number of reasons, including resource allocation based on where the most players are playing at a particular moment and weeding out negative behavior by banning toxic players.

Given the popularity of esports in Europe, it is not a question of if Data Collectors should become GDPR compliant, but how quickly can they do so.

So what should Data Collectors do in the face of the GDPR? For starters, they should consider the need for a data protection officer (“DPO”). The GDPR requires that a DPO be appointed within organizations that engage in large-scale systemic monitoring or large scale processing of sensitive personal data.

Given that Data Collectors engage in global systemic monitoring and processing of personal data coupled with the millions of dollars at stake for non-compliance, such organizations should appoint a DPO if they have not already done so. The DPO must understand the nuances of GDPR and be able to respond to inquiries from EU regulatory authorities.

A critical gatekeeping issue under the GDPR is getting consent from persons or other data subjects to collect personal data, GDPR compliance depends on the development and use of appropriate consent forms.

To that end, Data Collections should consider the following when developing GDPR-compliant consent forms:

1. Request the minimum amount of information necessary. When considering what kind of information is required, Data Collectors should bear in mind that the GDPR has two classifications for personal data: personal data and sensitive personal data. Personal data includes names, contact information, and IP addresses. Sensitive personal data includes ethnic original, religious beliefs, and sexual orientation. While the difference may seem negligible, personal data and sensitive personal data cannot be used or maintained the same way. As a result, requests for information should be limited to a specific purpose, and used and maintained for that specific purpose.
2. Draft clear and concise language. In lieu of the standard boilerplate language that would make even the most experienced legal practitioner confused, terms and conditions for consent should be in laymen’s terms that explain which organizations, including third parties, will have access to any personal data. Additionally, such terms and conditions should stand alone, not be buried among other terms and conditions.
3. Make it easy to withdraw consent. Data subjects should be able to easily withdraw consent. Data Collectors should include a provision that (i) states the consent can be withdrawn at any time for any reason and (ii) provides instructions on how consent can be withdrawn.
4. Ensure consent is given purposefully. While it is not mandatory, it is considered best practice to deploy a double opt-in mechanism to ensure that consents were “freely given, specific, informed, and unambiguous.”
5. Revise and renew consent frequently. While it would be easy to rely on the initial consent granted by data subjects, as GDPR interpretation and enforcement takes shape, Data Collectors should look to the terms and conditions of the consents obtained and assess the need to revise. If they need to be revised, Data Collectors will have to obtain a new consent under revised terms and conditions. Even if Data Collectors determine that their consents do not need to be revised, they should have data subjects renew their consents.

Because the GDPR era is in its infancy, what is necessary to ensure GDPR-compliance may shift drastically in the coming years and will require an ongoing commitment from Data Collectors to evolve with how EU regulatory authorities interpret and enforce the GDPR, specifically how they dole out fines. Stay tuned for the second installment of this ongoing series.

This article was originally published by The Esports Observer.