California’s New Data Privacy Law Will be Felt Far and Wide in Esports

30 January 2019 Publication
Authors: Kadmiel E. Perez
This article is a guest post written for The Esports Observer and as such, the opinions, analysis, and content contained within this article do not necessarily reflect the views of The Esports Observer.

In this series of articles on the potential impact of the EU General Data Protection Regulation (“GDPR”) on the esports industry, the first installment addressed obtaining consent from “data subjects” (i.e., gaming/esports consumers). The second installment addressed the GDPR requirements related to processing the personal data of gaming/esports consumers. This final installment discusses how the GDPR’s effects have been felt outside of the EU, as the regulations may have created a shift in the global data protection regulatory framework, and indeed, even in consumer expectations.

In May 2018, California did something that it has long been known to do: enact a law that the rest of the country wouldn’t even dream of placing in front of their state legislatures. This time around, California decided to ride the wave that the GDPR started, and as a result, the California Consumer Privacy Act (“CCPA”) was passed, with compliance obligations slowly rolling out in January 2020, and government enforcement starting to become effective around July 2020.

At a high level, the CCPA creates transparency and protection for individuals, from businesses who collect or sell their “personal information” (defined extremely broadly). The CCPA forces organizations to be transparent with respect to their data policies by giving the public the right to know what type of information is being collected, whether it is being sold, and to whom. People will even be able to tell companies to stop selling their personal information. The CCPA also creates more protection for individuals by creating punishments for businesses, as the California Attorney General will be able to fine violators of the new regulations, and consumers will be able to recover statutory or actual damages from companies for data breaches resulting from unreasonably insufficient security procedures and practices.

While companies in the esports and gaming industry have undoubtedly been dealing with the side effects of the GDPR for at least the last few months, the CCPA presents some new-found regulatory compliance and civil liability issues to the esports industry. To illustrate this point and the potential impact the CCPA may have on the esports industry, let’s take recent events and appreciate what may have happened had the CCPA already been in place.

In early January 2018, a local California newspaper called the Sacramento Bee was the subject of a ransomware attack. In exchange for control and access to the data stored on the hijacked servers, the hacker demanded a ransom payment of Bitcoin from the newspaper. The servers in question contained approximately 19M voter records (nearly all of which were regulated public information that had been previously exposed), as well as the names, home addresses, email addresses, and phone numbers of over 50K Sacramento Bee subscribers. What’s the kicker here? The Sacramento Bee reportedly had measures in place to prevent this kind of attack, but a necessary firewall was mistakenly left disabled as a result of a third-party vendor’s performance of some routine IT maintenance.

The newspaper ultimately decided to delete the databases, as opposed to paying the ransom. However, the real damage had already been done, as the newspaper’s reputation had been smudged like wet ink. Fortunately for the Sacramento Bee, the heavy financial repercussions of a breach under the CCPA were not yet in play. Had the newspaper been punished under the CCPA, it could have been fined by the California Attorney General $2,500 USD for each “negligent violation” and $7,500 for each “intentional violation.” On top of this, under the CCPA, the 50K subscribers could have each sued the newspaper for actual damages, or statutory damages between $100 and $750, whichever was greater.

Achieving compliance and avoiding situations such as the above will be easier said than done, however, especially when considering the broad definition of “personal information” adopted by the CCPA, and other CCPA-required measures to be adopted by companies before January 2020. Just take a look back at the GDPR to see just how difficult a task 100% compliance with a strict data security regulatory regime really is. At the time the GDPR went into effect, very few companies were fully GDPR compliant. A little over six months into this new data privacy regime, it is estimated that 70% of global companies are still failing to comply with requests for personal data within the required one-month time period.

Even if a particular game developer, esports team organization, or content/events provider was able to avoid the implementation of GDPR-compliant policies regarding data retention and processing (either because they don’t serve EU-based consumers or because the deliberate decision was made to stop doing so), the unfortunate news is the proverbial can was simply kicked down the road. While the regulations surrounding the GDPR are prevention-centric, and the mandates of the CCPA are more reactionary-based, the fact of the matter is that many of the preparations for the two are the same. Businesses still need to identify and organize the types of data that they collect, how it is collected, why it is collected, where it is kept, how it is processed, and whether and to whom the data is sold/shared.

However, this is not to say that GDPR-compliance equates to CCPA-compliance. For example, while the CCPA has adopted a similar definition of “personal information” as the GDPR, the CCPA arguably reaches more information sources than the GDPR as the act covers not just “persons,” but “households” and “devices” too. Additionally, esports-related companies may be particularly interested in collecting/selling player metrics such as keystroke patterns, recognition/click speed, and logon/logoff times. This type of biometric data that tracks player movement and patterns can be uniquely identifiable and the CCPA treats this biometric data just like other “personal information” (unlike the GDPR). It’s not just “player data” either that will bring esports companies into the CCPA fray. When consumers sign up for streaming services, obviously their names and emails are protected, but potentially their time spent watching certain streamers and their favorite channels too. If a company merely hosts tournaments and events, then the company recording who’s checking in on social media could also potentially create CCPA exposure. The CCPA effect will inevitably be felt far and wide in the esports industry.

Possibly the biggest reason for esports-related companies to get ahead of the curve here is the right of private action that the CCPA enables. The fact that the consumer is not only enabled, but incentivized to pursue statutory or actual damages as a result of unreasonably protected data being breached means that gaming companies cannot rely on a “soft opening” of the CCPA, which has seemingly been the case with the GDPR, because while government may be slow to act, consumers who feel as though they’ve been wronged are typically quick to seek restitution.

Even though some esports-centered companies may have been able to avoid implementing heavy-handed GDPR-focused policies to date, the same will be almost impossible with the CCPA. This is because, among two other independently qualifying characteristics, esports companies will be subject to the CCPA if they receive personal information concerning at least 50,000 Californians (less than 0.1% of the state’s population). One of the other two independently qualifying characteristics of the CCPA will also likely cast a fairly broad net in terms of capturing businesses that need to comply with the CCPA: businesses with $25M or more in revenue. It remains to be seen, however, whether this $25M applies to just revenue derived from California, the U.S., or even worldwide sales.

Therefore, esports companies of even modest sales and reputation should not lightly assume that the CCPA will not apply to them. One successful project can drastically shift a company’s profile and consumer base, as recent overnight esports sensations have shown, meaning that an esports company that does not initially meet the “50k Californians” or the “$25M in revenue” thresholds could do so overnight as a result of its own success. Finally, even the third independent qualifying characteristic could apply to esports companies depending on their business model: whether or not the company makes at least half of its revenue from the sale of Californian consumer data. As a result, the exposure of U.S. companies, and esports-centric companies the world over, to CCPA regulations and enforcement is going to dwarf the current exposure of these same companies to the GDPR.

The moral of the story here is that despite the ambiguities that exist within the CCPA, and the cost of implementing compliant data policies, esports companies should be taking immediate steps to move towards compliance. If your gaming or esports company is just starting today, then it is already behind the ball. This is especially true in light of the fact that a consumer request of “are you processing my data?” must be met with a response, in 45 days or less, that indicates the types of data collected over the past year, who it is shared with, and why it is processed. This means that the burden of compliance doesn’t start in January 2020; it starts now! So start preparing for the CCPA immediately, unless you like having to pay fines to both the consuming public and state government.

Article Link: https://esportsobserver.com/ccpa-esports-2019/
