Which challenges does the EU General Data Protection Regulation (GDPR) pose for the online gaming industry?
The challenges posed by GDPR include conflicting regulatory requirements, abuse of data subject rights by players, and data sharing challenges when participating in ad networks. In response, the European Gaming and Betting Association (EGBA) has recently launched a consultation on its draft Code of Conduct for compliance with the GDPR.
In this article, we will explore common data protection mistakes and challenges, and propose industry-specific solutions for compliance with the GDPR in accordance with best practice and the proposed EGBA Code of Conduct.
What steps can you take to minimize your GDPR exposure?
1. Run a data mapping exercise for each of your games
A first challenge for operators that maintain complex environments is gaining an overview of and identifying all data flows relating to personal data, especially when participating in ad networks. General compliance obligations include maintaining a record of processing activities and privacy notices as well as having a lawful basis for each data processing operation.
The gaming industry is a heavily regulated sector, meaning that operators are subject to the many obligations imposed on them by national gaming laws and license conditions, anti-money laundering (AML) laws, rules for responsible gambling, and codes of practice. In practice, this means that certain categories of data must be retained for a longer time than would otherwise be permitted by the GDPR. Operators must therefore segregate their data so that the conflicting "delete vs. retain" requirements of AML law, gaming law and other legal retention obligations, which vary from country to country, can be met and balanced at the same time. This creates extra workload, including changes to current processes and systems.
2. Identify your lawful basis for processing and manage players’ consent
Online player acquisition, profiling, the use of cookies and tracking currently form a large part of gaming operators’ marketing strategies. In order to be able to provide games free of charge, many operators rely on so-called ad networks. Most of these activities require the explicit consent of players as a lawful basis. The GDPR fully permits players to withdraw consent to data processing, and operators may not refuse to provide the service to players who withhold consent (unless the data is necessary for the operations or for compliance with legal and regulatory requirements).
The GDPR sets a high standard for consent, namely that it must be “freely given, specific, informed and unambiguous”. In practice, this means the following for consent mechanisms:
- Clear affirmative action: Consent must always be given through an active motion or declaration, e.g. opt-in boxes that are unticked by default and must be ticked by the player.
- Freely given: Operators cannot offer players incentives or a better user experience in exchange for their participation in marketing operations.
- Subject to review: Consent should be understood as an ongoing and actively managed choice, and not simply a one-off compliance box to tick and file away. Consent must be subject to review, and should not be considered valid after four years.
- Granular: Where possible, operators should offer granular opt-in options to consent separately to different types of processing.
- Documented: Operators should keep extensive records of consent. Evidence must be kept of when the consent was provided or withdrawn, how the consent was received or withdrawn, and what information the player received at this stage (e.g. which version of the privacy policy).
- Named: Operators should name the organisation, brand, group of companies and any third parties who will be relying on the consent in a role of controller.
- Unbundled: Consent requests must be separate from other terms and conditions. Consent should not be a precondition of signing up to a service. For example, it is not necessary to market to a player, or use their personal data in a data mining exercise, in order to provide them with a betting account.
- Easy to withdraw: This means operators should have simple and effective management mechanisms in place. Where processing is based on consent, a withdrawal must also be applied to the personal data processed by processors or sub-processors on the basis of that consent.
When consent is used as a legal basis for processing personal data, operators should ensure players are able to withdraw consent at any time. Some common mechanisms for withdrawing consent include the following:
- Marketing emails: Where players have opted-in to receive marketing emails, they can use the unsubscribe link at the bottom of each marketing email.
- Marketing SMS messages: Texting ‘STOP’ to a number given in a text message.
- Preference management centre: Players can sign into their accounts and manage their consent by visiting their preference centre.
3. Solve the data portability function
Games providers may have to implement challenging software modifications when developing procedures in order to ensure that players can exercise their data protection rights under the GDPR. The right to data portability is an especially tricky one.
The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. Under Art. 20 GDPR, players have the right to have an operator send their personal data to another data controller by various means such as direct download or data transmission via API. This right applies only to data for which the processing is based on consent or on a contract, where the processing is carried out by automated means and where the data has been provided by the player to the operator. The following data should be considered to be covered by the right to data portability:
- Personal data submitted by the player upon registration.
- Personal data which the player passed on to the operator in the course of any dealings between player and operator.
- Personal data which was generated by the operator from observation of the player’s activity (e.g. activity logs, history of website usage, etc).
However, the right to data portability does not include personal data where the justification for processing is not consent or contract, for example data which is processed for legitimate interests or legal obligation. Exempt data may therefore include, but is not limited to:
- Results of an algorithmic analysis of players’ gaming behaviour.
- Players’ data processed as part of the operators’ AML obligations.
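The consent record and data portability rules above, as an added illustration that is not part of the original article or of the EGBA Code of Conduct: each consent event stores when, how and under which privacy policy version consent was given or withdrawn, the latest event per purpose decides, a grant older than the four-year review horizon is treated as stale, and the portability export returns only items processed on a consent or contract basis, leaving out AML and behavioural-analysis data. Purpose names, channel names, policy versions and player data are constructed sample values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum

class Basis(Enum):
    CONSENT = "consent"
    CONTRACT = "contract"
    LEGITIMATE_INTEREST = "legitimate_interest"
    LEGAL_OBLIGATION = "legal_obligation"

CONSENT_VALIDITY = timedelta(days=4 * 365)  # review horizon named in the article
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed reference time

@dataclass
class ConsentEvent:
    purpose: str         # e.g. "marketing_email" (constructed purpose name)
    given: bool          # True = opt-in, False = withdrawal
    at: datetime         # when consent was given or withdrawn
    channel: str         # how: "signup_form", "email_unsubscribe", "sms_stop"
    policy_version: str  # which privacy notice the player saw at that point

@dataclass
class PlayerRecord:
    consent_log: list = field(default_factory=list)
    # every stored item is tagged with the lawful basis it is processed under
    data: dict = field(default_factory=dict)  # key -> (Basis, value)

def record_consent(record, purpose, given, channel, policy_version, at):
    record.consent_log.append(ConsentEvent(purpose, given, at, channel, policy_version))

def has_consent(record, purpose, now):
    """Latest event for the purpose wins; a grant older than the review horizon is stale."""
    events = sorted((e for e in record.consent_log if e.purpose == purpose), key=lambda e: e.at)
    if not events or not events[-1].given:
        return False
    return now - events[-1].at <= CONSENT_VALIDITY

def portability_export(record):
    """Art. 20 scope: only consent- or contract-based items; legitimate-interest and
    legal-obligation items (behavioural scoring, AML checks) are excluded."""
    return {k: v for k, (basis, v) in record.data.items() if basis in (Basis.CONSENT, Basis.CONTRACT)}

def example_player():
    """Constructed sample player: one opt-in plus data items under four different bases."""
    p = PlayerRecord()
    record_consent(p, "marketing_email", True, "signup_form", "privacy-v3", NOW - timedelta(days=10))
    p.data["email"] = (Basis.CONTRACT, "player@example.com")
    p.data["bet_history"] = (Basis.CONTRACT, ["bet-1", "bet-2"])
    p.data["risk_score"] = (Basis.LEGITIMATE_INTEREST, 0.42)              # algorithmic analysis: exempt
    p.data["aml_id_check"] = (Basis.LEGAL_OBLIGATION, "passport-verified")  # AML obligation: exempt
    return p
```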
What will the future bring for the gaming industry?
The success of any gaming operator also depends on its ability to leverage personal data, and accordingly operators in this sector are significantly affected by the recent changes brought about by the GDPR. The EGBA Code of Conduct represents a first major step towards a standardized approach to handling players’ data. Mapping the data flows per game, embedding mechanisms to manage consent and segregating data which is not subject to data portability are key steps for operators to tackle GDPR compliance.