Online Gaming and the Responsibility to Protect Privacy (Part 1)
Co-authored with Jonathan Smith, privacy consultant and lawyer.
Feature image by Indivisible Gaming
The world of video games has undergone a massive transformation, bringing with it new opportunities for gamers, gaming companies, advertisers, marketers and a host of other entities in the industry. As online gaming continues to thrive, the industry must earn the trust of its consumers to maintain its success. As custodians of gamers’ personal data, gaming companies have a responsibility to protect gamers’ privacy and ensure proper safeguards are in place to mitigate against breaches. Online gaming, which includes eSports, is a multibillion-dollar industry with over 250 million players worldwide. Individuals or teams competitively play online video games, such as Fortnite (an action-packed survival game where 100 players fight to be the last one standing) and League of Legends (a competitive, team-based game), on a network against local or international players. Players can purchase in-game content and customize their experience. The interconnectedness of online gaming has created a large community among gamers. Players livestream themselves playing games on platforms such as Twitch, where millions of subscribers pay to watch the live streamed action. Players and viewers are able to communicate with each other in real time through social platforms connected to the games. The eSport tournaments attract stadiums full of fans to watch teams compete. Winning teams can earn millions of dollars. The success of professional gamers has incentivized countless others to invest time and money in hopes of becoming a gaming celebrity.
Why personal information is collected
While the gaming industry is thriving and is only expected to grow, gaming companies are collecting personal information about gamers, which may lead to serious privacy and cybersecurity implications that are often overlooked. Through interconnectivity and tracking technologies, gaming companies can collect users’ profiles, IP addresses and geographical locations. Gaming companies request access to gamers’ social networking sites, such as Facebook, which allow gamers to easily connect with other players or fans. Linking a game to an external social media site grants the gaming company access to personal information contained in the social platform, such as contact lists and photos. Through the use of cameras, sensors, microphones and social interaction, gaming companies collect biometric data too. Credit card information is also collected for purchases. The personal data collected is often shared with third parties for processing or for profit. Online gaming and the responsibility to protect privacy - The Lawyer's Daily Page 1 of 3 https://www.thelawyersdaily.ca/articles/9473/print?section=business 1/8/2019 So, what are the privacy and security implications?
Identification & profiling
By collecting personal data about gamers and viewers, gaming companies can use that data to predict the interests of individuals and offer more products or services. Similarly, gaming companies can disclose aggregate data to third-party advertisers. Although aggregate data is de-identified, gaming companies need to be mindful of the ability re-identify, through the use of artificial intelligence, by linking a game profile to social networking platforms, which contains sensitive personal information. Advertisers are able to target online gaming communities and reach a group that might otherwise prove to be difficult. The Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s federal privacy legislation for private organizations, prohibits gaming companies from inappropriately collecting, using, or disclosing personal information. The Office of the Privacy Commissioner of Canada (OPC) recently released guidance on inappropriate data practices, reinforcing prohibited ways of using data analytics, including profiling and categorizing of individuals that could lead to discrimination or unfair/unethical practices. Before gaming companies disclose personal information to third parties, such as advertisers, they should do their due diligence to ensure these parties comply with privacy regulations. As data stewards, gaming companies cannot outsource their responsibility over gamers’ data, even when the data is in the hands of third parties.
Consent
PIPEDA is a consent-based legislation. Gamers must provide consent to have their personal data collected, used, or disclosed. The new consent guideline released by the OPC emphasizes the importance of obtaining “meaningful consent.” Gaming companies must reveal to gamers what data they collect, how they use it and who they share it with. This information should be contained in a company’s privacy policy which should be easy for the reader to understand. A layered approach to seeking informed consent is recommended by the OPC. Seeking consent should be an ongoing process where gamers are informed of what they are consenting to, including the risks involved, as they move through the platform. Many online games attract gamers who are minors. Minors (children under the age of 13) cannot be expected to provide meaningful consent for the use of their personal information, therefore consent must be obtained from their parents or guardians. Children over the age of 13 can provide consent to use their personal information. However, gaming companies need to be sensitive about what they are asking children to consent to and how they seek their consent. Gaming companies should provide parents or guardians the option of controlling their child’s access to the game and ability to chat with other account holders. This is the first of a two-part series.
This article was originally posted on Lawyer’s Daily.