Online Gaming Industry Needs More "Privacy by Design"
*Co-authored with Jonathan Smith, privacy consultant and lawyer.
This is the second part of a two-part series.
The world of video games has undergone a massive transformation. As online gaming continues to thrive, the industry must earn the trust of its consumers to maintain its success.
Data Minimization and Retention
When collecting data, gaming companies should minimize the data they collect to only what is required to fulfill the purpose for which they are collecting the information.
It is not so simple for gamers who wish to delete their profile from a gaming platform. Even when an account is deleted, many gaming companies and social platforms retain the gamers’ personal information and lack proper retention and destruction policies. Gaming companies should not retain personal data if that data is no longer needed to fulfill the purpose for which it was originally collected. By retaining excess personal data, gaming companies expose themselves to a heightened liability risk should they be breached.
GDPR
The European Union’s General Data Protection Regulation (GDPR), which came into force in May 2018, set a prescriptive privacy landscape for gaming companies whose gamers are in the EU. To ensure compliance with GDPR, most gaming companies need to redesign their data management practices, including data mapping, data inventory, data portability, and transparency into their data handling practices. Failure to comply may result in significant fines. Compliance is proving to be a very costly endeavour for many gaming companies. Some companies removed their games from the EU market because the risk of non-compliance outweighed the benefit of being in that market. It is now more important than ever for gaming companies to incorporate privacy considerations into the design of their games rather than treating privacy as an afterthought, a process known as privacy by design, which is mandatory under the GDPR and will likely be incorporated into PIPEDA in the coming years.
Cybersecurity
Gaming companies need to be proactive in ensuring the data they collect is secure against cyber-attacks, which are increasing in sophistication. Mitigating vulnerabilities and risks is becoming more challenging as gaming companies introduce new technologies and collaborate with multiple platforms.
Cyber-attacks do not occur only for the purpose of stealing personal information and selling it on the black market. The competitive nature of games and the millions of dollars at stake have bad actors trying to gain access to gamers’ accounts to steal in-game item purchases or compromise opponents’ accounts.
The gaming industry has experienced its fair share of cyber-attacks, including the 2011 and 2015 breaches that affected millions of Xbox and PlayStation gamers. The unauthorized users gained access to gamers’ names, addresses, email addresses, usernames, passwords, and security questions. The information obtained allowed access to multiple accounts belonging to the affected gamers. A class-action lawsuit against Sony ensued, and a $15 million preliminary settlement was agreed to by Sony.
Cybersecurity needs to be top of mind for the gaming industry, which will experience scrutiny with each breach, especially in light of PIPEDA and GDPR’s mandatory breach reporting provisions. PIPEDA requires a breached organization to report a breach to the OPC and notify all affected individuals if the breach results in a real risk of significant harm to an individual. It is advisable for gaming companies to obtain cyber insurance to protect themselves against ransomware as well as liability, legal and remediation costs. In addition to the financial stakes, breaches result in irreparable reputational harm, which could lead to a company’s demise.
In trying to find ways to address security issues, the use of blockchain and cryptocurrency has been considered. Although it is too early to tell if blockchain and cryptocurrency will resolve some of the security concerns, the online gaming industry, in particular eSports, is a good use case. The gaming industry is still agile, which makes it easier to implement a new method such as blockchain. Gamers are young, tech savvy and generally open to exploring alternative methods of interaction. Given their demographic, many gamers may already be familiar with cryptocurrency, making the inclusion of blockchain a reasonable evolution.
Conclusion
As the gaming industry continues to transform and finds new ways to become interconnected, privacy and security need to be incorporated into the initial design of gaming products and services. They cannot be an afterthought. Gamers, especially those in eSports, are tech savvy and understand the risks involved in revealing their personal data. Online gaming companies must be proactive in demonstrating to gamers that they take privacy and security seriously. By doing so, they will gain the trust of gamers and thrive in a competitive industry, while companies that do not prioritize privacy and security will lose credibility.