The gaming industry is constantly evolving creatively, technologically, and commercially and with these innovations come new challenges. The sector is becoming more heavily regulated, especially in the area of consumer protection, online safety and data protection.
To maximise opportunity and create marketable products, it's vital to get the small print and use of personal data right. Games businesses need to take a proactive approach to consumer and data protection.
Play is our annual review of the key issues facing the games industry, and in this section, we summarise the challenges around small print and data. The full guide is available here.
Terms and conditions
Terms and conditions form a contract between the game publisher and the player. They deal with the conditions on which the game is supplied, limit the publisher's liability, and cover data protection, consumer protection compliance, and other regulatory issues (for example, around in-game currencies).
End-User Licence Agreement (EULA)
The EULA is a contract with the players setting out rules on how they may use the game together with other provisions, covering things like the publisher's liability, intellectual property, and regulations on user-generated content.
Privacy and cookies policy
Issues to consider
- Consumer protection rules: providers of downloadable digital content need the user to acknowledge that it has been supplied to them. This voids their cancellation right, with additional specific information needing to be provided at various stages of any purchasing process.
- In-game purchases and in-game currency: it is vital to make it clear to players that in-game purchases are available at the outset, particularly if game experience depends on making them. Being upfront and transparent is critical.
- Enforceability: it is not enough to have terms and conditions buried somewhere deep in the game. Players need to be presented with clear terms and conditions at the right time in the process if the terms are to be enforceable. This is particularly important when capturing consent both to the EULA and the privacy and cookies policies (there are specific requirements around consent for data protection and cookies).
- Incoming changes: the EU is bringing in new consumer protection laws which differ from those in the UK. Game providers will need to be aware of different requirements across markets.
The value of player data continues to soar, and publishers collect, use, and share information on a significant scale across an increasingly connected network of devices and players. Data collected may include personal contact details, device information, and details obtained from gameplay and tracking online habits.
The ability to consume, analyse and utilise this data brings enhanced value to businesses and convenience to players. It also raises privacy concerns as much of this data will be personal – the collection and use of which is regulated. It is essential for businesses in the games industry to ensure privacy compliance, not only to comply with legal obligations but to build and maintain player trust and protect investor value.
Key legal considerations under current UK and EEA law
- Transparency: it is essential to be upfront with players about what personal data is being collected and used for, including whether it has been shared with third parties or transferred out of the UK.
- Lawful basis and valid prior consent: consent must be freely given, specific, informed, and unambiguous indication of the individual's wishes.
- UK data protection fee: most UK based publishers will need to register annually with the Information Commissioners Office and pay a fee between £40-£2,900.
- Transferring personal data outside the UK/EEA: a publisher will need to take one of a number of possible compliance steps to ensure personal data is protected if it is transferred from the UK or the EEA to 'third countries' which do not adequately protect the data.
- Security: personal data must be kept secure, and risks should be assessed and reviewed regularly.
- Children: with increasing scrutiny in this area, you need to be extra careful when processing children's data, potentially carrying out a Data Protection Impact Assessment (DPIA) before the processing operation. You need to be more transparent, more considered, and more accountable with children's data and communications (for more information about The Children's Code and processing children's data, see the full guide).
- Social media policy: interaction with social media companies should be carefully considered to ensure that players are explicitly informed about how their data will be used.
- Marketing and communications: in the UK and EEA, players have an absolute right to opt out of marketing communications at any time. Player consent is needed before any communications, using an opt-in and unsubscribe function across all marketing communication.
- Mobile games: the key to ensuring data protection compliance in apps is addressing privacy issues at the development stage. At this stage, it is decided both how the personal data of players will be collected and how the information will be presented to players.
Find out more
These are just some of the considerations around consumer and data protection; find out more in our Play guide.