How GDPR is affecting the games you love

The gaming industry had to comply with the EU's privacy rules, too.


The tech world has been bracing for a new set of European privacy rules going into effect: the General Data Protection Regulation, better known as GDPR. Companies must either have changed how they handle their EU users' personal data or face serious fines. The regulations are intentionally broad, which has led them to affect industries that aren't typically thought of as trafficking in user information -- like gaming. That means gamers are protected by GDPR while playing online or posting in forums. But in complying with the EU regulations, gaming companies are nervous that they'll inadvertently run afoul of the new law's vaguely written rules.

The GDPR replaces the 1995 EU Data Protection Directive, forcing every company around the globe to abide by strict rules when handling European subjects' personal data. The regulations were adopted to protect EU residents and arm them with awareness about how companies use their information. While GDPR addressed tech companies that deal with and make money off user data, like Facebook and Google, the expansive definition of "personal data" -- everything from names and email addresses to biometrics and IP addresses -- means that gaming companies have had to comply, too. And avoiding fines has cost them time and money.

This is good for gamers in the EU, who will have a much better idea of what information is collected when they play, buy products or use services. Game enthusiasts outside Europe will benefit, too, as some organizations, like Razer, treat the GDPR as a privacy bellwether and have adopted it globally.

Like most protective measures, we might never know if adopting new regulations ends up preventing a disaster. "One of the things that GDPR may do is head off potential future privacy scandals that might not even happen because of the law," said Jay Stanley, senior policy analyst at the National ACLU. He cited Vizio's incident using smart TVs to track users' behavior without their knowledge as an example, a scandal that cost the company a $2.2 million fine from the FTC.

"Like all programs and apps, there's potential in games for mischief when it comes to collecting valuable personal information for users," he said. "We don't know exactly how much this European law will affect the practices in America, but it can't hurt, and there's a good chance it'll offer some protections."

It's unclear how much effort it's taken the gaming industry to adapt to GDPR: No companies contacted by Engadget disclosed how much it cost to comply. Like other tech companies, though, they've had to understand how user data moves through their operations, adjust their permissions to explicitly ask for consent when collecting info and in some cases, appoint their own data-protection officer.

"Companies have to document their data flows, register with privacy shield, get an EU representative, set up a bunch of updated data-processing agreements, get trained on how to respond to consumer requests that include GDPR jargon, etc...," privacy lawyer Shaq Katikala wrote in a Reddit AMA last month. In his job working for law firm Morrison/Lee, he's helped shepherd companies and studios through the GDPR compliance process. "The vast majority of the GDPR work I do for clients isn't fixing terrible scandals, it's all this administrative stuff that GDPR requires."

Some older services and long-running games have been closed after companies determined the costs to update them outweigh the benefits. Uber Entertainment's Monday Night Combat made just enough money to keep its servers going, but upgrading the Ubernet-based back-end to comply with GDPR wasn't worth the cost, company CEO Jeremy Ables told Engadget. The company chose to shut the game down.

Likewise, Edge of Reality's free-to-play shooter Loadout was shuttered because the company lacked the resources to update the aging game. Online gaming company WarpPortal announced it would close off service to EU players for the 16-year-old MMO Ragnarok Online on May 25th. And keeping them online without complying with GDPR is risky: Under the new regulations, authorities can fine offenders up to €20 million or 4 percent of the company's annual global turnover, whichever is larger.

GDPR was adopted by the European Parliament in April 2016, giving companies two years to either comply or cancel services in the EU. In some cases, companies are buying themselves a bit more time by temporarily suspending European operations until they've gotten all their operational ducks in a row, said Katikala.

"My biggest concern with GDPR is that it's moving very fast and the terms still need to be defined," Katikala told Engadget. "Without answers, even honest companies can only go so far without further guidance."

Even outfits within the EU had trouble working out how to comply with GDPR. Scandinavian game companies met in Helsinki several times to navigate compliance, according to Jari-Pekka Kaleva, senior policy analyst at Finnish trade association Neogames. "I think everyone now is starting to be aware of GDPR and what it means, but there are still companies that have open questions they need to understand. So it's a step-by-step process," he told Engadget last week.

That confusion has ratcheted up anxiety in gaming companies. Studios have scrambled to make sure they're compliant by mapping their flow of user data and updating their terms of service (ToS). Some very small indie game-making outfits never even had a ToS document, so they've needed to create one. More established companies like NVIDIA have updated their privacy centers and policies with clearer language and new features, as the regulations require. A few, like peripheral and computer maker Razer, have launched dedicated GDPR resource sites for consumers to understand their expanded data rights under the new law.

But complying with GDPR hasn't been significant enough to do more than kill a few old games, so your favorite publisher is probably safe. Some game studios, especially those producing offline single-player games, haven't had to do more than tweak their ToS. Large game publishers and companies that do deal with personal data have teams of lawyers that have been working behind the scenes for months, if not years.

Still, the games industry will have to continue reckoning with privacy regulations as other countries outside the EU are considering adopting their own versions of the GDPR. Gamers will have more access to and a better understanding of how companies use their information. But the new regulations' effects on actual games will likely be subtle. For one, it will be much harder for companies to use player info to study or market to them without their knowledge.

Big studios sometimes collect information on how players move in their games and use that to refine gameplay, a practice called telemetrics. GDPR's new transparency requirements will require companies to be more explicit about how they're studying gamer activity. But most of GDPR's benefits to players may be invisible to them. The rules apply to any entity that handles personal data, which means game companies are theoretically on the hook for third parties they provide player data to. Studios have had to audit hosting providers and advertisers, and have dropped those that might violate the new regulations, Katikala said. This could prevent players' information from being resold by unscrupulous companies.

Gaming companies probably weren't the GDPR's first target, but given the law's broad language, they've also needed to comply to do business with EU users. The result is better privacy protections for gamers both in and out of Europe, and clarity on how their data works. But if these new policies end up guarding information from falling into the wrong hands, it will have been worth the effort for the gaming industry to avoid a data breach.