Navigating Video Game Privacy Law
Updated: May 22, 2019
Privacy law encompasses the laws that deal with regulating and using people’s personal information, which can be collected by governments, individuals or third parties. In the world of video games and online gaming, privacy law comes into play through End User License Agreements, or EULAs. EULAs are license agreements between a software product and a user that dictate the terms under which the product can be used, and they often have clauses allowing for the collection of private user information.
Privacy law varies drastically based on where you live, so it’s important for you to know what type of privacy law governs your location. If you live in Europe, you’re covered by the General Data Protection Regulation (GDPR), which was passed in 2016 to protect citizens’ privacy. In the United States, privacy law is a bit different.
Video Game Privacy Law in Europe and GDPR
The GDPR makes it clear that data can only be collected if an explicit “unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her” is given.
The GDPR places three requirements on a company collecting data.
First, the product user must be informed about his or her right to withdraw consent at any time.
Second, withdrawing consent must be as easy as giving consent.
Finally, consent has to be unambiguous, meaning it was given either through a written statement or a clear affirmative act. Moreover, renewed consent is needed for every new usage of the data. That means if the company wants to start collecting a new type of statistic or data after you originally gave consent, it would have to get you to consent again to the changes.
Video Game Privacy Law in the United States
Privacy laws in the United States are much less generous from a user standpoint and less consistent than European law. U.S. regulations on the issue are a hodgepodge of varying statutes and state laws, but they do have some basic principles throughout.
Most states’ data privacy laws are based on the idea of Personally Identifiable Information, or PII.
Personally Identifiable Information (PII) and Video Games
PII originates from the 1984 Cable Communications Policy Act, which prevented cable operators from collecting any PII from subscribers without consent and required that they inform subscribers what they would do with their information. However, the act never defined what PII is. As a result, today there are three approaches that states take to defining PII.
The first is the tautological approach, which defines PII as any information which identifies a person. The advantage of this approach from a user standpoint is that it’s broad in defining what kind of information is PII. On the flip side, it doesn’t do anything to create a clearer definition of PII.
The second approach is the non-public approach which focuses on what kind of information is not PII. The approach suggests that if something is not public information, something that couldn’t be found in the public domain, then it’s PII. This line of thinking comes from a pre-internet mindset in which not everything was accessible so easily online. Today, if everything found online is no longer PII, there would be very little information to be protected.
The final approach to defining PII is the specific-types approach. This approach is used in Massachusetts and defines PII as a person’s first and last name, or first initial and last name, in combination with either a social security number, driver’s license number, financial account number or banking card number. The downside to this interpretation is that it is restrictive and doesn’t allow for leeway.
Understanding Privacy Laws and Video Games
Understanding privacy laws is crucial to protecting yourself from parties that may seek to collect your private information. Privacy laws have major consequences in the video games and online gaming world as a result of the EULAs that software companies require users to sign, and they can vary greatly depending on the location. Europeans have comparably better protection under the GDPR, which requires that individuals be made aware of and consent to any information being collected. Meanwhile, American privacy law is governed by varying interpretations of what Personally Identifiable Information is, which makes it easier for companies to collect private information. Understanding what the privacy law is where you live and how it works is critical in protecting your information.