GDPR FAQS

Join Ricky on his journey through the Interactive physics based world filled with unique dynamic obstacles and plenty of puzzles to solve. Explore the multi layered maze and find out what is really at stake!

GDPR FAQS

Did you play our demo? Any suggestions? Leave feedback or…

Join Ricky on his journey through the Interactive physics based world filled with unique dynamic obstacles and plenty of puzzles to solve. Explore the multi layered maze and find out what is really at stake!

GDPR FAQS

Did you play our demo? Any suggestions? Leave feedback or…

 

Will you update your terms in relation to GDPR?

 

Yes. Both our terms and conditions and privacy policy have already been updated in preparation for GDPR. These are available on our web site www.contra-concept.com. Continuing to use Ricky Runner or Contra Concept constitutes acceptance of these updated policies.

 

 

What is GDPR?

 

The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.

 

 

When does GDPR go into effect?

 

May 25th 2018.

Ricky Runner / Contra Concept will be compliant with GDPR on this date – our internal work, as well as work with legal counsel to put this in place has been ongoing since the end of 2017.

 

 

What kind of data does Ricky Runner or Contra Concept collect?

 

We collect personal data from two categories of individuals:

  • Game developers – users who gets inspired with Contra Concept
  • Players – the players of games tracked with Contra Concept

 

 

What is personal data?

 

According to GDPR, personal data is:

“Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data.

Personal data that has been de-identified, encrypted or pseudonymised but can be used to re-identify a person remains personal data and falls within the scope of the law.”

This means that not only is personally identifiable information like the user’s name, email address, or device ID (IDFA/GAID) personal data, but any data we can associate with one person, even if we cannot identify that person in the real world.

The most important consequence of this is that any data associated with one individual (or an ID referring to one individual, even if it is a randomly generated ID) is personal data – including actions they have taken in a game, such as starting the tutorial, picking a character, beginning or ending a session.

 

 

What is our status under GDPR?

 

Because we both store, process, and enable gamers / users / our clients to use the data we collect (i.e. via segmentation, A/B tests, etc.) we are both a data processor and a data controller under GDPR.

 

 

Are we allowed to collect this data?

 

Yes, as long as the user (gamers / users / our clients) has consented to their data being collected and used for analytics and marketing purposes.

 

 

How do we get consent to collect this data?

 

The way we obtain consent differs by the type of audience.

  • For game developers and proffesionals we will ask for consent when they sign up or log into the service – this will be in the form of accepting our new privacy policy and terms of service which detail the types of data we collect and the ways they are used. This consent must be provided on an opt-in basis.
  • For players the game developers must ask for consent when the game opens, before any data has been sent to us (or to other data controllers and processors). The consent they ask for from their players must include that their data will be used for analytics and marketing purposes. Most game developers should also have publicly available privacy policies and terms of service that can be reviewed by users.

Under GDPR, consent is: “Consent must be freely given, specific, informed and unambiguous. Informed consent means that you must be given information about the processing of your personal data”.

 

 

Why do we need consent for marketing purposes from players?

 

Consent for marketing purposes is essential to power some Contra Concept / Ricky Runner features – such as Segments, A/B testing, and the Command Center. While we do not know if a segment, experiment, or config will be used for marketing purposes, their intended use cases are for game developers / gamers / users / our clients to alter their games in ways that can market in-app purchases to their users, or enable them to show ads to their users, which are all marketing activities.

 

 

 

What about individuals under the age of 16?

 

Parental consent will be required to process the personal data of children under the age of 16 for online services. Here is an example from the draft guidance on consent, for how this could be implemented:

“[Example 17] An online gaming platform wants to make sure underage customers only subscribe to its services with the consent of their parents or guardians. The controller follows these steps: Step 1: ask the user to state whether they are under or over the age of 16 (or alternative age of digital consent) If the user states that they are under the age of digital consent: Step 2: service informs the child that a parent or guardian needs to consent or authorise the processing before the service is provided to the child. The user is requested to disclose the email address of a parent or guardian. Step 3: service contacts the parent or guardian and obtains their consent via email for processing and take reasonable steps to confirm that the adult has parental responsibility. Step 4: in case of complaints, the platform takes additional steps to verify the age of the subscriber. If the platform has met the other consent requirements, the platform can comply with the additional criteria of Article 8 GDPR by following these steps.”

 

 

Do we store records of consent?

 

  • For game developers – we will store a record of consent in our user DB and management system.
  • For players – we will not do so when GDPR comes into effect, but we may decide to do so at a later date, through an SDK and/or API. However, due to the slow adoption of SDKs and to the lifecycle of games (i.e. end of life games in particular), SDK-collected consent will not be initially sufficiently accurate for us to either blacklist or suspend a game developer / gamers / users / our clients. Any such decisions will be made as a result of an audit only.

 

 

 

Can we transfer personal data outside of EU territories?

 

Yes, if appropriate safe guards are in place. Our data resides in AWS which is part of the EU-US Privacy Shield. The Privacy Shield “protects the fundamental rights of anyone in the EU whose personal data is transferred to the United States for commercial purposes.”

 

 

Do we have any restrictions on data retention?

 

According to GDPR, data must be stored for as little time as possible, and individuals must be clearly informed for how long their data will be retained.

GDPR specifies:

“You must store data for the shortest time possible. That period should take into account the reasons why your company/organisation needs to process the data, as well as any legal obligations to keep the data for a fixed period of time (for example national labour, tax or anti-fraud laws requiring you to keep personal data about your employees for a defined period, product warranty duration, etc.).

Your company/organisation should establish time limits to erase or review the data stored.

By way of an exception, personal data may be kept for a longer period for archiving purposes in the public interest or for reasons of scientific or historical research, provided that appropriate technical and organisational measures are put in place (such as anonymisation, encryption, etc.).

Your company/organisation must also ensure that the data held is accurate and kept up-to-date.”

 

 

When will we remove data?

 

In our new privacy policy which was updated on April 27th 2018, we have clearly specified the period for which the data will be retained.

For player data the retention period will be at most 24 months – we will start to remove raw game events older than 24 months in preparation for GDPR.

The removal of raw data older than 24 months will start April 23rd 2018.

For game developer’s data – the interval may vary depending on whether the account is still active.

 

 

How can you prepare for GDPR?

 

GDPR will require consent from all European users. This consent should in most cases be collected inside your game’s user interface. You can at this time prepare by developing UI for collecting said consent when your game is first launche