The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens' data privacy, and to reshape the way organizations across the region approach data privacy.
May 25th 2018.
Ricky Runner / Contra Concept will be compliant with GDPR on this date – our internal work, as well as work with legal counsel to put this in place has been ongoing since the end of 2017.
We collect personal data from two categories of individuals:
According to GDPR, personal data is:
“Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data.
Personal data that has been de-identified, encrypted or pseudonymised but can be used to re-identify a person remains personal data and falls within the scope of the law.”
This means that not only is personally identifiable information like the user’s name, email address, or device ID (IDFA/GAID) personal data, but any data we can associate with one person, even if we cannot identify that person in the real world.
The most important consequence of this is that any data associated with one individual (or an ID referring to one individual, even if it is a randomly generated ID) is personal data – including actions they have taken in a game, such as starting the tutorial, picking a character, beginning or ending a session.
Because we both store, process, and enable gamers / users / our clients to use the data we collect (i.e. via segmentation, A/B tests, etc.) we are both a data processor and a data controller under GDPR.
Yes, as long as the user (gamers / users / our clients) has consented to their data being collected and used for analytics and marketing purposes.
The way we obtain consent differs by the type of audience.
Under GDPR, consent is: “Consent must be freely given, specific, informed and unambiguous. Informed consent means that you must be given information about the processing of your personal data”.
Consent for marketing purposes is essential to power some Contra Concept / Ricky Runner features – such as Segments, A/B testing, and the Command Center. While we do not know if a segment, experiment, or config will be used for marketing purposes, their intended use cases are for game developers / gamers / users / our clients to alter their games in ways that can market in-app purchases to their users, or enable them to show ads to their users, which are all marketing activities.
Parental consent will be required to process the personal data of children under the age of 16 for online services. Here is an example from the draft guidance on consent, for how this could be implemented:
“[Example 17] An online gaming platform wants to make sure underage customers only subscribe to its services with the consent of their parents or guardians. The controller follows these steps: Step 1: ask the user to state whether they are under or over the age of 16 (or alternative age of digital consent) If the user states that they are under the age of digital consent: Step 2: service informs the child that a parent or guardian needs to consent or authorise the processing before the service is provided to the child. The user is requested to disclose the email address of a parent or guardian. Step 3: service contacts the parent or guardian and obtains their consent via email for processing and take reasonable steps to confirm that the adult has parental responsibility. Step 4: in case of complaints, the platform takes additional steps to verify the age of the subscriber. If the platform has met the other consent requirements, the platform can comply with the additional criteria of Article 8 GDPR by following these steps.”
Yes, if appropriate safeguards are in place. Our data resides in AWS, which is part of the EU-US Privacy Shield. The Privacy Shield “protects the fundamental rights of anyone in the EU whose personal data is transferred to the United States for commercial purposes.”
According to GDPR, data must be stored for as little time as possible, and individuals must be clearly informed for how long their data will be retained.
“You must store data for the shortest time possible. That period should take into account the reasons why your company/organisation needs to process the data, as well as any legal obligations to keep the data for a fixed period of time (for example national labour, tax or anti-fraud laws requiring you to keep personal data about your employees for a defined period, product warranty duration, etc.).
Your company/organisation should establish time limits to erase or review the data stored.
By way of an exception, personal data may be kept for a longer period for archiving purposes in the public interest or for reasons of scientific or historical research, provided that appropriate technical and organisational measures are put in place (such as anonymisation, encryption, etc.).
Your company/organisation must also ensure that the data held is accurate and kept up-to-date.”
For player data the retention period will be at most 24 months – we will start to remove raw game events older than 24 months in preparation for GDPR.
The removal of raw data older than 24 months will start April 23rd 2018.
For game developers' data, the interval may vary depending on whether the account is still active.
GDPR will require consent from all European users. This consent should in most cases be collected inside your game’s user interface. You can at this time prepare by developing UI for collecting said consent when your game is first launche