How mobile gaming companies are dealing with GDPR

Posted on May 29, 2018 by Eric Benjamin Seufert

The EU's General Data Protection Regulation transitioned into the enforcement phase on May 25th (the regulation was originally adopted in April 2016). As pretty much every human with an inbox became aware last week, many companies updated their privacy policies to comply with the new set of laws and sent updates to users about those changes. What was striking about the start of the regulation's enforcement phase was how much remains unclear about what, exactly, compliance looks like: the wording of the regulation was ostensibly intentionally left nebulous so as to retain a focus on its spirit and not its temporal letter. Given that class-action lawsuits against Facebook and Google, totaling $8.8 billion in damages sought, were filed on the first day of the GDPR's enforcement period by an Austrian privacy activist, it does seem likely that litigation will sharpen the edges of the regulation sooner rather than later.

For web-based media outlets, the process of implementing GDPR for user-facing content is a fairly straightforward removal of all tracking and advertising scripting and cookies in the case of non-consent over data collection; apparently USA Today's page content load dropped from over 5MB to about 500KB with all of this stripped away in its "GDPR version". For web-based companies that actually process user data, like online retailers, the process of complying with GDPR is less straightforward owing to the intricacies of data management and the allowance of right to be forgotten and right to access. But compliance for mobile companies is even more complex: tracking and advertising functionality is deeply embedded into any app that tracks user progress or monetizes via ads, and this functionality can't simply be stripped away in the case that a user doesn't provide data collection consent. Most apps need to be fundamentally altered in order to comply with GDPR.

It's interesting to observe how different mobile-focused companies have approached GDPR compliance. Luckily, Ohad Barzilay, the VP of Product at Ilyon Dynamics, former COO of Mytopia, and active Mobile Dev Memo slack team contributor, surveyed some of the most popular mobile games and inventoried the changes they have implemented to comply with GDPR:

Consent

Some companies have instituted a hard gate at the start of their games that prevents further interaction with the app without agreeing to a privacy policy:

Supercell did not implement a hard gate within Clash Royale; rather, they inserted news of a privacy update into the news feed.

Right to be Forgotten and Right to Access

King, the developer behind the Candy Crush franchise, seems to have put a manual process for deletion and retrieval of user data in place.

Supercell instructs users who wish to have interest-based targeting turned off for them to disable that functionality at the device level through limit ad tracking and have created the ability to opt out of targeted in-game offers via game settings:

Gram Games, the developer behind 1010! and Merged!, does allow users to continue to play Merge Farm! without consenting to data collection. It also allows users to see the data that the game has collected about them and to delete that data from within the app:

The number of approaches taken in complying with the GDPR is a testament to how unclear its directives are. Certainty around how to comply, what exactly constitutes personal data / personally identifiable information, the level of functionality to which a user is entitled without consenting to data collection, etc. will doubtless come with time, but for now, many different paths have been cut toward compliance.

Photo by Dayne Topkin on Unsplash