Level Up Your Data Privacy Game: Gaming Companies as Data Controllers
In the dynamic world of gaming, protecting personal data is paramount. This article delves into how game companies navigate their responsibilities as data controllers. From ensuring transparent data processing and securing user consent to addressing common regulatory challenges, the article emphasizes the crucial role of ethical practices in building trust and compliance. Discover how these measures safeguard user privacy and uphold industry standards in gaming.
17.07.2024
The gaming industry is growing rapidly, and that growth brings responsibilities with it. One of them is the protection of personal data. Gaming companies have many legal and ethical obligations regarding the collection and processing of user data. They should act transparently and pay close attention both to how consent is obtained and to the security of the data they process. A gaming company that fails to take the steps needed to comply with its legal obligations on personal data protection may face fines and other sanctions; in addition, data breaches cause reputational damage and erode customer confidence.
Many gaming companies are aware of their obligations regarding the protection of personal data and generally comply with them. However, there are still many companies in the industry that are not sufficiently aware of the issue and do not take the necessary steps.
Responsibilities of Data Controllers in Personal Data Processing
Under the Personal Data Protection Law No. 6698 (the "Law"), any operation performed on personal data, wholly or partly by automatic means or, as part of a data recording system, by non-automatic means, is considered personal data processing: obtaining, recording, storing, altering, rearranging, disclosing, transferring, making accessible, classifying or preventing its use. Processing continues until the data is deleted, destroyed or anonymized.
Personal data may be processed only where one of the processing conditions listed in the Law applies or the data subject has given explicit consent. The data controller should first assess whether the purpose of the processing activity satisfies one of the conditions other than explicit consent. Only if it does not must explicit consent be obtained for the processing to continue.[1]
This is where the concept of the "data controller" becomes important. A data controller is the natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system. A legal entity is itself deemed the data controller for the processing activities it carries out, and the legal responsibilities set out in the relevant regulations rest with the legal entity itself.[2] Gaming companies and game developers are therefore data controllers in this sense.
Under Article 12 of the Law, the data controller is obliged to prevent the unlawful processing of personal data, prevent unlawful access to it and ensure that it is preserved. To fulfil these obligations, the data controller must take all necessary technical and administrative measures to provide an appropriate level of security.[3] The data controller must also carry out, or have carried out, the audits needed within its organization to ensure that the provisions of the Law are implemented.
Moreover, data controllers and data processors may not disclose personal data to others in breach of the Law or use it for purposes other than those for which it is processed. If personal data is obtained unlawfully by others, the data controller is obliged to notify the Personal Data Protection Authority (the "Authority") as soon as possible, and within 72 hours of becoming aware of the breach at the latest, and to inform the data subjects concerned as soon as reasonably possible. The Authority may announce the breach on its website or by any other method it deems appropriate. A data processor that has been authorised by the controller shares responsibility for these obligations.
Types of Personal Data Processed in the Gaming Industry
Gaming companies process various types of personal data, including:
- Basic personal data: name, surname, date of birth, gender, fingerprint and facial images, e-mail address and phone number (fingerprint and facial images are biometric data, which the Law treats as a special category of personal data under Article 6 and which may be processed only under stricter conditions);
- Demographic data: age, gender, language preference, country and region;
- Other personal data: profile photo, ID, time spent in the game, device information, interactions with other users, credit card information for game access and purchases.
Domestic and international data protection legislation requires data minimization: personal data should not be processed where the processing is not necessary for the purpose. Where processing is necessary, the obligation to inform must be fulfilled by means of a clarification text (privacy notice) prepared for that purpose. According to Article 10 of the Law, the data controller or the persons it authorises must inform data subjects at the time their personal data is obtained.
When processing personal data, the general principles set out in Article 4 of the Law must be observed. These principles are:
- Compliance with the law and good faith.
- Being accurate and, where necessary, up-to-date.
- Processing for specific, explicit and legitimate purposes.
- Being relevant, limited and proportionate to the purpose for which they are processed.
- Being retained for the period stipulated in the relevant legislation or necessary for the purpose for which they are processed.
Under Article 10 of the Law, the data subject must be informed of the identity of the data controller and of its representative, if any; the purposes for which personal data will be processed; to whom and for what purpose the processed personal data may be transferred; the method and legal basis for collecting the personal data; and the data subject's rights under Article 11 of the Law.
Explicit consent should be relied on only where none of the other processing conditions in Articles 5 and 6 of the Law applies, that is, where the personal data cannot lawfully be processed without consent; to be valid, explicit consent must be freely given, specific to the processing in question and informed.[4] The clarification texts, explicit consent texts and cookie policies required under the Law must be available from the moment a user first logs in to the game or website and must be easily accessible to every user.
Common Deficiencies and Regulatory Decisions in the Gaming Industry
As the importance of personal data grows, decisions on data breaches are becoming increasingly detailed, and the reasoning given in decisions involving gaming companies often serves as guidance for compliance. Data protection authorities worldwide typically focus on a few key areas and impose sanctions accordingly: the transfer of data abroad and the use of third-party software are particular focal points, alongside failures to meet legal obligations such as the obligation to inform.
In a recent decision, the Authority found that the requirements for explicit consent had not been met and that a transfer of data abroad did not comply with the conditions set out in the legislation. A prominent gaming company was consequently fined 750,000 TL and a compliance audit was ordered.[5] Following this decision, the company must prepare a coherent clarification text and a cookie policy that respect users' free choice.
The Authority handles numerous user complaints, most of which concern companies' inadequate fulfilment of their obligation to inform. Users often cannot tell why their data is collected or how it will be processed, and file complaints with the Authority as a result.[6]
Another violation that recurs in the decisions is the failure to implement the technical and administrative measures required by Article 12 of the Law. Following the Personal Data Security Guide published by the Authority on these measures is essential for compliance.[7]
Importance of Default Privacy Settings in Games
Default settings within games should be privacy-protective and designed with every age group in mind. Gaming companies have a critical responsibility to protect children's privacy rights and must implement adequate measures accordingly.
In multiplayer games, text and voice communication between users poses risks, especially for sensitive groups such as children, when players are matched with strangers. The necessary precautions must be taken to shield children from harmful situations such as bullying and threats; for example, communication with unknown players should be restricted by default for accounts belonging to children.
Furthermore, robust verification should be required before in-game purchases so that purchases by children cannot be completed without parental or cardholder consent.
Building User Trust and Ethical Responsibility
As in any industry, safeguarding personal data is paramount in gaming. Gaming companies must meet their ethical responsibilities in data processing to establish and maintain user trust.
Fundamental principles such as transparency, consent, security, purpose limitation and the rights of access and correction underpin user trust and data processing practices. Ethical and responsible data processing means openly informing players about what data is collected, for what purposes and how it is used. Security measures must be in place to protect personal data from unauthorized access, use, disclosure, alteration or destruction. Personal data should be collected and processed only for specific, explicit and legitimate purposes. Players should have the right to access, correct or delete their personal data and to restrict its processing.
Gaming companies should develop and implement data processing policies and procedures guided by these ethical principles, and should manage risks such as data breaches and security incidents effectively. By adhering to ethical and responsible data practices, gaming companies can earn user trust and lead the industry.
Conclusion
The protection of personal data is crucial in the gaming industry. Gaming companies must meet both legal requirements and ethical standards when collecting and processing user data, which includes obtaining explicit consent where it is required, ensuring data security and fulfilling the obligation to provide clear information to users.
Data controllers must not only fulfil their legal duties but also take proactive steps to safeguard user privacy and prevent data breaches. Informing users transparently and presenting privacy policies clearly are essential to this. By doing so, gaming companies can comply with the law, enhance customer trust and protect their reputation in the industry.
References
Aydınlatma Yükümlülüğünün Yerine Getirilmesi Rehberi [Guide on Fulfilling the Obligation to Inform] (only in Turkish). March 2019. kvkk.gov.tr: https://www.kvkk.gov.tr/SharedFolderServer/CMSFiles/7a55e4d4-0cc3-4d4e-800c-ee78ce5ce88a.PDF
Kişisel Veri Güvenliği Rehberi (Teknik ve İdari Tedbirler) [Personal Data Security Guide (Technical and Administrative Measures)] (only in Turkish). January 2018. kvkk.gov.tr: https://www.kvkk.gov.tr/SharedFolderServer/CMSFiles/7512d0d4-f345-41cb-bc5b-8d5cf125e3a1.pdf
Kişisel Verileri Koruma Kurulunun 16.04.2020 tarih ve 2020/286 sayılı Karar Özeti [Summary of Personal Data Protection Board Decision No. 2020/286 dated 16.04.2020] (only in Turkish). 16 April 2020. kvkk.gov.tr: https://www.kvkk.gov.tr/Icerik/6763/2020-286
Kişisel Verileri Koruma Kurulunun 23/12/2022 tarihli ve 2022/1358 sayılı Karar Özeti [Summary of Personal Data Protection Board Decision No. 2022/1358 dated 23/12/2022] (only in Turkish). 23 December 2022. kvkk.gov.tr: https://www.kvkk.gov.tr/Icerik/7595/2022-1358
Kişisel Verileri Koruma Kurulunun 28/09/2023 Tarihli ve 2023/1645 Sayılı Karar Özeti [Summary of Personal Data Protection Board Decision No. 2023/1645 dated 28/09/2023] (only in Turkish). 28 September 2023. kvkk.gov.tr: https://kvkk.gov.tr/Icerik/7765/2023-1645
Kişisel Verilerin İşlenme Şartları [Conditions for Processing Personal Data] (only in Turkish). n.d. kvkk.gov.tr: https://www.kvkk.gov.tr/Icerik/4190/Kisisel-Verilerin-Islenme-Sartlari
Veri Sorumlusu ve Veri İşleyen [Data Controller and Data Processor] (only in Turkish). n.d. kvkk.gov.tr: https://www.kvkk.gov.tr/Icerik/4195/Veri-Sorumlusu-ve-Veri-Isleyen
[5] Kişisel Verileri Koruma Kurulunun 28/09/2023 Tarihli ve 2023/1645 Sayılı Karar Özeti [Summary of Personal Data Protection Board Decision No. 2023/1645 dated 28/09/2023] (only in Turkish), 2023.
-
Kemal Altuğ Özgün
Managing Partner
-
Burak Bayrak
Associate
-
Beste Bayrak
Legal Trainee