The online gaming industry these days is more social, innovative, and commercially lucrative than ever before. Online gaming platforms of all shapes and sizes have access to state-of-the-art development talent, marketing, platform tools and choices to develop, launch, and commercialize games. This evolution of the industry, while creating lucrative potential, brings with it increasing legal scrutiny. Pertinently, the data that players provide when signing up for an online game has not only become more commercially valuable, but is also subject to greater regulation by lawmakers across the world.
India has notified its much-awaited Digital Personal Data Protection Act, 2023 (“DPDPA”) which is set to redefine the data privacy and protection regime in the country. The DPDPA has been notified but is not yet in force. Like the EU’s General Data Protection Regulation (“GDPR”) the Central Government is likely to give industry a transition period to comply with the provisions of the act. With the industry set to brace for impact, personal data processing across sectors will now have to adhere to the principles laid down in the DPDPA.
The online gaming sector deals with multiple types of personal data. Depending on the nature of the game, players disclose data(sets) revealing identifiable information about themselves and others, which online gaming platforms in turn process in the context of their business activities. Common examples include names, gamer tags, e-mail addresses, sex/gender, age and – depending on whether in-game transactions and/or membership fees are at play – credit card and other payment details. As such, online gaming will be one of the sectors where the impact of the DPDPA and its compliance obligations will be felt the most.
This article will address three issues that will become increasingly relevant for the online gaming industry under the upcoming DPDPA- legal basis for processing, obligations of online gaming platforms as data fiduciaries and in-game marketing of additional content.
Legal basis for processing: consent, performance of a contract or legitimate interest
Data fiduciaries, which would include online gaming platforms, under the DPDPA must only process personal data for a lawful purpose and, barring limited exceptions must only do so based on consent or for certain legitimate uses.
Consent obtained from a data principal under the DPDPA must be free, specific, informed and unambiguous and should be provided through clear affirmative action while being limited to the personal data that is necessary for the specified purpose. The burden of proof that these criteria have been fulfilled will fall upon the data fiduciary, which is likely the online gaming platform. Consent as a legal basis may be best avoided in case processing activities of personal data are essential for the games’ (technical) functioning; consent would then not be given freely, but rather as a conditionality. Online gaming platforms should provide separate options for giving consent for individual processing activities.
The legitimate or lawful purposes/interests of the online gaming platform or a third party appointed by it constitute another ground for lawful data processing under the DPDPA. For online gaming platforms to rely on this legal basis, the processed data needs to be limited to what is strictly necessary for fulfilling the legitimate interest and must stand in proportion to the data subjects’ interests. Examples of where legitimate purposes could be used include storing user correspondence for quality improvement, the collection of meta-data to improve server strengths and in-game function measurement for product improvement.
Under the DPDPA a data principal has the right to withdraw his or her consent as well. Users of online gaming platforms will have to be afforded the same right and should ideally be able to withdraw their consent as easily as they gave it. In practice, this would imply that online gaming platforms should ensure that consent must be obtainable and withdrawable through the same user interface-for example the games setting or options menu- and preferably taking the same action wherewith consent was first initially acquired. Withdrawal of consent should ideally be free of charge and without any risk of a decrease in the quality of service for the user.
Obligations of Online Gaming Platforms as Data Fiduciaries
Under the DPDPA, data principals have been accorded five key rights- Right to Access Information about Personal Data, Right to Correction and Erasure of Personal Data, Right of grievance redressal and to nominate.
Data fiduciaries must mandatorily comply with requests made by data principals for the enforcement of these rights. Online gaming platforms should provide their users with an easy way to communicate and action requests relating to these rights. Platforms could consider adding a request/redressal feature and building internal capacity and dedicated resources to respond to such requests within the prescribed timelines.
Online gaming platforms often process personal data that is used to make decisions about users such as to block a user based on a review of their behaviour within a game or when they transfer personal data to other data fiduciaries or data processors. Online gaming platforms will have to ensure data completeness, accuracy and consistency in these cases. Platforms should consider implementing tools such as audit logs to track modifications to databases to maintain data quality and integrity. Further, online gaming platforms should ensure that contracts with data processors mandate the same level of data security to be maintained by them while processing user personal data. Online gaming platforms would do well to have data retention and erasure protocols in place that are universally accepted. Unless legally required the default modus operandi should be to purge personal data if a user withdraws consent or requests erasure.
Certain online gaming platforms may be classified as Significant Data Fiduciaries based on factors such as the number of users, the quantum of transactions processed and even the negative perception of online gaming amongst the public. Online gaming platforms will then have to comply with obligations applicable to significant data fiduciaries under the act such as appointing a data protection officer, undertaking data protection impact assessment, periodic audits etc.
In-game marketing to Children, and others.
The DPDPA has clear prohibitions with regard to directing targeted marketing towards children, and requires verifiable consent to be obtained from their parents for processing.
This becomes particularly relevant when it comes to consent that is obtained from underage gamers. The under-18 age group forms a massive chunk of the user base for a lot of online gaming platforms in India. Under the DPDPA online gaming platforms can only process the personal data of a child only after verifying their age and obtaining the consent of their parent or guardian. Though age-gating is a required facet of any data protection regime, it might lead to a dip in the number of users under the age of 18 for online gaming platforms. The multiple levels of verification for teenagers, or even adults, could potentially hinder business prospects. Furthermore, in terms of users, in cases where online gaming platforms have to take explicit consent, the repetitive nature of such processes may lead to consent fatigue. This will most likely affect free-to-play online gaming platforms as the majority of their user base comes from the 13-18 age group.
Several online games these days offer additional in-game content for sale, such as booster packs and/or loot box mechanics, functional or aesthetic items, and access to distinct levels, game modes and/or maps. This content is often promoted through in-game commercials during loading screens or in-game stores. This may, in some cases, fall foul of the prohibition against targeting children.
Meta-data collected indirectly from users- such as time spent playing, measurements of playing sessions, and in-game currency spending patterns are often used by online gaming platforms to optimize when, what and to whom certain in-game marketing is shown to whom. If such metadata enables the online gaming platform to identify the user, it will be treated as personal data and such processing of personal data (often termed as profiling) will be subject to the provisions of the DPDPA. Online gaming platforms will need a legal basis for such a processing activity as it is unlikely that it will be considered necessary for the performance of the service i.e., offering the game to users. The level of profiling could determine if an online gaming platform can rely on lawful purpose or legitimate uses as the legal basis. However, in case of extensive profiling consent may be required, as the user’s/data principal rights will likely outweigh the business interests of the online gaming platform.
What Comes Next
What online gaming platforms have to accept is that processing of their user data now comes with clear legal responsibilities under the DPDPA. The DPDPA and surrounding information technology and fin-tech rules and regulations will now play a key role in determining the full set of legal obligations and compliances that apply to online gaming platforms in terms of processing user personal data from the moment a user signs up for a game, to the monitoring of online conduct as well as the in-game marketing exploitation.