Let’s start off with some FRONT END questions…
Q1. What’s the best way to capture data in a compliant way?
Being able to capture the details of those engaged with your brand and keep the conversation going is priority number one. We’ve found that one of the best ways to incentivise data capture with our games is to offer a competition. The main change to the current regulation within GDPR is that you need to have the consumer’s explicit consent if you want to add them to your marketing mailing list. They need to understand exactly what they are signing up for and what is going to happen to their information once they have. The competition terms and conditions must be completely separate from any marketing activation to avoid any ‘confusion, coercion or penalty for refusal’, meaning you can’t automatically send marketing communications based on data used to enter a competition, and you certainly can’t refuse access to the competition if they choose not to sign up. Big no-no!

When it comes to asking for permission to send them further information about your products or services, you must always give the option to ‘Opt In’ rather than an ‘Opt Out’ tick box or indeed a pre-ticked box. It must also be very clear what you will do with the data you receive, in an easily accessible data policy that makes sense and is not an indecipherable bible of technical or legal jargon. The magic word here is CLARITY.

Here’s an example of what our standard score submission screen will look like going forward. We can supply a template privacy policy for you to amend or we can link to your own existing version.
Q2. What will all this mean for our data capture? Will we capture fewer email addresses?
Inevitably yes, but this is one of the fundamental principles behind GDPR. The new regulation gives back control to the data owner. The player. The user. Your audience. You. And those willing to share their data openly are much more valuable to a brand than those who have been duped into it through a series of dark patterns. They are already engaged, connected and trust the brand and are open to further conversations – quality over quantity.
Q3. What about a re-engagement package, where the player receives email notifications about game results and friends’ scores?
Great question. While it could be argued that any communications directly related to the game and competition would come under ‘legitimate interest’, to ensure compliance we feel it best to include an explicit opt-in for this too. To understand how this will work, let’s set the scene from a player’s perspective… You’ve finished your game, and begin submitting your details to the leaderboard. You input your name and email, tick the opt-in boxes and hit the submit button. The next screen asks if you would like to receive email notifications when you get knocked off the leaderboard or are beaten by a friend (which obviously you’d need to rectify immediately!). To get the best engagement, this message needs to be as compelling as possible, assuring players that their email address won’t be used for any other purpose and that they can unsubscribe at any point. Our message system automatically stops emails being sent out to people who have unsubscribed.
Now we’ve cleared those up, let’s go technical and dive into some BACK END questions…
Q4. What data does the game collect?
Our games collect personal data and behavioural data. According to GDPR, personal data is any information relating to an identified or identifiable individual, meaning information that could be used, on its own or in conjunction with other data, to identify an individual. Once a player submits their score to the leaderboard, the personal data that the game collects is a first name, last name, email address and communications opt-in preferences. Behavioural data is information about how the game has been played, how many times, for how long, etc. This is mostly collected by Google Analytics, where it is anonymous, but we also store some of this information in the game database for administrative purposes.
Q5. Where is all the data stored and is it secure?
If we’re hosting a game for you, all submitted game data is stored on a secure and encrypted database, hosted on cloud-based servers within the EU. Going forward, all the games we host will also come with an SSL certificate as standard, ensuring all submitted user data is encrypted in transit to give your players instant peace of mind with that secure https URL. You will have access to the leaderboard data from the game’s admin panel, allowing you to download the information in order to draw competition winners. You will also be able to determine who has requested further information, along with a record of the date and time at which they opted in, so you can confidently add those people to your marketing lists. You can also delete those who didn’t opt in, in accordance with your own privacy policies. We will keep hold of data backups for a maximum of 2 months after the campaign ends, in accordance with our own policy.
Q6. Do the games use cookies?
Yes they do. Like most online websites and apps, the games use cookies to make everyone’s life easier. We use them to remember player details on the score submission page so that players don’t have to re-type their details over and over again. We also use them to help track behavioural information, for example with Google Analytics. We have recently incorporated a cookie notice at the start of the game which links to a cookie policy too. Again, you can use and adapt our version or we can link to your own.
Q7. What about the ‘right to erasure’ – how does this work?
Another of the main changes to legislation is the right to request what data a company holds on you and the right to request that it’s deleted without trace, like you never existed! Within your game privacy policy, you will need to provide contact details so that a player can get in touch and request a copy of the information in a readable, user-friendly format, with a clear policy on how they can update or delete it. You will be responsible for processing these requests, but you will be able to manually delete these players via the game admin panel.
Q8. Is that it? Any more for any more?
Maybe! Truth be told, there aren’t many who really know how this is all going to pan out. There are no precedents here, and best practices are yet to be defined. But so long as we are being clear, concise and transparent with the way we are requesting and processing people’s data, we should be on a good footing. If you have any questions we haven’t answered or anything is unclear, please let us know and we’ll do our best to answer them. For more information please email us at hello@peekandpoke.com.
Serious face disclaimer: We are not lawyers! This article is based on our opinion and understanding of the new GDPR regulation and shouldn’t be construed as legal advice. OK? Cool, game on!