Branded Games and GDPR.

In a post-GDPR world, we answer some of your compliance questions!

Posted by Cari on 09.05.18

I’m sure you’re all aware of the new GDPR regulation and that you’re preparing for the big ‘switch over’ on May 25th. We won’t get into the nitty gritty of GDPR regulation here, I’m pretty certain the internet does not need another blog about fines and penalties. And this is not a ‘checklist to compliance’ either; there are plenty of other trusted information sources out there doing just that. We found the ICO website itself particularly helpful in breaking down its 99 articles and this WIRED article provides a clear and concise overview in a non-scare-mongering way! We’ve had a number of requests about how best to ensure compliance with regards to our games, for both the front end (data capture and competition best practice) and the back end (data storage, management and hosting). So here are our responses to your GDPR FAQs for compliance with your games. We hope you find it useful. Let us know if you think we’ve missed anything – like everyone else, we’re learning too! This is a bit of a beast so if you want to jump around to a relevant question go ahead! We’ll cover…

What is the best way to capture data?

Will we get less marketing opt-ins?

How do you gain permissions for your re-engagement game email notifications?

What data does the game collect?

Where is it stored and is it secure?

Do the games use cookies?

Who’s responsible for data queries and deletion?


So let’s start us off with some FRONT END questions….

Q1. What’s the best way to capture data in a compliant way?

Being able to capture the details of those engaged with your brand and keep the conversation going is priority number one. We’ve found that one of the best ways to incentivise data capture with our games is to offer a competition, the main changes to the current regulation within GDPR is that you need to have the consumer’s explicit consent if you want to add them to your marketing mailing list. They need to understand exactly what they are signing up for and what is going to happen to their information once they have. The competition terms and conditions must be completely separate to any marketing activation to avoid any ‘confusion, coercion or penalty for refusal’, meaning you can’t automatically send marketing communications based on data used to enter a competition, and you certainly can’t refuse access to the competition if they choose not to sign up. Big, no no! When it comes to asking for permission to send them further information about your products or services, you must always give the option to ‘Opt In’ rather than an ‘Opt Out’ tick box or indeed a pre-ticked box. It must also be very clear what you will do with the data you receive, in an easily accessible data policy that makes sense and is not an indecipherable bible of technical or legal jargon. The magic word here is CLARITY. Here’s an example of what our standard score submission screen will look like going forward. We can supply a template privacy policy for you to amend or we can link to your own existing version.

Q2. What will all this mean for our data capture? Will we capture less email addresses?

Inevitably yes, but this is one of the fundamental principles behind GDPR. The new regulation gives back control to the data owner. The player. The user. Your audience. You. And those willing to share their data openly are much more valuable to a brand than those who have been duped into it through a series of dark patterns. They are already engaged, connected and trust the brand and are open to further conversations – quality over quantity.

Q3. You have a re-engagement package, where the player receives email notifications about game results and friends scores etc. How do you gain permission for that and how does that comply?

Great question. While it could be argued that any communications directly related to the game and competition would come under ‘legitimate interest’, to ensure compliance we feel it best to include an explicit opt-in for this too. To understand how this will work, let’s set the scene from a players’ perspective… You’ve finished your game, and begin submitting your details to the leaderboard. You input your name and email, tick the opt-in boxes and hit the submit button. The next screen asks if you would like to receive email notifications when you get knocked off the leaderboard or are beaten by a friend (which obviously you’d need to rectify immediately!). To get the best engagement, this message needs to be as compelling as possible, assuring players that their email address won’t be used for any other purpose and they can unsubscribe at any point. Our message system automatically stops emails being sent out to people who have unsubscribed.

Now we’ve cleared those up, let’s go technical and dive into some BACK END questions;

Q4. What data does the game collect?

Our games collect personal data and behavioural data. According to GDPR, personal data is any information relating to an identified or identifiable individual; meaning information that could be used, on its own or in conjunction with other data, to identify an individual. Once a player submits their score to the leaderboard the personal data that the game collects is a first name, last name, email address and communications opt-in preferences. Behavioural data is information about the how the game has been played, how many times, for how long, etc. This is mostly collected by Google Analytics where it is anonymous, but we also store some of this information in the game database for administrative purposes.

Q5. Where is all the data stored and is it secure?

If we’re hosting a game for you, all submitted game data is stored on a secure and encrypted database, hosted on cloud based servers within the EU. Going forward, all the games we host will also come with an SSL certificate as standard, ensuring all submitted user data is encrypted to give your players instant peace of mind with that secure https URL. You will have access to the leaderboard data from the game’s admin panel, allowing you to download the information in order to draw competition winners. You will also be able to determine who has requested further information along with a record of the date and time in which they opted in, so you can confidently add those people to your marketing lists. You can also delete those who didn’t opt-in in accordance to your own privacy policies. We will keep hold of data backups for a maximum of 2 months after the campaign ends, in accordance with our own policy.

Q6. Do the games use cookies?

Yes they do. Like most online websites and apps, the games use cookies to make everyone’s life easier. We use them to remember player details on the score submission page so that players don’t have to re-type their details over and over again. We also use them to help track behavioural information, for example with Google Analytics. We have recently incorporated a cookie notice at the start of the game which links to a cookie policy too. Again, you can use and adapt our version or we can link to your own.

Q7. What about the ‘right to erasure’ – how does this work?

Another of the main changes to legislation is the right to request what data a company holds on you and the right to request that it’s deleted without trace, like you never existed! Within your game privacy policy, you will need to provide contact details so that a player can get in touch and request a copy of the information in a readable user friendly format, with a clear policy on how they can update or delete them. You will be responsible for processing these requests but you will be able to manually delete these players via the game admin panel.

Q8. Is that it? Anymore for anymore?

Maybe! Truth be told, there aren’t many who really know how this is all going to pan out. There are no precedents here, and best-practices are yet to be defined. But so long as we are being clear, concise and transparent with the way we are requesting and processing people’s data, we should be on a good footing. If you have any questions we haven’t answered or anything is unclear, please let us know and we’ll do our best to answer them. For more information please email us at

Serious face disclaimer: We are not lawyers! This article is based on our opinion and understanding of the new GDPR regulation and shouldn’t be construed as legal advice. OK? Cool, Game on!

Subscribe to our newsletter?

    Get insights and tips for using games in your marketing straight to your inbox. Plus, be the first to play our newest games and get seasonal special offers for our off-the-shelf games service, Piknik.

    Related content