I’m sure you’re all aware of the new GDPR regulation and that you’re preparing for the big ‘switch over’ on May 25th. We won’t get into the nitty-gritty of GDPR regulation here; I’m pretty certain the internet does not need another blog about fines and penalties. And this is not a ‘checklist to compliance’ either; there are plenty of other trusted information sources out there doing just that. We found the ICO website itself particularly helpful in breaking down its 99 articles and this WIRED article provides a clear and concise overview in a non-scare-mongering way! We’ve had a number of requests about how best to ensure compliance with regard to our games, for both the front end (data capture and competition best practice) and the back end (data storage, management and hosting). So here are our responses to your GDPR FAQs for compliance with your games. We hope you find it useful. Let us know if you think we’ve missed anything – like everyone else, we’re learning too! This is a bit of a beast so if you want to jump around to a relevant question go ahead! We’ll cover…
So let’s start off with some FRONT END questions…
Inevitably yes, but this is one of the fundamental principles behind GDPR. The new regulation gives back control to the data owner. The player. The user. Your audience. You. And those willing to share their data openly are much more valuable to a brand than those who have been duped into it through a series of dark patterns. They are already engaged, connected and trust the brand and are open to further conversations – quality over quantity.
Great question. While it could be argued that any communications directly related to the game and competition would come under ‘legitimate interest’, to ensure compliance we feel it best to include an explicit opt-in for this too. To understand how this will work, let’s set the scene from a player’s perspective… You’ve finished your game, and begin submitting your details to the leaderboard. You input your name and email, tick the opt-in boxes and hit the submit button. The next screen asks if you would like to receive email notifications when you get knocked off the leaderboard or are beaten by a friend (which obviously you’d need to rectify immediately!). To get the best engagement, this message needs to be as compelling as possible, assuring players that their email address won’t be used for any other purpose and they can unsubscribe at any point. Our message system automatically stops emails being sent out to people who have unsubscribed.
Now we’ve cleared those up, let’s go technical and dive into some BACK END questions:
Our games collect personal data and behavioural data. According to GDPR, personal data is any information relating to an identified or identifiable individual, meaning information that could be used, on its own or in conjunction with other data, to identify an individual. Once a player submits their score to the leaderboard, the personal data that the game collects is a first name, last name, email address and communications opt-in preferences. Behavioural data is information about how the game has been played, how many times, for how long, etc. This is mostly collected by Google Analytics where it is anonymous, but we also store some of this information in the game database for administrative purposes.
If we’re hosting a game for you, all submitted game data is stored on a secure and encrypted database, hosted on cloud-based servers within the EU. Going forward, all the games we host will also come with an SSL certificate as standard, ensuring all submitted user data is encrypted in transit to give your players instant peace of mind with that secure https URL. You will have access to the leaderboard data from the game’s admin panel, allowing you to download the information in order to draw competition winners. You will also be able to determine who has requested further information along with a record of the date and time at which they opted in, so you can confidently add those people to your marketing lists. You can also delete those who didn’t opt in, in accordance with your own privacy policies. We will keep hold of data backups for a maximum of 2 months after the campaign ends, in accordance with our own policy.
Q8. Is that it? Any more for any more?
Maybe! Truth be told, there aren’t many who really know how this is all going to pan out. There are no precedents here, and best practices are yet to be defined. But so long as we are being clear, concise and transparent with the way we are requesting and processing people’s data, we should be on a good footing. If you have any questions we haven’t answered or anything is unclear, please let us know and we’ll do our best to answer them. For more information please email us at firstname.lastname@example.org
Serious face disclaimer: We are not lawyers! This article is based on our opinion and understanding of the new GDPR regulation and shouldn’t be construed as legal advice. OK? Cool, Game on!