The online gaming industry, encompassing users from diverse age groups and income levels, has emerged as one of the world's leading entertainment sectors. However, this industry processes vast amounts of sensitive data, posing significant threats to consumer privacy. The data collected includes inferences about a user's device information, network connection, age, gender, emotions, skills, interests, consumption habits, and personality traits. Given the complexities involved in processing such detailed and personal player metrics, it is imperative to ensure the highest possible transparency at every stage of the data lifecycle to maintain accountability and control over data. While we await the robust and comprehensive rules, let's navigate through key aspects related to online gaming sector and the critically acclaimed game-changer Act of 2023:
Reconceived Consent Architecture: Online gaming platforms that collects biometric, behavioral, social, and geolocation player data should obtain user consent specifically and separately from the consent acquired to process personal information and KYC details. Since a majority of the online gaming industry's consumer falls under 18 years old category, platforms must seek parental consent through verification mechanisms and prevent the tracking of personal data of minors or children. Once collected, data should only be processed for predictive analytics, revenue generation, and other such legitimate interests. Furthermore, consent should be obtainable and withdrawable through the same user interface, such as the settings or options menu, and via the same action with due considerations wherein the withdrawal of consent should not result in a degraded gaming experience for the user.
Compliant Cross Border Data Transfer: Gaming companies that transfer data to a cloud service or data center must ensure that the computing infrastructure is located in a jurisdiction with a data protection regime that is as stringent as or more stringent than the Digital Personal Data Protection Act, 2023 ("the Act"). Agreements with transnational data processors should include stipulations and standards to ensure that data-in-transit is afforded the same level of security that gaming companies maintain while processing personal data of users.
Data Fiduciaries and Significant Data Fiduciaries ("SDFs"): Data Fiduciaries (Gaming companies) will have to follow stricter guidelines and policies when processing the data of users, considering that a large portion of the users in the gaming industry are minors. A new challenge which will be faced by a large number of Data Fiduciaries is transnational sharing of data, as a significant amount of game developers are foreign companies. Seeking consent of users will be another aspect that Data Fiduciaries will have to focus on, due to the large number of minor users of games and video game consoles.
Processing of Children's Data: One of the major concerning aspects under the gaming sector is processing of children's data wherein verifiable consent of parent/guardian is required, so as to evade the consequences of tracking, behavioral monitoring and targeted advertisement. The gaming platforms requires to inform the users with notices and incorporate mechanism for age confirmation. However, the manner and mechanism in which the same is anticipated and apprehended is to be clarified in details in the upcoming rules.
Grievance Redressal: Mechanisms for grievance redressal will have to be more accessible and well defined, especially for parents of minor users, in cases of breach of data and the data protection policies of gaming companies. Considering that a large number of users are minors, the best way companies can secure the personal data of such users is by creating policies in strict adherence to the DPDP Act, 2023, and also self-regulating, to ensure no sensitive data of any user has been leaked.
Conclusion
The gaming industry, in the past decade has seen an exponential growth among the masses, wherein the user base of online gamers in India contributes to a major fraction worldwide. With the rise of online games and the dependency of modern video games on the internet for various reasons such as software updates and bug fixes, the need to process the data of users becomes an important aspect of the industry. That said, with the enactment of the DPDP Act, 2023, gaming companies and developers will now be required to maintain higher standards of data privacy and data protection, as gaming is considered as one of the most convenient and accessible form of entertainment, especially with the advent of video games being created and optimized for mobile phones. Hence, the legislative intent behind the 2023 Act is to cultivate and encourage the practice of informed, specific consent and transparent processing of wide range of data. The Act calls for adaptation of elaborate measures by the industry players and stakeholders, wherein the far reaching aspect of content moderation is also under consideration by the legislators, and the approach has seen a drastic shift from being a mere compliance activity to harboring significant confidence and trust among the diverse stakeholders.
Originally published 2 September 2024
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.