Playing with privacy? Privacy and cybersecurity considerations in esports
This article has been written by Sheppard Mullin’s Privacy and Cybersecurity Team Leader Liisa Thomas and its Privacy and Cybersecurity Lead Associate Julie Kadish, on behalf of the law firm. This piece was edited by Esports Insider.
The world of competitive video gaming implicates a complicated patchwork of privacy laws, and esports companies need to keep in mind some key issues when assessing privacy and cybersecurity obligations. Understanding these obligations is all the more important as esports continues to be a quickly growing international trend.
As sophisticated hardware and software have created enhanced features that are changing the game industry, so too has the opportunity emerged to collect more data from users. Game publishers used to know relatively little about the users they interacted with. Now, with the ability to collect more data about identified users, game publishers and platforms can create more customised and exciting experiences for players.
Specific privacy and cybersecurity considerations in the esports landscape may vary based on whether a company is a game publisher, versus a platform provider, league, or event host.
Below are some of the key questions to think through to assess issues related to data use (privacy) and cybersecurity in esports. Armed with the answers to these questions, companies, with the help of their privacy lawyers, can begin to assess their legal obligations and address regulatory requirements.
There are many different laws that impact the ability to collect information. Typical questions to consider for compliance with these laws include whether appropriate notices or disclosures have been provided. There are several other questions that esports companies should keep in mind, including:
Do the notices (in the game, online, or otherwise at the point of collection) accurately describe what information is collected? This includes data collected from linked social media profiles.
Is the type of information collected regulated by specific laws (biometric) or industry standards (cardholder data)?
Are you collecting only data that is truly needed for the game or hardware to operate (data minimisation)?
Can users and league members exercise choice over the data that is collected?
As a publisher or a platform, are you collecting information online from children under the age of thirteen? If so, then the Children’s Online Privacy Protection Act (COPPA) applies and more questions need to be asked. This includes whether you have obtained parental consent (or determined that you fall within a narrow exception).
There are also many things that govern how information can be used, including laws, the representations made to persons about how information would be used, and sometimes, contractual obligations. To guide this analysis, esports companies can think about questions such as:
Want to send marketing-related text messages to users about an upcoming live stream of a league event? If so, then do you have a consent process and back-end functionality to process opt-outs?
As a game developer, does the publisher agreement limit how information can be used?
Many companies want to find ways to share or monetise the data they collect. Unfair and deceptive trade practices laws (like Section 5 of the FTC Act and similar state laws) impact a company’s ability to share user information. This means esports companies need to examine the promises made about how they would treat information, whilst also asking themselves questions like:
Were attendees at a league event told that information would never be shared with third parties?
What measures are in place to ensure that information is not shared?
Also, companies that share data may have requirements to allow users to opt out of such sharing.
Laws to protect information may apply to esports stakeholders based on certain types of information collected, and/or because a company collects information from residents of the impacted state. Some of these state laws call for specific measures in a data security programme, such as a written information security policy, employee training, or contractual requirements for vendors. Other laws may generally require ‘reasonable security’ measures. With this in mind, esports companies can think about what types of preventative measures they have in place. Questions to ask include:
Is there a written information security programme? Are employees trained on how to follow it?
What measures are in place to deal with a potential data incident?
Remember that these laws often protect more than the typical ‘personal’ information; usernames and passwords, for example, are frequently covered.
For stakeholders in the esports industry, the data opportunities must be balanced against a complex web of privacy laws. Outside of regulation, the approach and philosophy a company takes on trust and safety, data ethics, and design inclusivity may also impact user privacy.
New immersive experiences in esports using virtual and augmented reality technology heighten the need for a workable privacy and cybersecurity framework in this space. The challenge lies in applying these concepts to technology that did not exist when the laws were drafted. Using these questions can help esports companies begin to assess their legal obligations.
This article is provided for information purposes only and does not constitute legal advice and is not intended to form an attorney client relationship. Please contact your Sheppard Mullin attorney contact for additional information.
Disclaimer: This piece has been supported by Sheppard Mullin.