
Almost two-thirds of mobile, PC and laptop users now play online games such as PUBG or Minecraft, and the reach is growing rapidly. As online gaming grows, so does the volume of personal data exposed and the likelihood of data breaches.

Gamers enjoy playing online but rarely know what precautions are needed to safeguard their personal data. The risk of falling prey to cyber criminals is real: gamers unknowingly exchange personal information with peers, and that information is then at risk.

Let us now look at the OTM (Organizational & Technical Measures) that safeguard gamers.

Checklist for Individuals who play games online:

  • Understand the privacy policy

    • Before consenting to the terms and conditions at registration, read the privacy policy carefully. It tells you what information the game or console collects and how that information is transferred and processed further.
    • If your personal information is transferred to a third party, assess how well it will be protected there.
    • Seek parental guidance and advice if you are a minor.
  • Create an email address used only for gaming. If that address starts receiving unrelated email, you will know which gaming service provider shared it without permission.
  • Preference setting & option to remain anonymous

    • When setting up your gaming profile and preferences, be careful not to give out too many personal details.
    • Keep the profile minimal.
    • An over-detailed profile endangers not only you but also your contacts and fellow gamers.
    • Use an alias rather than your real name when playing with peers.

  • Traversing to other social networks

    • It is best not to link gaming accounts with social network accounts.
    • If you do link them, understand what information will be exchanged between the two.
    • Adjust the settings on both sides to limit the information that is shared.

  • Request to access your devices

    • Grant a game access to your camera, microphone or location data only when it actually needs it, and check that you can revoke that access later from the game or operating-system settings.

  • Clicking external links

    • Be careful when clicking links shared in in-game chat, especially from gamers you do not know in real life; they may be phishing attempts.
    • Avoid visiting unverified sites or downloading third-party software, mods or add-ons from unknown sources.

  • Anti-virus

    • Install security software / anti-virus that can detect malicious links and spam, and scan your device regularly for malware.

  • Data Retention

    • Check, and if necessary ask, what provisions exist for data retention, deletion of your personal information and account deactivation after you opt out. Many gaming companies do not cover these in their privacy policies.

  • Financials

    • Do not store credit or debit card details in a gaming account; prefer payment options that do not expose your card details.
    • Review your bank statements regularly to make sure there are no purchases you do not recognise.

Gamer’s privacy information rights

  • Right to be informed how PI (personal information) is processed, and to access the PI held about you
  • Right to rectification of PI
  • Right to erasure of PI
  • Right to data portability (to receive your PI and have it transmitted to another service provider)
  • Right to withdraw consent
  • Right to object to direct marketing
  • Right to lodge a complaint with a supervisory authority, for example after a PI data breach

Org. & Technical measures that can be taken by Gaming Companies

  • Policy

    • Have an enshrined Data Privacy Policy
    • Every processing activity should have a documented legal basis and, where legitimate interest is relied on, a record of that interest
    • Have a clear Cookie policy & Consent Management Program
    • Opt in & Opt Out forms should not be cumbersome

  • Data Governance

    • Data governance requires organizations to know what data they collect, where it’s stored, how it flows through their gaming apps, and how it’s used. 
    • User data collection should be limited to specified, explicit, and legitimate purposes
    • Conduct data protection impact assessments (DPIAs) at regular intervals to understand the underlying data risks.
    • Have an up-to-date Consent Management as regulations evolve across all jurisdictions
    • Remain current on third-party SDK privacy policies to ensure end-user consents are compliant

  • Parental consent for age-gated content. Where the player is a minor, the parent should be able to

    • control the child's content access,
    • review how the child's personal information will be shared,
    • get updates on payments,
    • control whether the child can chat with other online gamers,
    • receive a regular dashboard report of the child's online activities,
    • contact the help desk

  • Others

    • Conduct a comprehensive data inventory, classification, and mapping exercise
    • Privacy training should be a high priority for employees who handle consumer inquiries about the company's privacy practices, and for web designers, community managers, back-end developers and marketing staff
    • Enforce a strong password policy and offer multi-factor authentication (MFA)
    • Serve web apps and APIs over HTTPS (TLS) so that user data is encrypted in transit
    • Implement and adhere to a written data retention policy
    • Adopt a privacy-first mindset and realise it through Privacy-by-Design and Privacy-by-Default
    • Anonymise or pseudonymise personal data in gaming apps wherever possible, for example before it reaches analytics or third-party SDKs
    • Have a DP help desk to handle user privacy requests, backed by an incident-response process for breaches

  • DPO

    • Gaming organizations should consider investing in a full-time DPO.
    • The DPO should be skilled enough to safeguard the organization's privacy and data-protection interests in all aspects

  • Avoid targeted advertising and promotions based on gamers' personal information
  • Use appropriate tools for continuous monitoring for privacy breaches
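The pseudonymisation and data-minimisation items above are the only ones in this list that a developer implements directly, so here is an added example of what they look like in code. It is not code from the article or from any gaming company: it assumes a server-side secret (shown here as a fixed demo key that you would load from a secrets manager) and uses constructed sample player records. Each direct identifier is replaced by a keyed, purpose-bound HMAC pseudonym, the exact age is generalised into a band, and a pre-release check confirms that no direct identifier survives in the export.

```python
import hashlib
import hmac
from typing import Dict, List

# Assumption: in production this key lives in a secrets manager on the game
# backend and is never shipped to clients, SDKs or analytics partners.
DEMO_KEY = b"demo-only-key: load a random 32-byte secret from your vault"

# Constructed sample records, not real players.
SAMPLE_PLAYERS: List[Dict] = [
    {"email": "Alice@Example.com", "age": 14, "country": "IN", "city": "Chennai", "matches": 12},
    {"email": "bob@example.com", "age": 31, "country": "IN", "city": "Mumbai", "matches": 7},
]

# Fields that directly identify a person; they never leave the backend.
DIRECT_IDENTIFIERS = {"email", "city"}


def pseudonym(identifier: str, key: bytes, purpose: str) -> str:
    """Keyed, purpose-bound pseudonym for a direct identifier.

    HMAC-SHA256 rather than a bare SHA-256: a plain hash of an e-mail address
    is reversed by hashing a list of known addresses, whereas the HMAC cannot
    be computed without the key. Prefixing the purpose means the analytics
    pseudonym and the advertising pseudonym of one player do not match, so
    two recipients cannot join their data sets on it.
    """
    canonical = identifier.strip().lower()  # same person, same pseudonym
    message = purpose.encode() + b"\x00" + canonical.encode()
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def age_band(age: int) -> str:
    """Generalise an exact age into a coarse band (data minimisation)."""
    if age < 13:
        return "under-13"
    if age < 18:
        return "13-17"
    if age < 30:
        return "18-29"
    return "30+"


def pseudonymise(record: Dict, key: bytes, purpose: str) -> Dict:
    """Produce the record that may be sent to a third party for `purpose`."""
    out: Dict = {}
    for field, value in record.items():
        if field == "email":
            out["player_id"] = pseudonym(value, key, purpose)
        elif field == "age":
            out["age_band"] = age_band(value)
        elif field in DIRECT_IDENTIFIERS:
            continue  # dropped outright; the recipient has no need for it
        else:
            out[field] = value  # gameplay statistics stay usable
    return out


def export_for_purpose(records: List[Dict], key: bytes, purpose: str) -> List[Dict]:
    """Pseudonymise every record for one named recipient/purpose."""
    return [pseudonymise(r, key, purpose) for r in records]


def leaks_identifier(exported: List[Dict]) -> bool:
    """Pre-release check: does any exported record still carry a direct identifier?"""
    return any(field in r for r in exported for field in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    for purpose in ("analytics", "advertising"):
        for row in export_for_purpose(SAMPLE_PLAYERS, DEMO_KEY, purpose):
            print(purpose, row)
    analytics = export_for_purpose(SAMPLE_PLAYERS, DEMO_KEY, "analytics")
    print("identifier leak:", leaks_identifier(analytics))
```

Because the pseudonym depends on the key, destroying or rotating the key makes every previously exported pseudonym unlinkable to a person, which is a practical way to honour erasure requests across data already handed to partners; keeping one key per purpose (or per jurisdiction) limits how far that blast radius reaches.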

Scenarios under which user personal information may be shared with third parties. These should be covered in the privacy policy and in consent management:

  • For auditing purposes
  • For regulatory compliance
  • To resolve service issues faced by the user
  • For issues related to payment gateways
  • For research purposes
  • To law enforcement agencies
  • To advertisers
  • To marketers

By Sekaran Ramalingam.