If you're not paying for the product, you are the product

How a new business model collides with current regulations

27 April 2017

Free online games have popularised a business model based upon the exploitation of personal data, but as publishers handle more and more complex data, they should be aware of the numerous legal obligations and severe penalties they face in case of a breach.

Personal data gold rush... 

Personal data fuel the entire online industry and video games are no exception. App developers have created digital environments designed to gather as much user information as possible in order to encourage users to spend money in-game. The breakout in late 2016 of the free game Pokemon Go is yet another example of how personal data are capitalised.

Data gathering is no new habit for game publishers, which routinely process the players' name, age or gender. However, with the evolution of technology, more comprehensive sets of information are collected, including locations, patience, risk-taking habits and discouragement in the face of challenges. These data allow companies to paint a more detailed picture of the users for their traditional business partners such as data brokers and targeted advertising companies. They also provide grounds for publishers to implement in-game payment incentives.

Sometimes referred to as "free to play, pay to win" or "freemium", some online games, especially on mobile devices, are designed to create play sessions using traits of gambling. These games are free and easy to dive into thanks to low learning curves, and their first minutes of gameplay usually consist of showing the player what is theoretically achievable. Hooked, players start their own campaign only to realise that in order to achieve what has been shown, one would have to play for a very long time. Mobile games and social media games create frustration by adding timers to every action. These timers become increasingly long, preventing players from performing simple in-game tasks for hours, sometimes for days. The frustration is balanced with rewards and achievements that can be shared. As pointed out by the French data protection authority (the CNIL), "free use is a chimera" and thus, there is an easy way to circumvent the timer system: pay for it. Based upon the system of casino chips, the majority of these games use specific currencies that have to be purchased in order to acquire perks, either ornamental or essential. However, games using augmented reality like Pokemon Go have now introduced new ways of making money off free apps, notably through a marketing technique known as "neuromarketing" that deeply targets individuals and guides them to business partners in the real world.

...more and more monitored through data protection  

In the EU, publishers – as long as they process personal data of players – are subject to strict requirements, including information of individuals, data security, and breach notifications (once the General Data Protection Regulation (Regulation 2016-679 or GDPR) is in place). The EU framework is essentially based upon Regulation 2016-679 (the GDPR), which has replaced Directive 95/46 and will enter into force in May 2018, and Directive 2002/58 (the E-Privacy Directive). Under Regulation 2016-679, data controllers (e.g. publishers) are subject to new sanctions (up to €20 million or 4% of the worldwide annual turnover of the relevant entity) and individuals are granted new rights (e.g. the right to object to profiling, which constitutes a serious threat to freemium). Freemium publishers must also be aware of the specific requirements applicable to the new sets of data they process, especially security and retention times regarding sensitive individual habits or bank data. Regarding the new marketing techniques introduced by games based on augmented reality, publishers must follow the general ban on unsolicited advertising by means of electronic communications (email or SMS) provided by the E-Privacy Directive.

Moreover, as the GDPR sets out an extraterritorial scope and applies to non-EU data controllers as long as they provide goods and services to EU citizens or monitor their behaviour in the EU, non-EU game publishers may be caught by the GDPR. 

In a constantly evolving digital marketing environment, data protection will have to keep pace in order to mitigate abuses of personal data processing.