Earlier today, I posted an article about what we here at Hypergrid Business are doing to comply with GDPR.
Fines are up to 20 million Euros or 4 percent of total annual global revenues — whichever is higher, and GDPR applies to every company that has European users or customers — no matter where it is located. So we’re paying attention.
Fortunately for us — unlike some of our larger competitors — compliance was pretty straightforward because we don’t do much collecting of data.
But how does GDPR affect those of our readers who have grids?
I’m not a lawyer — so, disclaimer alert! — please do not take the following as legal advice. However, I have been covering privacy issues as part of my day job at CSO magazine (most recent article is How privacy is moving data security to the top of corporate agendas) and I’ve been talking with a lot of legal and compliance experts about this.
Basically, a lot of the rules are common sense, and you should have been doing this all along anyway. The biggest differences are that your users have to opt into any marketing communications, and need to have a way to have their personal contact info deleted from your systems. None of this should be too difficult for a smaller company, especially if you use an outside service for most of these functions.
Here’s some general advice about complying with GDPR:
Only collect as much data as you need
If you want to send someone a package, you need their address. If you’re not sending them any packages, why are you asking for their address? Is it just to send them spam? Or do you have a legitimate reason? Take a good look at the services you provide and decide whether the information is really necessary.
For example, you need your visitors’ IP addresses so that you can send them content. And if they cause trouble, and you have to block them, you’ll need to save those IP addresses so that you can keep the bad guys out.
If you allow people to create accounts, you will need to ask for their email address so that you can send them password resets, or important notices about their accounts.
If avatars come to your grid, and cause trouble, you might want to save their avatar names so that you can keep them out in the future. If they sign up for in-world groups, you’ll need their avatar names in order to send them group messages.
You will need to tell your users what data you collect on them, why you collect it, how you use it, and why you need it in order to keep providing your service.
And your users should have the option of seeing what data you have on them, and you should allow them to delete it.
If you do collect data, put a support email address or contact form on your website so that your users know how to make such a request.
If you don’t really need the data, ask for permission before collecting it
If you want your users to subscribe to a mailing list, and that list isn’t critical to the service that you provide, then they have to voluntarily agree to it.
You can’t just have a “click here if you don’t want it” — that’s an opt-out button. You need one that says “click here if you want it.” They have to actively do something to get on your list.
So if you want to send messages to all your hypergrid visitors telling them about new sales or events on your grid, put up a sign in the welcome area and ask them to click on it to sign up. Don’t just sign them up automatically, then give them the option to cancel later.
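Here is what that opt-in rule looks like in code. This is an added illustration, not code from this article or from any grid software; the in-memory store and the names ConsentError, MailingList, enroll_from_sign_clicks and enroll_everyone are all made up for the example. The point it shows: a subscribe call that refuses to add anyone without an affirmative action, and records when and where that action happened, makes the “sign everyone up, let them cancel later” pattern impossible to write by accident.

```python
"""Opt-in mailing-list enrollment for a grid's welcome area.

Added illustration, not code from the article or from any grid software.
Assumptions: an in-memory subscriber store; all class and function names
here are invented for the example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone


class ConsentError(Exception):
    """Raised when someone would be added to a list without an affirmative action."""


@dataclass
class ConsentRecord:
    avatar: str
    source: str             # where the opt-in happened, e.g. "welcome-area sign"
    consented_at: datetime  # keep this: it is your evidence that consent was given


@dataclass
class MailingList:
    name: str
    subscribers: dict = field(default_factory=dict)

    def subscribe(self, avatar: str, *, clicked_opt_in: bool, source: str) -> ConsentRecord:
        # Opt-in means the user did something: clicked the sign, ticked an
        # unticked box. "Didn't click unsubscribe" is not consent.
        if not clicked_opt_in:
            raise ConsentError(f"{avatar} never opted in to {self.name}")
        record = ConsentRecord(avatar, source, datetime.now(timezone.utc))
        self.subscribers[avatar] = record
        return record

    def unsubscribe(self, avatar: str) -> bool:
        """Leaving must always work; returns True if the avatar was on the list."""
        return self.subscribers.pop(avatar, None) is not None

    def is_subscribed(self, avatar: str) -> bool:
        return avatar in self.subscribers


def enroll_from_sign_clicks(lst: MailingList, visitors: list, sign_clicks: set) -> list:
    """The opt-in pattern: only visitors who clicked the welcome-area sign join."""
    joined = []
    for avatar in visitors:
        if avatar in sign_clicks:
            lst.subscribe(avatar, clicked_opt_in=True, source="welcome-area sign")
            joined.append(avatar)
    return joined


def enroll_everyone(lst: MailingList, visitors: list) -> list:
    """The opt-out pattern the article warns against: sign everyone up and let
    them cancel later. Because subscribe() demands consent, nobody is added;
    the refused avatars are returned so you can see who would have been
    enrolled without ever agreeing."""
    refused = []
    for avatar in visitors:
        try:
            lst.subscribe(avatar, clicked_opt_in=False, source="auto-enroll")
        except ConsentError:
            refused.append(avatar)
    return refused


if __name__ == "__main__":
    events = MailingList("Grid events")
    visitors = ["Alice Resident", "Bob Resident", "Carol Resident"]  # constructed names
    print("joined via sign:", enroll_from_sign_clicks(events, visitors, {"Bob Resident"}))
    print("refused auto-enroll:", enroll_everyone(events, visitors))
```

The consent record is the part people forget: if a user later asks why they are receiving your newsletter, the source and timestamp are what you show them.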
Don’t blackmail your users
Say you’re providing an important service to your users, like allowing them to attend music events in a virtual environment. They enjoy that, and want to continue doing it. Don’t force them to accept your stupid mailing list in order to continue being able to log into your grid.
That’s just evil.
If you’re about to send out an email telling your residents that they have to agree to all sorts of privacy invasions in order to continue using your grid — stop that right now.
Instead, send out two separate emails.
The first, telling them about the data that you have to collect in order to provide the service they want.
Then, send them a second email with all the voluntary stuff they can get, like newsletters and marketing announcements, and get their permission to send that stuff to them.
The same applies to content, too, by the way. For example, in order for them to wear the new dress they created and uploaded to the grid, you have to be able to display that dress, on their avatar, to other users. Otherwise, nobody will be able to see it, and it totally kills the point of uploading content to the grid. If they want to sell the dress on your marketplace, you have to be able to post the picture of the dress so that people can buy it. If you want to promote their content or destinations or events in your social media feeds, you will need to be able to use their content. What’s the point of having an event on your grid, if nobody can find out about it? But if you use their pictures in a different, unrelated context — say, in an advertisement for your land rentals — you should get permission first.
Look at the data you already have, and decide whether you need it
You might need to keep some historic data in order to ensure performance of your grid in the future. Do you really need personally identifiable information there? If you do need to keep that information, do your users have a way to find out that you’re keeping it, what exactly you’re keeping, and whether they can delete it?
If you’re a small grid, you’ll probably be able to take care of it manually.
If user John Smith wants to know what you have about them, you should be able to search your database and see what you’ve got.
If you’re using an outside provider, like a grid hosting service, check with them to make sure they can do this for you.
If there’s a flood of requests, and the requests just keep growing, you or your service provider might want to create an automated self-serve process for doing this.
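Here is the manual “search your database and see what you’ve got” step, and the matching deletion, written as a small self-serve routine. This is an added example, not the article’s or any grid software’s code: the schema, table names, user ids and rows are all constructed for the illustration, and a real grid database has different tables, so the PERSONAL_DATA_TABLES map is the thing you would adapt. It also shows one nuance from earlier in the article: the blocklist of troublemaking avatar names is left out of the erasure, because keeping bad actors out is a reason to retain that name, and that reason should be written down rather than silently applied.

```python
"""Subject-access export and erasure for a small grid database.

Added example, not the article's or any grid software's code. The schema,
table names, user ids and rows are constructed for this illustration.
"""
import sqlite3

SCHEMA = """
CREATE TABLE UserAccounts (user_id TEXT PRIMARY KEY, avatar_name TEXT, email TEXT);
CREATE TABLE LoginLog     (id INTEGER PRIMARY KEY, user_id TEXT, ip TEXT, logged_at TEXT);
CREATE TABLE GroupMembers (group_name TEXT, user_id TEXT);
CREATE TABLE Blocklist    (avatar_name TEXT, reason TEXT);
"""

# Every table that holds personal data, with the column tying a row to a user.
# Blocklist is deliberately absent: keeping a troublemaker's avatar name so you
# can keep them out is a documented retention reason, not something a deletion
# request should silently wipe.
PERSONAL_DATA_TABLES = {
    "UserAccounts": "user_id",
    "LoginLog": "user_id",
    "GroupMembers": "user_id",
}


def open_sample_db() -> sqlite3.Connection:
    """In-memory database seeded with constructed rows for two users."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO UserAccounts VALUES (?, ?, ?)", [
        ("u-1001", "John Smith", "john@example.com"),   # constructed
        ("u-1002", "Jane Doe", "jane@example.com"),     # constructed
    ])
    con.executemany("INSERT INTO LoginLog (user_id, ip, logged_at) VALUES (?, ?, ?)", [
        ("u-1001", "203.0.113.5", "2018-05-20T10:15:00Z"),
        ("u-1001", "203.0.113.9", "2018-05-22T19:02:00Z"),
        ("u-1002", "198.51.100.7", "2018-05-21T08:40:00Z"),
    ])
    con.execute("INSERT INTO GroupMembers VALUES (?, ?)", ("Music Nights", "u-1001"))
    con.execute("INSERT INTO Blocklist VALUES (?, ?)", ("John Smith", "griefing, banned 2018-05-23"))
    con.commit()
    return con


def export_user_data(con: sqlite3.Connection, user_id: str) -> dict:
    """Everything held about one user, table by table, ready to hand over."""
    report = {}
    for table, col in PERSONAL_DATA_TABLES.items():
        # Table and column names come from the fixed map above, never from the
        # request itself; the user id is bound as a query parameter.
        cur = con.execute(f"SELECT * FROM {table} WHERE {col} = ?", (user_id,))
        names = [d[0] for d in cur.description]
        report[table] = [dict(zip(names, row)) for row in cur.fetchall()]
    return report


def erase_user_data(con: sqlite3.Connection, user_id: str) -> dict:
    """Delete the user's rows from every personal-data table in one transaction.
    Returns how many rows each table lost, which is what you log for the request."""
    deleted = {}
    with con:  # commits on success, rolls back if any statement fails
        for table, col in PERSONAL_DATA_TABLES.items():
            cur = con.execute(f"DELETE FROM {table} WHERE {col} = ?", (user_id,))
            deleted[table] = cur.rowcount
    return deleted


def blocklist_entries(con: sqlite3.Connection) -> list:
    """The one table a deletion request leaves alone."""
    return [row[0] for row in con.execute("SELECT avatar_name FROM Blocklist")]


if __name__ == "__main__":
    con = open_sample_db()
    print("before:", export_user_data(con, "u-1001"))
    print("deleted:", erase_user_data(con, "u-1001"))
    print("after:", export_user_data(con, "u-1001"), "blocklist:", blocklist_entries(con))
```

Run the export first and hand the user the result; run the erasure only once you have confirmed the request came from the account holder, since an attacker who can trigger deletions on other people’s accounts has found a denial-of-service tool.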
Do you have to block all Europeans from your grid?
I’m going to go out on a limb here — and again, this is not legal advice! — but you probably don’t have to worry about it. As long as you’re getting user permission before doing unnecessary stuff with their information like selling it to a spam outfit, or subscribing them to email newsletters, you should be okay.
You might want to put up a notice on your website about what information your grid collects, and also post a copy of the notice somewhere in your landing area, or do a pop-up instant message for visitors.
But I don’t think you need to just lock Europeans out.
Instead, I believe a better approach is to treat everyone as if they were European. The new regulations are pretty common sense, and you should be complying with them anyway.
Will you get sued?
If you do something really bad that hurts people, then sure. If you collect credit card information, then leave it out there, unencrypted, for any hacker to see, that’s a bad thing. But that’s always been true. Now the penalties are just bigger.
Will the regulators go after you if you violate some minor provision of the law?
Probably not. What I’m hearing from experts is that we’re likely to see a few big test cases first, against the biggest offenders, and that will help clarify the details about how the law will be enforced.
Also, more and more service providers — like Google, and Disqus, and all the cloud hosting companies, and the grid hosting companies — will be improving their processes to make everything easier and more automated.
What about payments?
This is a big one. If your grid sells virtual currency, or sells land, you need to collect payment information from users.
My advice — again, not legal advice — is to use an outside service provider for as much of it as you can.
For example, use PayPal for your land sales, and use Gloebit for your in-world payments. And let those guys deal with protecting bank account information and credit card data and everything else that goes into keeping payments secure.
If you need to keep any of this information for your records, let the users know how and why. For example, you will want to have payment confirmations for your records in case there’s a dispute, or for your tax accounting. But don’t use this information for unapproved purposes, like spam campaigns. Keep the payment information isolated, away from your marketing, and locked down with extra security.
What if it’s a hobby grid?
If you have a hobby grid, and don’t save any historical information on your users, and have an external system like Gloebit to handle your payments, and all your users come in via the hypergrid so you don’t have user account information, then you’re probably not going to have any compliance issues.
Just wipe your logs on a regular basis, so you don’t have old information about, say, access history, lying around. And if you have a mailing list, or in-world group, make sure that your users are signing up for it voluntarily and can leave at any time.
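One way to make that log wiping routine rather than something you remember to do. This is an added example, not from the article: the log line format, the retention periods and the sample lines are constructed, and you would adjust the timestamp parsing to whatever your simulator or web server actually writes. The design choice it shows is a written-down retention period per kind of log, so that short-lived access history is dropped on schedule while payment confirmations, which the article says you may need for disputes or tax records, are kept longer.

```python
"""Retention-based log purge for a hobby grid.

Added example, not from the article. Line format, retention periods and
sample lines are constructed for the illustration.
"""
from datetime import datetime, timedelta, timezone

# How long each kind of log may hold personal data (IP addresses, avatar names).
# The day counts are made-up policy values; choose your own and document them.
RETENTION_DAYS = {
    "access": 7,     # who logged in from where: only needed for troubleshooting
    "payment": 365,  # payment confirmations kept for disputes and tax accounting
}

TIMESTAMP_FMT = "%Y-%m-%dT%H:%M:%SZ"


def entry_time(line: str) -> datetime:
    """Each constructed line starts with an ISO-8601 UTC timestamp."""
    stamp = line.split(" ", 1)[0]
    return datetime.strptime(stamp, TIMESTAMP_FMT).replace(tzinfo=timezone.utc)


def purge_expired(lines: list, kind: str, now: datetime) -> tuple:
    """Split log lines into (kept, dropped) according to the retention policy.
    Unknown log kinds raise KeyError on purpose: a log with no written-down
    retention period is exactly the kind of data you should not be holding."""
    cutoff = now - timedelta(days=RETENTION_DAYS[kind])
    kept, dropped = [], []
    for line in lines:
        (kept if entry_time(line) >= cutoff else dropped).append(line)
    return kept, dropped


# Constructed sample access log: timestamp, IP address, event, avatar name.
ACCESS_LOG = [
    "2018-05-01T09:00:00Z 203.0.113.5 login Alice Resident",
    "2018-05-20T10:15:00Z 203.0.113.9 login Bob Resident",
    "2018-05-24T19:02:00Z 198.51.100.7 hg-teleport Carol Resident",
]

if __name__ == "__main__":
    now = datetime(2018, 5, 25, tzinfo=timezone.utc)
    kept, dropped = purge_expired(ACCESS_LOG, "access", now)
    print("kept:", kept)
    print("dropped:", dropped)
```

Wire purge_expired into whatever already runs nightly on the box (cron, a scheduled task), write the kept lines back over the log file, and the access history never grows older than your policy says it may.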
David Kariuki is currently working on an article about how grids are complying with GDPR. If you would like to comment for that story, or suggest questions for him to ask, or tell him what your grid or hosting company or service provider is doing, please email him at [email protected].