Search Unity

  1. Full schedule for #UniteBerlin is now available! Featuring talks on our roadmap, hands-on labs and much more! Check it out!
    Dismiss Notice
  2. Unity 2018.1 has arrived! Read about it here
    Dismiss Notice
  3. Scriptable Render Pipeline improvements, Texture Mipmap Streaming, and more! Check out what we have in store for you in the 2018.2 Beta.
    Dismiss Notice
  4. ARCore is out of developer preview! Read about it here.
    Dismiss Notice
  5. Magic Leap’s Lumin SDK Technical Preview for Unity lets you get started creating content for Magic Leap One™. Find more information on our blog!
    Dismiss Notice
  6. Want to see the most recent patch releases? Take a peek at the patch release page.
    Dismiss Notice

If you live inside EU: Still have own homepage and online features in the game? Or removing those?

Discussion in 'General Discussion' started by Firlefanz73, May 16, 2018.

?

Does a free time / hobby game developer need his own homepage / board / self hosted leaderboards?

  1. Yes

    0 vote(s)
    0.0%
  2. No

    4 vote(s)
    57.1%
  3. Maybe (please don't chose this one)

    3 vote(s)
    42.9%
  1. Firlefanz73

    Firlefanz73

    Joined:
    Apr 2, 2015
    Posts:
    696
    Hello,

    I live in Germany.

    From the 25th May we have new laws for protection of privacy in homepages and online features in games etc.

    I am thinking about deleting my two Homepages because of being afraid I missed something in privacy protection and some evil (yes evil) lawyer tries to sue me (excuse my english) threatens me to bring me to court...

    How do you other game developers handle this? I refreshes my privaty Statements but I am not sure if it fits.

    If I am a Hobby game developer, is it useful to have my own Homepage at all? In my Forum / board nobody writes down something. And my online highscores are a nice Feature, but I guess they are not so important and might be changed to a steam or Facebook leaderboard...

    How do you handle this? Do you think a small free time game developer does Need it's own Homepage and board and self hosted hiscores / leaderboards?

    Thanks for you opinion or ideas on this. :)
     
  2. AndersMalmgren

    AndersMalmgren

    Joined:
    Aug 31, 2014
    Posts:
    1,840
    You mean GDPR? You store user info on your homepage servers? If not your fine. We use Steam features only, and Valve have made sure they comply with GDPR
     
    Kiwasi and Firlefanz73 like this.
  3. Firlefanz73

    Firlefanz73

    Joined:
    Apr 2, 2015
    Posts:
    696
    Yes, I meant exactly that. I have a Website with forum / board and an online hiscore list / leaderboard.
    Because of the new laws I am not sure if I really need them enough to keep them.
     
  4. Ostwind

    Ostwind

    Joined:
    Mar 22, 2011
    Posts:
    2,617
    You don't even have to live in the EU to be affected as all it needs is to your players to be from the EU. American, Aussie etc. developers must also comply :p

    If you only store "player" names and scores you don't really have to do anything. If you have emails, real names and such stored its a different thing.

    BTW I don't think Valve has yet fully implemented all the stuff required by the GDPR. As a user I have not seen such announcement by email nor the user interfaces have all the required features(?)
     
    Kiwasi likes this.
  5. AndersMalmgren

    AndersMalmgren

    Joined:
    Aug 31, 2014
    Posts:
    1,840
    It's hard knowing whats OK and whats not, maybe pay a few hours for a lawyer to look at it?
     
  6. AndersMalmgren

    AndersMalmgren

    Joined:
    Aug 31, 2014
    Posts:
    1,840
    But all the info is stored on their servers, so it cant hit you directly. Which is nice
     
    Kiwasi likes this.
  7. Ostwind

    Ostwind

    Joined:
    Mar 22, 2011
    Posts:
    2,617
    Yep :)
     
  8. Firlefanz73

    Firlefanz73

    Joined:
    Apr 2, 2015
    Posts:
    696
    Yes that's right. I did some changes but I am a bit unsure if it fits perfectly. And since I don't earn Money (or at least not at the Moment, and only very few Money if a game is new) I do not want to spent Money on lawyers. And I am unsure if I want to put more Money into my Websites, which don't seem to be much visited at all.

    Maybe a mixture of IMDB, Facebook or Steam and YouTube is already enough and as good as having own Domains that nobody visits.
     
    Martin_H likes this.
  9. AndersMalmgren

    AndersMalmgren

    Joined:
    Aug 31, 2014
    Posts:
    1,840
    Yeah, we have a very basic page that just points to the difference services like steam, youtube etc
     
  10. zombiegorilla

    zombiegorilla

    Moderator

    Joined:
    May 8, 2012
    Posts:
    6,887
    GDPR.... grrrr.
     
    Kiwasi, Ryiah, Socrates and 1 other person like this.
  11. Firlefanz73

    Firlefanz73

    Joined:
    Apr 2, 2015
    Posts:
    696
    Like. grrrrr.
     
  12. Joe-Censored

    Joe-Censored

    Joined:
    Mar 26, 2013
    Posts:
    2,282
    I've read the GDPR, and I don't see anything that impacts non-EU organizations other than articles 44-50. Articles 44-50 apply to data transfers from EU country organizations to non-EU country organizations, not the direct collection of data by non-EU country organizations of EU residents.

    If I'm a non-EU organization, and I don't accept transfers of personal data from EU based organizations, I'm fairly certain that the GDPR can be safely ignored. If I'm wrong, please point to the specific text that applies.

    Text of GDPR:
    https://gdpr-info.eu/

    (I am not a lawyer)
     
    Last edited: May 16, 2018
  13. Ostwind

    Ostwind

    Joined:
    Mar 22, 2011
    Posts:
    2,617
    https://gdpr-info.eu/art-3-gdpr/
     
  14. Joe-Censored

    Joe-Censored

    Joined:
    Mar 26, 2013
    Posts:
    2,282
    Looks like you have to put in more effort than just having EU customers though. You have to do something to show you are targeting the EU for the regulation to apply.

    https://gdpr-info.eu/recitals/no-23/
     
    Last edited: May 16, 2018
  15. Martin_H

    Martin_H

    Joined:
    Jul 11, 2015
    Posts:
    3,518
    In other words "Is having that site worth a couple hundred bucks? If not, then take it down." ?

    I tend to agree, but keep in mind that as soon as you release a domain, chances are a domain squatter will scoop it up and put some bullshit ad-page on it or something like that. A friend of mine once had to buy a domain off such a domain squatter that had registered it shortly after he made a whois query to see if his domain with another extension was still free. They somehow had access to that info, bought the domain before he could, and then offered to sell it to him.



    Does anyone know what freelancers need to do with the info they have stored from their clients? Like their email addresses and postal addresses? Is this data irrelevant if it's all publicly available on the websites of those clients anyway?
     
  16. AndersMalmgren

    AndersMalmgren

    Joined:
    Aug 31, 2014
    Posts:
    1,840
    Yeah if you cant spend that money then maybe it's better to use the as is services?
     
    Martin_H likes this.
  17. christoph_r

    christoph_r

    Joined:
    May 20, 2013
    Posts:
    339
    If you don't save any (personally identifiable!) data about yours users, where's the privacy concern? The only critical part is likely the forum, so if that is not in use anyway, why not just get rid of it.
     
  18. Nlim

    Nlim

    Joined:
    Apr 23, 2018
    Posts:
    11
    Not a lawyer but as far as I understood it, it basicly boils down to the following.

    1.) You are not allowed to share the data without permission. I would guess that if it is publicly made available by the client that it is basicly counts as a permission or at the least you should be able to share the public source.

    2.) On request by the client you have to send him a copy of all the personal data you have stored on him or her which could include Bills and E-Mails. (On a side note I have no clue how system backups are factored into this since checking months or years of backups for potentially deleted data sounds like a nightmare even with an automated system)

    3.) On request you have to delete all the personal data stored from your client but only if it isn´t needed anymore for the business transaction or for other regulations like with book keeping. (Again no clue about the situation with backups)

    4.) You have to make your client aware of what kind of data you store BUT I would guess the kind of data a typical freelancer stores for business transactions doesn´t need special mention since it is needed for billing.

    Again though this is no legal advice - this are just a couple of things I gathered in passing at work about what others mentioned on the topic.
     
    Firlefanz73 and Martin_H like this.
  19. moonjump

    moonjump

    Joined:
    Apr 15, 2010
    Posts:
    2,172
    Apparently every bit of compliance includes backups according to a GDPR specialist who gave a talk at a tech group I attend. There are multiple nightmares.

    I’ve also read that the even stricter GDPR-K applies if your customer base includes kids (not targeted at, just includes), unless you age verify those you want to keep any identifiable data on.
     
    Nlim and Martin_H like this.
  20. Firlefanz73

    Firlefanz73

    Joined:
    Apr 2, 2015
    Posts:
    696
    And in Germany there are many lawyers which make their Money / income just from finding copy-right violations and next will be GDPR violations.

    Then you have to pay them a fee (in my opinion it is blackmail) or they drag you to a court.
    A friend of mine had to pay 3000 Euro just because of one photo on his website.

    And that was before GDPR now it will get a lot worse I bet.
     
  21. christoph_r

    christoph_r

    Joined:
    May 20, 2013
    Posts:
    339
    Based on whose rights would they be suing? Create some sort of "fake clients" that sign up at small websites to test if they comply?
     
  22. Martin_H

    Martin_H

    Joined:
    Jul 11, 2015
    Posts:
    3,518
    Let's just say the German legal system is easy to exploit for financial gain in certain areas of "rule compliance", to the point where some can make a living from doing nothing else, and it's not even illegal. "Sueing" is the wrong word I think, cease-and-desist comes closer, but I can't explain you details either. If you want to read German sources on it, google for "Abmahnung".
     
  23. FMark92

    FMark92

    Joined:
    May 18, 2017
    Posts:
    898
    Usually by living in a free-er country. Other than that it becomes the API's problem. As long as you are not the company that collects personal info, there's no problem. (e.g. SteamAPI)
     
  24. christoph_r

    christoph_r

    Joined:
    May 20, 2013
    Posts:
    339
    I'm well aware of "Abmahnungen". To further explain what I wrote above: In order to be profitable for legal companies, they need to claim a damage (usually for a client they represent, like intellectual property owners such as film companies), based on which they usually ask for a certain (... ambitious) amount of money as a form of out of court settlement. Depending on the contract they have with their client, they may get a share of the settlement or ask for a fee based on the work involved per case etc. Note how this is not a case of lacking compliance with regulations, but rather where (copy) rights of an entity have been violated. So there is someone with a genuine interest to pursue this claim/case, not just for compensatory payment but also to get a grip on piracy.
    Violating regulations (as would be the case here) commonly results in a fee, so what would be the motivation for legal companies to pick this up? The only scenario I could imagine is that legal companies acquire "clients", which would then claim damages in the form of privacy violations (based on the new regulations). That, or a company tries to play dirty and hires a lawyer to bring the violation of a rival to the attention of jurisdiction.
     
  25. Martin_H

    Martin_H

    Joined:
    Jul 11, 2015
    Posts:
    3,518
    You seem to know more about this than I do, I can't contribute anything further.
     
    Nlim likes this.
  26. Ryiah

    Ryiah

    Joined:
    Oct 11, 2012
    Posts:
    11,388
    I chose "maybe" because an official website is important but an official forum is not due to the popularity of social media like Reddit and how Steam hosts forums for a game. Leader boards have never been necessary but some people love to see their scores compared to others and this can be important depending on your audience.
     
    Firlefanz73 likes this.
  27. Firlefanz73

    Firlefanz73

    Joined:
    Apr 2, 2015
    Posts:
    696
    Thanks you all for your thoughts about this!
     
  28. snacktime

    snacktime

    Joined:
    Apr 15, 2013
    Posts:
    1,381
    The EU can only enforce laws on companies that have a presence in the EU. but indirect pressure will make a lot of companies comply. It does take some brass balls to write a law claiming global jurisdiction over people that are not even citizens. Not really a fan of that kind of overreach regardless of the goal. I would be tempted to mock it in some way. Like putting it right in our TOS that asking to be forgotten will be taken as please delete my account. Not that we would actually do that (the account deletion).
     
  29. zombiegorilla

    zombiegorilla

    Moderator

    Joined:
    May 8, 2012
    Posts:
    6,887
    If your accounts have identifying information, they would need to be deleted, or anonymized (which render them permanently useless to player).
     
    christoph_r and Ryiah like this.
  30. Kiwasi

    Kiwasi

    Joined:
    Dec 5, 2013
    Posts:
    14,994
    Check the definition of personally identifiable. It normally includes any sort of unique device ID or personal login, which is a requirement if you want to implement any sort of useful leader board, social features, or online saving.
     
    christoph_r and Ryiah like this.
  31. Ryiah

    Ryiah

    Joined:
    Oct 11, 2012
    Posts:
    11,388
    This. Between their definition and their examples it's very clear that personal data is anything that could be used to identify someone. Just as an example when you log onto these forums the forum system creates a cookie in the browser with a unique identifier to keep you logged on. That unique identifier is personal data.

    https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en
     
    christoph_r and Kiwasi like this.
  32. Firlefanz73

    Firlefanz73

    Joined:
    Apr 2, 2015
    Posts:
    696
    I deleted my forum/board yesterday. I dismissed my provider yesterday and will delete my website very soon.

    I am a bit sad since we also had many screensots and media of our older games which I found interesting and I could Show to friends etc easily but it is too less Advantage for too much risk and work from now on.

    I will find new places to be a home of my hobby-developed games ;-)
     
  33. Martin_H

    Martin_H

    Joined:
    Jul 11, 2015
    Posts:
    3,518
    So, if I have only websites that don't use cookies, don't have any logins or contact forms, and don't run any analytics or javascript, then I should be fine, right?
     
    Kiwasi and christoph_r like this.
  34. Kiwasi

    Kiwasi

    Joined:
    Dec 5, 2013
    Posts:
    14,994
    Yup.

    Analytics is also fine if you have someone who is compliant provide it for you.
     
    Martin_H and christoph_r like this.
  35. christoph_r

    christoph_r

    Joined:
    May 20, 2013
    Posts:
    339
    @Kiwasi & @Ryiah Good point. I was mainly considering the question in the thread title. In that case, the forums and leaderboard would need to go if you want to be really safe. So, to expand my statement: "If you know what qualifies as identifiable data and you don't collect any, where's the privacy concern?" Based on that, I suppose deleting your website is a bit extreme.
    While I'd hate to be proven wrong, I really don't see a hobby game dev being hit by this, even if you do have forums. Unless some EU agency sets up web crawlers to identify potential violators. But I suppose that'd be too efficient/high tech for EU standards :rolleyes:

    On a slightly off-topic note: As annoying as it may be, I think being strict as to what is considered identifiable makes sense here. If they're ambiguous, enforcing such regulations probably becomes a major headache. A leaderboard is a clear case where the collected data is harmless and the necessity for some sort of privacy policy agreement is inconvenient at best and confusing at worst. However, if you look at which devices have a lot of entries on the board, you may conclude that they like mobile games and try and sell this information to someone looking to target mobile game ads, for example.
    Communicating clearly to users what data is being collected and how it is saved, processed and possibly sold lets people individually decide what's still harmless and (probably more importantly) acceptable for them.

    EDIT:

    As you said, it's only really enforceable on companies that have EU customers. If you want to participate in a market, you have to comply with the standards and regulations set up by the governing entities of that market. That's general practice. It's just that this particular market has not really been regulated much before, so I suppose any sort of effective regulation seem a bit like overreach.
     
    Last edited: May 18, 2018
    Nlim, moonjump and Martin_H like this.
  36. Ryiah

    Ryiah

    Joined:
    Oct 11, 2012
    Posts:
    11,388
    Removing everything is definitely one approach but it's a very easy way to lose your audience. If you're an indie developer trying to make a living this approach would be an excellent way to destroy your livelyhood. You don't need to go that far. You simply need to provide a way for someone to have their data removed from the system.

    I fully expect all actively developed forum packages to have a solution available by the time this goes live.
     
    Last edited: May 18, 2018
    christoph_r and Kiwasi like this.
  37. christoph_r

    christoph_r

    Joined:
    May 20, 2013
    Posts:
    339
    Right. Allow me to rephrase: "If you don't feel like looking into it any further, that would be the easiest option in order to be safe." And yes, good point about forum packages likely getting updates to deal with the regulations.
     
    Martin_H likes this.
  38. Firlefanz73

    Firlefanz73

    Joined:
    Apr 2, 2015
    Posts:
    696
    Goes live in 7 days.
     
  39. Ryiah

    Ryiah

    Joined:
    Oct 11, 2012
    Posts:
    11,388
    Yes, but there is at least one major downside to this approach and I've edited my previous response to mention that.
     
    christoph_r likes this.
  40. Ryiah

    Ryiah

    Joined:
    Oct 11, 2012
    Posts:
    11,388
    Commercial forum software (at least the few that I can remember off the top of my head) is getting compliance about as fast as I was expecting but I haven't dug too deeply into it. XenForo is the forum software powering this community and it appears to be the most compliant right now.

    XenForo:
    https://xenforo.com/community/threads/upcoming-changes-for-gdpr-compliance-in-xf1-and-xf2.146888/

    Invision Power Board (IBP):
    https://invisioncommunity.com/news/product-updates/gdpr-updates-for-invision-community-433-r1087/
    https://invisioncommunity.com/news/...ys-tools-can-help-with-gdpr-compliance-r1052/

    Open source forum software appears to have no support for compliance out of the box and the expectation appears to be that you have to do it manually through SQL commands or download a third party extension. Currently the only one with an extension is Simple Machines.

    SMF:
    https://www.smfhacks.com/index.php?action=downloads;sa=view;down=207

    Finally special mention for the community software that no one in this community likes.

    Lithium:
    https://community.lithium.com/t5/Policies-and-Guidelines/GDPR-Compliance/ta-p/300485
    https://community.lithium.com/t5/Po...a-Destruction-Policy-for-Customer/ta-p/455185
    https://community.lithium.com/t5/Li...GDPR-impact-your-online-community/ba-p/475421
     
    Last edited: May 18, 2018
  41. zombiegorilla

    zombiegorilla

    Moderator

    Joined:
    May 8, 2012
    Posts:
    6,887
    I’m not sure why you would need to delete everything, you just need to be able delete users data if they request. Deleting everything seems a little extreme.
     
    Ryiah and Kiwasi like this.
  42. tsibiski

    tsibiski

    Joined:
    Jul 11, 2016
    Posts:
    124
    You could simply block your web servers to people viewing from the affected regions. And if someone is using a VPN to spoof their ip - I am not 100% certain, but from what I have learned, that would preclude one from the liabilities involved. Although I am not a lawyer and cannot assert that, but it is worth getting that confirmation from someone in the know, or your lawyer.

    Either way, Zombiegorilla is right, that seems a little extreme. And you can go a little further to add validation to users creating accounts that asserts that they should give their country of origin, and be honest. And if they lie about not being in an EU country, the liability is on them if you do not follow these data deletion requirements. Although, again, confirm that with a lawyer.
     
  43. Firlefanz73

    Firlefanz73

    Joined:
    Apr 2, 2015
    Posts:
    696
    No thanks. I am not earning Money (with my Hobby made games) and the last thing I want to do is pay a lawyer :)
    Since nearly nobody visits my homepage it is no big Problem to delete it. I already deleted the forums.
     
    Last edited: May 18, 2018