
If you live inside EU: Still have own homepage and online features in the game? Or removing those?

Discussion in 'General Discussion' started by Firlefanz73, May 16, 2018.


Does a free time / hobby game developer need his own homepage / board / self hosted leaderboards?

  1. Yes

    0 vote(s)
    0.0%
  2. No

    4 vote(s)
    50.0%
  3. Maybe (please don't choose this one)

    4 vote(s)
    50.0%
  1. Firlefanz73

    Firlefanz73

    Joined:
    Apr 2, 2015
    Posts:
    1,316
    Hello,

    I live in Germany.

    From the 25th May we have new laws for protection of privacy in homepages and online features in games etc.

    I am thinking about deleting my two homepages because of being afraid I missed something in privacy protection and some evil (yes evil) lawyer tries to sue me (excuse my English) threatens me to bring me to court...

    How do you other game developers handle this? I refreshed my privacy statements but I am not sure if it fits.

    If I am a hobby game developer, is it useful to have my own homepage at all? In my forum / board nobody writes down something. And my online highscores are a nice feature, but I guess they are not so important and might be changed to a Steam or Facebook leaderboard...

    How do you handle this? Do you think a small free time game developer does need its own homepage and board and self hosted hiscores / leaderboards?

    Thanks for your opinion or ideas on this. :)
     
  2. AndersMalmgren

    AndersMalmgren

    Joined:
    Aug 31, 2014
    Posts:
    5,358
    You mean GDPR? You store user info on your homepage servers? If not you're fine. We use Steam features only, and Valve have made sure they comply with GDPR
     
    Kiwasi and Firlefanz73 like this.
  3. Firlefanz73

    Firlefanz73

    Joined:
    Apr 2, 2015
    Posts:
    1,316
    Yes, I meant exactly that. I have a website with forum / board and an online hiscore list / leaderboard.
    Because of the new laws I am not sure if I really need them enough to keep them.
     
  4. Ostwind

    Ostwind

    Joined:
    Mar 22, 2011
    Posts:
    2,804
    You don't even have to live in the EU to be affected as all it needs is for your players to be from the EU. American, Aussie etc. developers must also comply :p

    If you only store "player" names and scores you don't really have to do anything. If you have emails, real names and such stored it's a different thing.

    BTW I don't think Valve has yet fully implemented all the stuff required by the GDPR. As a user I have not seen such announcement by email nor the user interfaces have all the required features(?)
     
    Kiwasi likes this.
  5. AndersMalmgren

    AndersMalmgren

    Joined:
    Aug 31, 2014
    Posts:
    5,358
    It's hard knowing what's OK and what's not, maybe pay a few hours for a lawyer to look at it?
     
  6. AndersMalmgren

    AndersMalmgren

    Joined:
    Aug 31, 2014
    Posts:
    5,358
    But all the info is stored on their servers, so it can't hit you directly. Which is nice
     
    Kiwasi likes this.
  7. Ostwind

    Ostwind

    Joined:
    Mar 22, 2011
    Posts:
    2,804
    Yep :)
     
  8. Firlefanz73

    Firlefanz73

    Joined:
    Apr 2, 2015
    Posts:
    1,316
    Yes that's right. I did some changes but I am a bit unsure if it fits perfectly. And since I don't earn money (or at least not at the moment, and only very little money if a game is new) I do not want to spend money on lawyers. And I am unsure if I want to put more money into my websites, which don't seem to be much visited at all.

    Maybe a mixture of IMDB, Facebook or Steam and YouTube is already enough and as good as having own domains that nobody visits.
     
    Martin_H likes this.
  9. AndersMalmgren

    AndersMalmgren

    Joined:
    Aug 31, 2014
    Posts:
    5,358
    Yeah, we have a very basic page that just points to the different services like Steam, YouTube etc
     
  10. zombiegorilla

    zombiegorilla

    Moderator

    Joined:
    May 8, 2012
    Posts:
    9,051
    GDPR.... grrrr.
     
    Kiwasi, Ryiah, Socrates and 1 other person like this.
  11. Firlefanz73

    Firlefanz73

    Joined:
    Apr 2, 2015
    Posts:
    1,316
    Like. grrrrr.
     
  12. Joe-Censored

    Joe-Censored

    Joined:
    Mar 26, 2013
    Posts:
    11,847
    I've read the GDPR, and I don't see anything that impacts non-EU organizations other than articles 44-50. Articles 44-50 apply to data transfers from EU country organizations to non-EU country organizations, not the direct collection of data by non-EU country organizations of EU residents.

    If I'm a non-EU organization, and I don't accept transfers of personal data from EU based organizations, I'm fairly certain that the GDPR can be safely ignored. If I'm wrong, please point to the specific text that applies.

    Text of GDPR:
    https://gdpr-info.eu/

    (I am not a lawyer)
     
    Last edited: May 16, 2018
  13. Ostwind

    Ostwind

    Joined:
    Mar 22, 2011
    Posts:
    2,804
    https://gdpr-info.eu/art-3-gdpr/
     
  14. Joe-Censored

    Joe-Censored

    Joined:
    Mar 26, 2013
    Posts:
    11,847
    Looks like you have to put in more effort than just having EU customers though. You have to do something to show you are targeting the EU for the regulation to apply.

    https://gdpr-info.eu/recitals/no-23/
     
    Last edited: May 16, 2018
  15. Martin_H

    Martin_H

    Joined:
    Jul 11, 2015
    Posts:
    4,436
    In other words "Is having that site worth a couple hundred bucks? If not, then take it down." ?

    I tend to agree, but keep in mind that as soon as you release a domain, chances are a domain squatter will scoop it up and put some bullshit ad-page on it or something like that. A friend of mine once had to buy a domain off such a domain squatter that had registered it shortly after he made a whois query to see if his domain with another extension was still free. They somehow had access to that info, bought the domain before he could, and then offered to sell it to him.



    Does anyone know what freelancers need to do with the info they have stored from their clients? Like their email addresses and postal addresses? Is this data irrelevant if it's all publicly available on the websites of those clients anyway?
     
  16. AndersMalmgren

    AndersMalmgren

    Joined:
    Aug 31, 2014
    Posts:
    5,358
    Yeah if you can't spend that money then maybe it's better to use the as is services?
     
    Martin_H likes this.
  17. one_one

    one_one

    Joined:
    May 20, 2013
    Posts:
    621
    If you don't save any (personally identifiable!) data about your users, where's the privacy concern? The only critical part is likely the forum, so if that is not in use anyway, why not just get rid of it.
     
  18. Nlim

    Nlim

    Joined:
    Apr 23, 2018
    Posts:
    40
    Not a lawyer but as far as I understood it, it basically boils down to the following.

    1.) You are not allowed to share the data without permission. I would guess that if it is publicly made available by the client that it basically counts as a permission or at the least you should be able to share the public source.

    2.) On request by the client you have to send him a copy of all the personal data you have stored on him or her which could include bills and e-mails. (On a side note I have no clue how system backups are factored into this since checking months or years of backups for potentially deleted data sounds like a nightmare even with an automated system)

    3.) On request you have to delete all the personal data stored from your client but only if it isn't needed anymore for the business transaction or for other regulations like with book keeping. (Again no clue about the situation with backups)

    4.) You have to make your client aware of what kind of data you store BUT I would guess the kind of data a typical freelancer stores for business transactions doesn't need special mention since it is needed for billing.

    Again though this is no legal advice - these are just a couple of things I gathered in passing at work about what others mentioned on the topic.
     
    Firlefanz73 and Martin_H like this.
  19. Moonjump

    Moonjump

    Joined:
    Apr 15, 2010
    Posts:
    2,572
    Apparently every bit of compliance includes backups according to a GDPR specialist who gave a talk at a tech group I attend. There are multiple nightmares.

    I’ve also read that the even stricter GDPR-K applies if your customer base includes kids (not targeted at, just includes), unless you age verify those you want to keep any identifiable data on.
     
    Nlim and Martin_H like this.
  20. Firlefanz73

    Firlefanz73

    Joined:
    Apr 2, 2015
    Posts:
    1,316
    And in Germany there are many lawyers who make their money / income just from finding copyright violations and next will be GDPR violations.

    Then you have to pay them a fee (in my opinion it is blackmail) or they drag you to a court.
    A friend of mine had to pay 3000 Euro just because of one photo on his website.

    And that was before GDPR now it will get a lot worse I bet.
     
  21. one_one

    one_one

    Joined:
    May 20, 2013
    Posts:
    621
    Based on whose rights would they be suing? Create some sort of "fake clients" that sign up at small websites to test if they comply?
     
  22. Martin_H

    Martin_H

    Joined:
    Jul 11, 2015
    Posts:
    4,436
    Let's just say the German legal system is easy to exploit for financial gain in certain areas of "rule compliance", to the point where some can make a living from doing nothing else, and it's not even illegal. "Suing" is the wrong word I think, cease-and-desist comes closer, but I can't explain the details to you either. If you want to read German sources on it, google for "Abmahnung".
     
  23. FMark92

    FMark92

    Joined:
    May 18, 2017
    Posts:
    1,243
    Usually by living in a free-er country. Other than that it becomes the API's problem. As long as you are not the company that collects personal info, there's no problem. (e.g. SteamAPI)
     
  24. one_one

    one_one

    Joined:
    May 20, 2013
    Posts:
    621
    I'm well aware of "Abmahnungen". To further explain what I wrote above: In order to be profitable for legal companies, they need to claim a damage (usually for a client they represent, like intellectual property owners such as film companies), based on which they usually ask for a certain (... ambitious) amount of money as a form of out of court settlement. Depending on the contract they have with their client, they may get a share of the settlement or ask for a fee based on the work involved per case etc. Note how this is not a case of lacking compliance with regulations, but rather where (copy) rights of an entity have been violated. So there is someone with a genuine interest to pursue this claim/case, not just for compensatory payment but also to get a grip on piracy.
    Violating regulations (as would be the case here) commonly results in a fee, so what would be the motivation for legal companies to pick this up? The only scenario I could imagine is that legal companies acquire "clients", which would then claim damages in the form of privacy violations (based on the new regulations). That, or a company tries to play dirty and hires a lawyer to bring the violation of a rival to the attention of jurisdiction.
     
  25. Martin_H

    Martin_H

    Joined:
    Jul 11, 2015
    Posts:
    4,436
    You seem to know more about this than I do, I can't contribute anything further.
     
    Nlim likes this.
  26. Ryiah

    Ryiah

    Joined:
    Oct 11, 2012
    Posts:
    21,147
    I chose "maybe" because an official website is important but an official forum is not due to the popularity of social media like Reddit and how Steam hosts forums for a game. Leader boards have never been necessary but some people love to see their scores compared to others and this can be important depending on your audience.
     
    Firlefanz73 likes this.
  27. Firlefanz73

    Firlefanz73

    Joined:
    Apr 2, 2015
    Posts:
    1,316
    Thank you all for your thoughts about this!
     
  28. snacktime

    snacktime

    Joined:
    Apr 15, 2013
    Posts:
    3,356
    The EU can only enforce laws on companies that have a presence in the EU, but indirect pressure will make a lot of companies comply. It does take some brass balls to write a law claiming global jurisdiction over people that are not even citizens. Not really a fan of that kind of overreach regardless of the goal. I would be tempted to mock it in some way. Like putting it right in our TOS that asking to be forgotten will be taken as please delete my account. Not that we would actually do that (the account deletion).
     
  29. zombiegorilla

    zombiegorilla

    Moderator

    Joined:
    May 8, 2012
    Posts:
    9,051
    If your accounts have identifying information, they would need to be deleted, or anonymized (which renders them permanently useless to the player).
     
    one_one and Ryiah like this.
  30. Kiwasi

    Kiwasi

    Joined:
    Dec 5, 2013
    Posts:
    16,860
    Check the definition of personally identifiable. It normally includes any sort of unique device ID or personal login, which is a requirement if you want to implement any sort of useful leader board, social features, or online saving.
     
    one_one and Ryiah like this.
  31. Ryiah

    Ryiah

    Joined:
    Oct 11, 2012
    Posts:
    21,147
    This. Between their definition and their examples it's very clear that personal data is anything that could be used to identify someone. Just as an example when you log onto these forums the forum system creates a cookie in the browser with a unique identifier to keep you logged on. That unique identifier is personal data.

    https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en
     
    one_one and Kiwasi like this.
  32. Firlefanz73

    Firlefanz73

    Joined:
    Apr 2, 2015
    Posts:
    1,316
    I deleted my forum/board yesterday. I dismissed my provider yesterday and will delete my website very soon.

    I am a bit sad since we also had many screenshots and media of our older games which I found interesting and I could show to friends etc easily but it is too little advantage for too much risk and work from now on.

    I will find new places to be a home of my hobby-developed games ;-)
     
  33. Martin_H

    Martin_H

    Joined:
    Jul 11, 2015
    Posts:
    4,436
    So, if I have only websites that don't use cookies, don't have any logins or contact forms, and don't run any analytics or javascript, then I should be fine, right?
     
    Kiwasi and one_one like this.
  34. Kiwasi

    Kiwasi

    Joined:
    Dec 5, 2013
    Posts:
    16,860
    Yup.

    Analytics is also fine if you have someone who is compliant provide it for you.
     
    Martin_H and one_one like this.
  35. one_one

    one_one

    Joined:
    May 20, 2013
    Posts:
    621
    @Kiwasi & @Ryiah Good point. I was mainly considering the question in the thread title. In that case, the forums and leaderboard would need to go if you want to be really safe. So, to expand my statement: "If you know what qualifies as identifiable data and you don't collect any, where's the privacy concern?" Based on that, I suppose deleting your website is a bit extreme.
    While I'd hate to be proven wrong, I really don't see a hobby game dev being hit by this, even if you do have forums. Unless some EU agency sets up web crawlers to identify potential violators. But I suppose that'd be too efficient/high tech for EU standards :rolleyes:

    On a slightly off-topic note: As annoying as it may be, I think being strict as to what is considered identifiable makes sense here. If they're ambiguous, enforcing such regulations probably becomes a major headache. A leaderboard is a clear case where the collected data is harmless and the necessity for some sort of privacy policy agreement is inconvenient at best and confusing at worst. However, if you look at which devices have a lot of entries on the board, you may conclude that they like mobile games and try and sell this information to someone looking to target mobile game ads, for example.
    Communicating clearly to users what data is being collected and how it is saved, processed and possibly sold lets people individually decide what's still harmless and (probably more importantly) acceptable for them.

    EDIT:

    As you said, it's only really enforceable on companies that have EU customers. If you want to participate in a market, you have to comply with the standards and regulations set up by the governing entities of that market. That's general practice. It's just that this particular market has not really been regulated much before, so I suppose any sort of effective regulation seems a bit like overreach.
     
    Last edited: May 18, 2018
    Nlim, Moonjump and Martin_H like this.
  36. Ryiah

    Ryiah

    Joined:
    Oct 11, 2012
    Posts:
    21,147
    Removing everything is definitely one approach but it's a very easy way to lose your audience. If you're an indie developer trying to make a living this approach would be an excellent way to destroy your livelihood. You don't need to go that far. You simply need to provide a way for someone to have their data removed from the system.

    I fully expect all actively developed forum packages to have a solution available by the time this goes live.
     
    Last edited: May 18, 2018
    one_one and Kiwasi like this.
  37. one_one

    one_one

    Joined:
    May 20, 2013
    Posts:
    621
    Right. Allow me to rephrase: "If you don't feel like looking into it any further, that would be the easiest option in order to be safe." And yes, good point about forum packages likely getting updates to deal with the regulations.
     
    Martin_H likes this.
  38. Firlefanz73

    Firlefanz73

    Joined:
    Apr 2, 2015
    Posts:
    1,316
    Goes live in 7 days.
     
  39. Ryiah

    Ryiah

    Joined:
    Oct 11, 2012
    Posts:
    21,147
    Yes, but there is at least one major downside to this approach and I've edited my previous response to mention that.
     
    one_one likes this.
  40. Ryiah

    Ryiah

    Joined:
    Oct 11, 2012
    Posts:
    21,147
    Commercial forum software (at least the few that I can remember off the top of my head) is getting compliance about as fast as I was expecting but I haven't dug too deeply into it. XenForo is the forum software powering this community and it appears to be the most compliant right now.

    XenForo:
    https://xenforo.com/community/threads/upcoming-changes-for-gdpr-compliance-in-xf1-and-xf2.146888/

    Invision Power Board (IPB):
    https://invisioncommunity.com/news/product-updates/gdpr-updates-for-invision-community-433-r1087/
    https://invisioncommunity.com/news/...ys-tools-can-help-with-gdpr-compliance-r1052/

    Open source forum software appears to have no support for compliance out of the box and the expectation appears to be that you have to do it manually through SQL commands or download a third party extension. Currently the only one with an extension is Simple Machines.

    SMF:
    https://www.smfhacks.com/index.php?action=downloads;sa=view;down=207

    Finally special mention for the community software that no one in this community likes.

    Lithium:
    https://community.lithium.com/t5/Policies-and-Guidelines/GDPR-Compliance/ta-p/300485
    https://community.lithium.com/t5/Po...a-Destruction-Policy-for-Customer/ta-p/455185
    https://community.lithium.com/t5/Li...GDPR-impact-your-online-community/ba-p/475421
     
    Last edited: May 18, 2018
  41. zombiegorilla

    zombiegorilla

    Moderator

    Joined:
    May 8, 2012
    Posts:
    9,051
    I’m not sure why you would need to delete everything, you just need to be able to delete users' data if they request. Deleting everything seems a little extreme.
     
    Ryiah and Kiwasi like this.
  42. tsibiski

    tsibiski

    Joined:
    Jul 11, 2016
    Posts:
    599
    You could simply block your web servers to people viewing from the affected regions. And if someone is using a VPN to spoof their IP - I am not 100% certain, but from what I have learned, that would preclude one from the liabilities involved. Although I am not a lawyer and cannot assert that, but it is worth getting that confirmation from someone in the know, or your lawyer.

    Either way, Zombiegorilla is right, that seems a little extreme. And you can go a little further to add validation to users creating accounts that asserts that they should give their country of origin, and be honest. And if they lie about not being in an EU country, the liability is on them if you do not follow these data deletion requirements. Although, again, confirm that with a lawyer.
     
  43. Firlefanz73

    Firlefanz73

    Joined:
    Apr 2, 2015
    Posts:
    1,316
    No thanks. I am not earning money (with my hobby made games) and the last thing I want to do is pay a lawyer :)
    Since nearly nobody visits my homepage it is no big problem to delete it. I already deleted the forums.
     
    Last edited: May 18, 2018