Every February, gaming aficionados from all over the world gather in San Francisco for GDC (the Gaming Developers Conference). The interesting thing about gaming, especially online and mobile gaming, is that users from all over the world can play with and against each other without ever actually meeting; cultural differences, language barriers and distance become irrelevant.
Behind the scenes, however, game developers and gaming companies are increasingly aware of the challenges involved in deploying a game across borders. Regulation in the EU can be particularly onerous, and can vary between countries within the EU. With GDC 2017 fast approaching, we take a look at some of the new obligations for interactive media companies as they operate across Europe.
EU-wide and country-specific regulations
There is good and bad news about European regulation. The good news is that laws are increasingly being harmonized, providing businesses with more clarity and a less fragmented landscape. The bad news is that these are often the minimum standards. Countries can therefore opt to have more stringent regulation in certain areas. We recommend you consult with our experts in the various countries you operate.
Below we discuss some examples and zoom in on Germany (which, as we have previously discussed, has a history of enacting specific rules for the games industry) to see how it has implemented some wider EU regulation.
Data Privacy: Strengthening the Rights of Consumers
With the effective date of the new EU privacy rules drawing closer, one of the top legal topics in 2017 for data-driven companies with European operations should be the preparation for new compliance requirements and processes.
The General Data Protection Regulation (GDPR) will come into effect on 25 May 2018, introducing fundamental changes to the EU’s privacy framework, including a significant increase in possible fines, up to EUR 20 million or up to 4% of global turnover for serious violations. The GDPR will strengthen consumer rights and controls over how their data is processed. Examples include the right to information about their data, portability of data among service providers and the infamous ‘right to be forgotten’. For gaming companies in particular, the change in age of consent for minors is relevant. The age of consent for minors is 16 years. Member states may lower the age limit to 13 years, but not all of them are likely to do so.
The impact of the GDPR cannot be overstated. In particular, the GDPR’s data handling requirements, and the penalties for getting it wrong, make it clear to businesses across the world that if they intend to use data relating to individuals in the EU they must proactively address privacy issues. For anyone that has not already started a GDPR compliance project, the message is: don’t panic yet, but the sooner you can start, the better. We have developed this short guide in an infographic to help you kick off your GDPR compliance project, and to show you how we can help you along the way.
Consumer law: withdrawal right for digital content
The implementation of the EU Consumer Rights Directive in 2014 gave consumers across the EU a statutory withdrawal right in contracts for the purchase of digital content. Unlike in other types of agreements, it is possible for the producer of content (for example a gaming company or a producer of a video) to obtain a waiver prior to delivering the content.
For example, what exactly constitutes digital content? In interactive media, this could be as simple as an app purchase. But what about in-app-purchases? It is crucial to determine whether digital currencies such as “credits” within games are indeed digital content for the purpose of EU consumer law and only if they are indeed considered digital content does the withdrawal right waiver scheme apply.
Germany’s first attempt at defining digital content in this context was when the Regional Court of Karlsruhe ruled that the definition of digital content in the EU legislation was sufficiently broad to include any kind of data, however it was communicated to the consumer, even if this was not a download. Therefore, virtual currency in the German court’s opinion is digital content and a withdrawal right waiver would be possible.
However, according to the court, the withdrawal right cannot be waived before it is created, meaning the waiver needs to be declared by a separate action after the purchase. In practice, this means that online game providers should implement two buttons for players to click (or tap) before virtual currency is credited to an account. First, the player would tap a “purchase” button and then they would see a second screen asking for the withdrawal right waiver.
This reasoning is thought of by many as surprising, as the court ignores the possibility of making legally binding declarations conditional upon certain later events. The games provider has appealed the decision, and we expect some clarification this year as to whether the formalities imposed by the Regional Court of Karlsruhe are actually necessary. It also remains to be seen whether other EU countries will take a similar approach.
In the meantime, it is important to note that some form of user consent during the purchase process is required at any rate for a valid withdrawal right waiver. It is not sufficient to include the information notification in the terms of service.
It also pays to remember that when addressing the German market, Terms and Conditions must be available in German and are governed by German law; in almost all cases, this also requires a legal review of the terms to make them compliant with Germany’s particularly strict rules on standard terms for B2C contracts.
Alternative Dispute Resolution
New EU legislation requires anyone providing services to consumers to inform them about the existence of a new EU-wide Online Dispute Resolution Platform (ODR), even if a provider does not want to participate in such online dispute resolution procedures. The ODR Platform was developed by the European Commission to help consumers and businesses resolve their contractual disputes about online purchases of goods and services out-of-court, at a low cost, in a simple and fast way.
An EU country can also implement additional, national alternative dispute resolution mechanisms, each with their own set of information and disclosure requirements. Some Member States, including Germany, have already done this. This means that just because you met the EU requirements on informing your user about the existence of ODR as a means to dispute resolution, does not mean you have met the requirements for all EU countries. If you deploy your game or product in various countries it is therefore important to know which countries deviated from the EU regulation.
Germany-specific: youth protection officer
A hot topic in interactive media and gaming has always been age requirements. Germany goes a step further by taking a page from data privacy’s playbook (where a Data Protection Officer is required under the GDPR). Germany recently revised its online youth protection rules by requiring German online service providers to designate and share the contact information of a youth protection officer, if they offer content that could potentially impair minors. This also applies to German entities of US companies, like all international entities, they must adhere to local law.
The officer can be an employee or an external service provider and has the task of advising the provider on issues of youth protection and serving as a contact for users. However, smaller providers with less than 50 employees, or less than 10 million monthly visits, can satisfy this requirement by becoming a member of a self-regulatory organization.
As with other online legal requirements, such as alternative dispute resolution, a key issue is how you inform your user of the applicable rules. It is no secret that ‘agreeing’ on the terms of service when you are eager to start your game is simply a few clicks that keep you from playing right away. Websites, therefore must provide the information on alternative dispute resolution and the contact information of the youth protection officer in a manner that is easy for users to locate, identify and is permanently accessible. On top of that notification requirement, information on alternative dispute resolution must also be included in the Terms of Service, but this (again) may differ from country to country.
The examples above are a mere illustration of things that are on regulators’ radars in Europe. EU-wide regulations are a good starting point, but there are nuances in each country. At the end of the day, expanding your user base across borders is exciting and a huge opportunity for your company. When you are ready to expand your business overseas, though, you need to know what the basics are that you need to put in place when you have an international user base and where any country-specific measures need to be put in place. Who’s ready to level up?!