GDPR-K: How the kids data privacy law affects games publishers everywhere
SuperAwesome MD Max Bleyleben explains why it's not enough to look for GDPR compliance - in the kids' space, you also need GDPR-K compliance
The GDPR deadline is only seven weeks away. What a lot of people don't realise about GDPR is that many - if not most - game publishers will become subject also to GDPR-Kids or GDPR-K, the provisions specifically written to protect the data privacy of children (defined as under 16) online.
Think of GDPR-K as COPPA for Europe
The US pioneered kids' digital privacy law with COPPA (Children's Online Privacy and Protection Act), which effectively banned behavioural advertising, retargeting, and data profiling of kids. COPPA ultimately led to the creation of what is now the biggest privacy-based digital ad market and, in parallel, to the emergence of 'kidtech', 'zero-data' tools for brands to safely engage with kids.
GDPR-K effectively replicates COPPA in Europe, with some important differences.
If children play your game, GDPR-K applies to you
The huge shock that is coming to European publishers is that, under GDPR-K, a child is defined as under-16 in Germany, Italy and Netherlands. Although other countries have chosen lower ages (UK and Ireland have picked 13, France has picked 15, etc.), practically speaking if you're operating a game across Europe you'll need to consider any audience under 16 as children.
"There is no mixed-audience concept under GDPR, so publishers will need to identify and treat their adult and child audiences separately"
GDPR-K applies to any "service offered to children", which is defined as any that is not actively dissuading or preventing children from using it. This means that typically mixed-audience games - such as casual HTML5 web games, or the many popular mobile apps beloved by commuters and kids equally - will now all be considered 'child-directed'.
This broad scope will capture thousands of game developers, large and small, who previously would have considered their audience as 'general' or certainly 'not kids'.
There is no mixed-audience concept under GDPR, so most publishers will need to identify and treat their adult and child audiences separately. This means either using an age-gate to ask users how old they are, or creating clearly demarcated services for adults versus children.
Putting your head in the sand isn't an option
Europe is pretty serious about GDPR-K. The law allows for much larger fines than COPPA, the greater of 4 per cent of turnover or €20 million. Perhaps more worryingly, it puts in place a framework for private lawsuits, which would mirror the class action lawsuits we have already seen in the US for alleged breaches of kids data privacy law.
Many developers probably feel their obligations only extend to GDPR. However, this is not enough for those with a kids audience or even a potential kids' audience. Three key things every European game developer needs to do right now:
Decide whether you want to be a kids-directed game or not: If your audience is 'family' or includes under-16s explicitly or implicitly, you'll need to commit to a kids strategy, or age-gate your audience between kids and grown-ups.
No more behavioural ad targeting: Under GDPR-K, children "merit specific protection with regard to their personal data" and profiling for marketing purposes is specifically disallowed. For all those monetizing with ads (the vast majority), this will be a huge change. They will need to audit and in many cases replace their existing adtech providers. Critically, this will also mean removing social media plugins, which are one of the top culprits for capturing data on kids.
Rewrite your privacy notices and policies: GDPR-K requires that all notices are transparent, concise, and completely comprehensible by both parents and children.
"GDPR-K marks the moment publishers must make a decision about their content and audience"
GDPR-K marks the moment publishers must make a decision about their content and audience. By definition, many games developers will default into having a kids audience. The alternative is to risk a hefty fine and serious damage to your reputation.
Although this sounds challenging, the emergence of the 'kidtech' sector - designed for digital privacy - means there are clear solutions for achieving this.
The good news is... Mo' money
At first glance, GDPR-K seems like a huge challenge for game developers. However, the quid pro quo is that digital budgets in the kids space are growing at the fastest rate of any market in the world (25 per cent a year according to PwC).
This monetisation opportunity is big, but different to what many have experienced before. GDPR-K-compliant advertising requires you either obtain opt-in permission with verifiable consent from parents, or (more practically) ensuring you're operating in a zero-data environment.
Done right, this empowers developers to monetise their kids' and grown-up audiences more effectively than ever before by making use of the best premium ad engagement opportunities for each audience. But the disruption created by these changes also sets the scene for a new wave of game developers and audiences to emerge.
As with any new games innovation (app stores, etc), there are often disproportionate rewards for the game developers that get in early. GDPR-K will be no exception, by setting the standard for compliant kids game content and audience monetisation, you're guaranteeing years of digital revenue growth.