Introduction
Video gaming has become a full-blown industry that spans the entire globe and represents revenue in USD tens of billions annually. Now more than ever, video gaming is a widespread entertainment activity: gamers have access to a wide variety of interfaces for gaming, there are many choices of genres and an even greater pick of titles within each genre. Outside of entertainment, video gaming has also carved a place as sports – its own, specific e-sports industry.
Despite the challenges currently faced by every sector of the economy, video gaming remains a solid market with significant growth perspectives. Video games attract an ever-growing number of new players and, in turn, attention from investors, developers, publishers and other companies in the value chain seeking to maximize their monetization potential.
In this industry where art and technology are in focus, companies must have a robust legal strategy to secure their investments during and after game development.
In this two-part series, we will focus on specific tech law topics that are particularly relevant to the economic actors in the video gaming industry:
- In Part 1, we will explore current data privacy challenges that affect video game monetization, as well as the value of a good cybersecurity strategy.
- In Part 2, we will look at the opportunities presented by the rise of AI in video gaming and the importance of well-negotiated IT contracts in the gaming industry.
1. Data Privacy challenges and enforcement trends
1.1 Personal data is at the heart of the monetization schemes
Video gaming is a very diverse industry and companies may face different challenges which depend on many factors such as the hardware used, the genre of the game, etc. Video gaming is becoming an increasingly social experience. As a result, the single- or multi-player status of the game as well as the inclusion of online gaming capabilities are also factors that need to be taken into account when assessing privacy risks.
All things considered, video gaming can (and as the industry evolves, is very likely to) involve the processing of a significant amount of personal data of the players (pseudonyms, contact information, payment details, any personal data provided in chat systems, etc.), and the personal data may be processed for many purposes, such as managing the relationship with the user base by providing updates, providing in-game chat systems, using anti-cheat systems, and last but not least, game monetization through advertisements and in-app purchases.
Further, the scope of personal data that can potentially be collected is significant. Consider the following: should we consider that avatars are in themselves personal data? What about users’ voices for games that enable voice conversations? Could we consider that in-game behavior is an indicator or philosophical beliefs and therefore sensitive data? These questions reach uncharted territories, and the industry should keep an ear out for any answers that will impact them.
We can see the potential of monetization materializing in the context of mobile gaming in particular. Mobile gaming is particularly accessible to the wider public, including those who do not necessarily identify themselves as “gamers”, since it does not require a dedicated device in addition to the one most of us constantly carry with us – our mobile phone.
Through the app stores they are already used to for their general “mobile app” needs, users have access to a wide range of mobile video games, from the digital replicas of our favorite board games to various types of puzzle games, simulators (dating, farming, fishing, building, trucking…), role playing games and strategy games… Access to games is generally free of charge, and only a tap on the “Install” button away.
Mobile gaming tends to operate on the so-called “freemium” economic models, meaning that the game itself is provided free of charge but the gamer can pay for additional in-game features and goods (e.g., clothes, armor, weapons, etc.) and/or the game relies on in-game advertisements to be profitable. Both of these monetization schemes require the processing of personal data, and in the latter case, rely on such processing – especially if the advertisements are personalized. Either way, personal data is a key component of such monetization schemes.
For many mobile games, the EU General Data Protection Regulation (GDPR) will apply to the data processing operations identified above, either because the game’s publisher is established in the EU or because the game is offered to individuals located in the EU (e.g., the game is provided in French, Italian and/or other languages primarily spoken in the EU).
Publishers seeking to reach a global audience will therefore have to establish a strategy to comply not only with the provisions of the GDPR but also, depending on their individual cases, that of local data protection laws such as those regarding cookies and other trackers.
In light of the above, it is crucial for game publishers and other industry actors to stay aware of the guidance and enforcement trends of the relevant Data Protection Authorities.
1.2 Trends in the EU: regulatory enforcement and guidance
One thing is certain: The EU Data Protection Authorities are looking at personal data processing activities that relate to advertisements with a watchful – and critical – eye.
This observation is not specific to video games in particular, as demonstrated by the ever-increasing flow of decisions against social networks and other types of applications that also rely on personalized advertisements to generate revenue. However, this should not be ignored by video game developers and publishers.
For example, France’s Data Protection Authority (CNIL) has recently issued decisions that provide significant insights into the processing of personal data for advertising purposes.
In terms of soft law, the CNIL recently published an action plan to protect mobile app users[1]. This plan consists of three steps:
- the CNIL will continue its internal work in order to have a complete understanding of the personal data processing in the context of mobile apps, particularly in technical terms;
- the CNIL will use the resulting knowledge to support professionals and inform the general public, in the form of guides and recommendations for example; and
- the CNIL will carry out targeted investigations and, if necessary, take enforcement action against organizations that do not comply with their obligations.
While this action plan does not target mobile games specifically, there is little doubt that game developers and publishers will be concerned with this. These actors should formulate a strategy for managing investigations and, where relevant, enforcement action taken by the data protection authorities.
While minor protection is a concern that the gaming industry is already well aware of in the context of access to content with the Pan European Game Information (PEGI) content classification system and parental controls, it is also highly relevant as regards data privacy. In this respect, the CNIL has also provided guidance aimed to strengthen the protection of minors in digital environments. Compliance with this guidance will require publishers to analyze whether their internal processes are adapted for the processing of the minors’ personal data. For example, the CNIL recommends allowing minors to exercise their data privacy rights on gaming platforms regardless of their age. But is a 10-year-old child capable of understanding a privacy policy that uses technical wordings such as “legal basis” or “purpose”? Or is it preferable to draft a minor-friendly version of the same to enable minors to exercise their rights?
Lastly, it should be noted that companies in the mobile gaming sector are also facing increased restrictions from key actors: app store providers, who are themselves subject to obligations with regards to data privacy and attempt to maintain control over third-party content that they aggregate on their platforms.
As we have seen in recent months, the app store providers frequently change their data privacy terms – game developers and publishers should therefore establish a strategy to grow alongside changes, not suffer through them.
2. Cybersecurity in the video game industry: a peculiar sector with peculiar challenges
2.1 Cybersecurity in Massively Multiplayer Online Games: the unbeatable challenge?
Over the past decade, the video game industry has experienced a rapid increase in Massively Multiplayer Online Games (MMOGs), both in terms of newly released games and revenue. MMOGs are video games that involve a very large number of players simultaneously, usually through an online-only access to the game. Fueled by the outbreak of COVID-19, the market of MMOGs has seen positive growth in this genre that is known for being demanding of players’ time, sometimes requiring several hours of gaming a day to ensure a good enough level to overcome the endgame.
While such an exigency might tempt players to violate the MMOG cybersecurity rules to cheat to gain a competitive edge over their opponents, there has been a steady increase in more common types of cyberattacks (such as phishing and click-fraud) that are progressively migrating into the MMOG sphere. Such an increasing risk notably arises from the fact that MMOGs are progressively turning to mass-monetization of their content, both with in-game currencies or real money. In doing so, MMOGs are somewhat coming together with Web-based banking applications and auction sites. It is also important to note that MMOGs are becoming heavily-detailed simulated worlds, with mature communication and social presence mechanisms that bring together both the real and fictional identities of the MMOG players.
Overall, this means MMOGs have become prime targets for phishing and click-fraud attacks. It is especially true for games that are both marketed and intended for young players. A 2023 study[2] revealed that games with a younger-than-average gaming community are most targeted by hackers as the young gamers are more likely to fall for scams. Criminal hackers prey on the naivety of children and teenagers in the hope of stealing their parents’ bank data. Thus, the main scams consist of offering the so-called “virtual currency packages” for free. In order to receive these fake packs, the criminals develop various booby-trapped webpages which are promoted on the Internet and notably on social networks.
As those types of cyberattacks are usually – at least partially – not conducted within the game itself but rather on webpages mimicking the games’ graphics and visual identity, combatting such phishing and click-fraud attacks proves particularly challenging for video game editors, whose liability in connection with those attacks from a French law perspective is yet to be determined, notably in cases where (i) cyberattacks are partially carried out “in-game” (e.g. using the video game chat features), or (ii) cyberattacks make use of the video game “ancillary” services provided by the editor (e.g. official forums, supporting mobile applications).
As such attacks on the end user of a video game multiply, it is not so much their resulting financial impact but rather the reputational damages they incur that should have the video game editors worried.
2.2 Passionate players bring passionate hackers: the case of cyber-anarchy
The gaming industry has recently emerged as a preferred target of cyberattacks that typically target other types of standard software or online platforms. Nonetheless, it is also facing cyberattacks whose goal is not personal data or credit card information theft, but rather a disruption of the game itself.
Those cyberattacks are usually brought about by the players themselves, who typically act on the basis of their resentment towards the video game makers, notably when they disagree with their editorial choices. Insofar as those attacks are not motivated by financial interests but rather a desire to disrupt the overall gaming experience of other players, they embody a rather sector-specific kind of cyberattacks, whose somewhat political purpose can be linked with cyber-anarchy.
For cyberthreats that fall into this category, there are two main types of attacks:
- cyberattacks targeting video games in early development phases to create leaks; and
- cyberattacks targeting video games after release to disrupt online servers.
On one hand, hackers can launch cyberattacks to obtain and eventually publicly release early builds or major plot elements of video games to the public, prior to the release of such video games. These attacks bring about video game “leaks” which are being increasingly suffered by game developers with several major video games titles that have not been expected to be released until at least 2024 but have been publicly leaked.
Those leaks can be particularly detrimental to the in-development games, as the public is given access to hours of footage of various aspects of the games that are still a work in progress. As the footage generally consists of poor-quality, unfinished contents, it tends to decrease the overall expectations of players for games that have taken years in the making. In the worst cases, hackers can also obtain part or all of the video game source codes, which can then be publicly disclosed – or sold – on the dark web, therefore voiding years of work and heavy financial investments from the video game makers.
On the other hand, hackers can launch DDoS attacks to online video game servers after their release. A DDoS attack disrupts the online server of a video game by sending an overwhelming amount of request and/or information to the server. DDoS attacks can result in players getting kicked off a server in the middle of a game because it is overloaded or experiencing extreme lagging in their gameplay.
The problem for gamers and video game studios alike is that DDoS attacks have become increasingly cheap and easy to perform, as hackers do not need to have programming skills or invest a large amount of money. This phenomenon – referred to as “DDoS as a Service” – means that attacks can be rented and launched online for as little as USD10, under the supervision of an experienced hacker providing technical support during the attack.
As such, online server disruption has become part of the day-to-day challenges for video game editors, who have to implement efficient and easy-to-launch server back-ups, while also ensuring minimum annoyance for players.
2.3 A nascent regulatory framework that is yet to be acted upon by video game editors?
With cyberattacks becoming more and more common across the business world, public authorities at both the French and the European level have taken it upon themselves to regulate cybersecurity more effectively.
At the national level, France is already equipped with a robust judicial arsenal to tackle cyberattacks. Such attacks can be punished under various provisions of the French Criminal Code. Among those provisions:
- Article 226-4-1 provides for sanctions applicable when one usurps the identity of a third party, including when the offence is committed on an online public communication network;
- Ransomware attacks can be prosecuted on the basis of Articles 312-1 and 312-6-1 of the French Criminal Code, which punish extortion (whether it is from an individual or organized gang); and
- Articles 313-1 to 313-3 of the French Criminal Code, which represses fraud, and can be mobilized for all types of frauds, including fraudulent sale of “in-game” currencies, or frauds through websites mimicking official video game websites.
At the European level, the NIS 2 Directive[3] entered into force replacing Directive (EU) 2016/1148 and improving the existing cybersecurity status across the EU, already provides for an administrative structure at the EU and Member State level and mandates relevant policies and strategies to be updated and harmonized with those that have already been put in place. Moreover, the European Cybersecurity Act of 2019[4] has incorporated the EU Agency for Cybersecurity (ENISA), with promises to install a new European cybersecurity certification scheme.
Moreover, the EU is already working on two legislative proposals to address current and future online and offline risks:
- an updated directive to better protect networks and information systems;
- a new directive on the resilience of critical entities.
With all those upcoming regulations reinforcing the effective arsenal of legal provisions to tackle cyberattacks, one might wonder how the video game industry may react and adjust its cybersecurity practices.
[1] CNIL website, Mobile applications: the CNIL presents its action plan to protect your privacy, 24 November 2022, accessible in French here.
[2] Kaspersky, The dark side of kids’ virtual gaming worlds, 2023.
[3] Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive).
[4] Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification.