Our Terms & Conditions | Our Privacy Policy
The All India Game Developers Forum (AIGDF) says that the Digital Personal Data Protection Act (DPDP Act, 2023) may end up affecting how free-to-play games (F2P games) operate and monetise their user base via advertising.
In a recently released report about the anticipated impact of the Act on the gaming industry, AIGDF mentions that F2P games largely cater to multiple different age groups, including those under 18. With the DPDP Act, they would have to obtain verifiable consent from the parents of those users who are under 18, before processing their data. The Act also prevents companies from processing the data of an under-18 user in a manner that is likely to have a ‘detrimental effect’ on their well-being. Further, Further, it prohibits those processing the data of under-18 individuals from monitoring their behavior or targeting them with advertising.
“These prescriptions are likely to pose a disproportionate challenge to common industry practices among F2P games,” the report says. It adds that F2P games tend to collect user information during registration or even during gameplay to serve targeted advertising users based on their behavior, preferences, in-game choices, and location. This is crucial for the gaming industry because games maintain user profiles and accounts, and track a user’s progress within the game. F2P games may have to track users for a range of purposes, including to figure out whether someone is cheating. Thus, AIGDF argues, it is unclear what ‘tracking’ means in the context of games.
F2P games’ business model relies on in-game purchases and advertising for revenue. The absence of qualifying language limiting the prohibition on tracking can negatively impact their business model, given that they largely rely on in-game purchases and advertising for revenue generation. AIGDF explains that similar concerns also exist for restrictions on behavioral monitoring, which can impact certain tools that gaming companies deploy to monitor risks to children within gaming environments and detect toxic behavior, cyber-bullying or predatory activity.
Other concerns for F2P games:
Lack of clarity on the age of the gamer:
AIGDF argues that under normal circumstances, F2P games don’t discern the age or age bracket of their users. While most F2P games rely on content-based age-rating systems for game distribution, such age-rating systems are not legally enforceable in India. Instead, users have to exercise their personal discretion/parental control features when accessing age-appropriate games.
The AIGDF has previously argued that India should adopt a government-sanctioned age-rating framework for the gaming industry. In its current report, it mentions that F2P games would benefit from age rating, by classifying which games need verifiable parental consent mechanisms. However, this would not take away other consent-related complications.
The financial burden of implementing age verification:
F2P game developers include independent developers, publishers, and other micro small, and medium enterprises (MSMEs). Given the size and capabilities of those within this space, it would be challenging for them to implement know-your-customer requirements (KYC) to obtain parental consent. Since the government is yet to operationalise the DPDP Act via rules, it is unclear how gaming companies would have to seek user consent. However, whenever the government does prescribe consent mechanisms, implementing them is likely to increase costs for F2P games.
Inability to anticipate detrimental effects:
F2P gaming companies might also struggle to anticipate how the outcome of their data-processing activities might constitute an ‘intangible detriment’ to a minor. The provision of preventing detrimental effects might require further guidance from regulators, the report states.
Impact of the DPDP Act on real money gaming:
Consent fatigue:
The DPDP Act says that all data collectors must provide notices to consumers about the collection and use of their data. At the start of a real money game (RMG), the game developer would have to not only inform users about game mechanics but also about how they process, store and protect users’ KYC and other personal data. Further, the Act requires that the game explain to the user how it might use their data to identify fraudulent activity in-game, and how the developer may share it with third-party vendors for payment processing. Games have to give users the option to opt out of sharing specific data categories for processing.
Overly complex and lengthy notices could deter players from completing a game’s registration process, leading to the risk of higher user drop-offs. Each additional step in the registration process can be a drop-off point for users.
Advertisements
Sector-specific regulations:
Under the IT Rules, 2021, real money games have to verify user identity before accepting any deposits and they have to follow the same process regulated financial entities comply with. “While specific clarity on the nature of ‘KYC’ obligations for the handling of this personal and financial data by RMG online gaming intermediaries is awaited, it is apparent that some form of sectoral data collection and handling obligations will continue to be applicable,” the report says.
Challenges for Web3 games:
Lack of consideration for blockchain under the Act:
The report defines Web3 games as games that incorporate blockchain technology. Blockchain technology uses decentralised ledgers to store information digitally for public access. Simply put, whenever any information is recorded on the blockchain, it is stored across multiple locations simultaneously in different computers (called nodes). Blockchains are immutable, which means that the data stored on them cannot be changed or tampered with once it has been recorded.
AIGDF argues that it is unclear how the DPDP Act would apply to decentralised networks as those which exist in Web3 games. Web3 game developers will need to be mindful of privacy obligations in relation to any personal data that they process using the blockchain. For instance, the DPDP Act requires that companies must allow users to correct or erase their personal data. Given the immutability of blockchains, Web3 game developers might not be able to allow users to fully access these rights.
Unclear how the act applies to pseudonymous identities in games:
Another concern is the fact that Web3 games allow users to interact with each other anonymously or pseudo-anonymously through virtual avatars. Companies can make these avatars hyper-detailed and based on vast amounts of biometric data and other personal data and also completely unique, not bearing resemblance to the user. AIGDF points out that it is unclear whether the data used to create and operate these avatars counts as “personal data” under the law.
The issue becomes more complicated when you consider other data collected in virtual reality environments like emotional expressions, behavior, breathing, and body movements. In some cases, this data might be enough to identify a specific individual. Such virtual environments can generate huge amounts of data – up to 2 million unique data points per user. Depending on how the law is interpreted, this could mean two very different things:
- Web3 gaming might be seen as processing even more personal data than traditional games.
- Or, it might be treated as processing non-personal data, which would be subject to less strict regulations.
AIGDF’s recommendations to the central government:
- Ensure that there is flexibility in integrating parental consent mechanisms without over-prescription, in the case of F2P games where the gamer may not be deeply invested in the platform and may be unwilling to go through complex processes.
- Subject to adequately ensuring the well-being of minors, the government should consider allowing F2P games to track/show targeted advertising to under-18 gamers.
- The government should clarify what constitutes data processing in a manner that may be detrimental to the well-being of a child.
- Issue FAQs to provide gaming companies with details on the scope and granularity of digital personal data obligations, such as notice and consent, which is especially relevant for Web3 games.
- Clarify the scope of individual rights to modification/erasure of data in relation to information stored using immutable technologies like blockchain.
- The government could consider putting out industry-driven codes for data protection in various sectors. These codes would be non-prescriptive and would help companies understand how to comply with broader data protection laws in the context of gaming.
Also read:
Images are for reference only.Images and contents gathered automatic from google or 3rd party sources.All rights on the images and contents are with their legal original owners.
Aggregated From –
Comments are closed.