I’ve spent the better part of the last few months acquainting myself with the intersection between privacy and social games. Things can be a bit complicated.[1] The goal of this article will be to explain the current state of affairs and suggest some options to consider when drafting a privacy policy that touches on social games.
 

I’ll use an example to set the stage for the discussion:
 

Little Jill Jellybean is a new user to Facebook. She signed up because everyone in her peer group was on there and South Park had an episode on it (so you know it’s a moral imperative to join). A friend posts on her wall about an exciting new game, so Jill installs the application, Uranium Enrichment City[2], and begins playing. Jill builds the foundation of her nuclear core, but quickly finds that the only way to enrich uranium quickly enough to become a higher level atomic scientist is through microtransactions, so she puts in some money to buy spent fuel rods. Also, since her reactor may melt down without constant monitoring, she utilizes the Enrichment City application on her smart phone to monitor radiation levels. Things progress marvelously.


It all seems so innocent…
but there lurks a unspoken legal reality beneath the playful surface: Little Jill Jellybean’s interaction with the game may touch upon 4 or more privacy policies (with 4 or more separate entities collecting information relating to her and her activities). 

We can see where the different privacy policies come into play when we break down the example:
 

  • Smart Phone: When Jill boots up the Enrichment City mobile application, the smart phone may begin to collect information about her and transmit that information to the developer of the smart phone’s app platform. Information such as her name, location, usage habits and so forth.
     
  • Social Network: The game resides on a social networking platform, where it can access Jill’s friend ecosystem and grow through a variety of viral means. While Jill plays, the social network will collect information relating to Jill (namely the information she puts on her profile), and perhaps how Jill is interacting with the applications on the platform (which applications Jill is downloading, how much money she is spending on those applications, etc.) Jill may get her friends involved in this process by inviting them to assist her in the development of her heavy water reactor for example. 
     
  • Social Game Developer: As Jill enriches uranium with breathtaking efficiency, her interaction with the game will also be subject to information collection. The game may ask her to register an account or perhaps it will receive information from the social network or the smart phone relating to Jill’s user characteristics.
     
  • 3rd Party Services: Any number of third parties with separate privacy policies may be directly integrated into the game. Payment services or developer toolsets/engines/platforms are typical examples. Each of these may collect information (particularly payment services) and each will likely have its own privacy policy.

Now, Jill has presumably agreed to each one of these privacy policies at some point (if not actively, then passively through use). However, Jill may not be aware of which activities are being governed by which privacy policies and how that information is being transferred among the entities associated with the application.

Regulations aren’t great in setting forth explicit requirements with respect to privacy. Instead we often get broad statements that are meant to be applied according to context. But issues are popping up with greater frequency, so it makes sense to try and be as clear as possible. Possible downsides include the prospect of FTC enforcement proceedings or litigation based on unfair business practices if the privacy policy does not accurately describe what information is collected and how it is actually used. Additionally, there are risks if the privacy policy fails to comply with the requirement of California law and other laws that expressly say that if you collect personal information from a consumer online you must disclose what information you collect and how you use it. Additionally, a company may be responsible for downstream disclosures or uses of personal information if you know that the company to which you provide information is going to disclose it or use it in a particular way and you don’t disclose that. 

So what can the developer of a social game do with its privacy policy to straighten some of this out? Provide clear and concise information.

Identify the entities. The developer of a social game is in the best position to know which entities are involved with the social game. Typically the developer has chosen the platforms where the game will run and the third party services that will be integrated into the game. Identify these entities and provide a link to each entity’s relevant privacy policy.

Explain how the entities are involved. You may not be able to state what information the associated entities are collecting (particularly since this is likely a moving target), but you can explain to your user how the various entities are related to your game. For example:
 

X is our platform, you can find its privacy policy here: [link]. They provide the home for our game. 

Y is our payment service provider, you can find its privacy policy here: [link]. We’re not wild about handling financial information so they handle the transactions for us.


Reference other agreements where appropriate. 
Often the platform or another third party will obligate the developer to undertake certain actions with respect to privacy. In certain instances it may make sense to directly reference and link to the relevant agreement so the user understands the reason for the inclusion of certain language in the privacy policy. The link provides the user with the opportunity to investigate the broader context and better educate themselves on the handling of their personal information. However, recognize that some of your agreements might be subject to confidentiality clauses or that there might be other reasons for not referencing a third party.

Identify the information being transferred. Often the platform or third party service provider will be collecting information independently of the game developer. That’s fine, and it’s up to the platform and service provider to have an appropriate privacy policy in place to cover that. However, if you as the game developer are collecting and transferring information, clearly state what information is being transferred and for what use. Also, consider identifying the entity that will be receiving that information.

The right wording for any particular privacy policy is very much a product of circumstance, but the general thrust is always the same: be clear and up front where possible. This isn’t just a matter of making things easy on your users; it’s a means for avoiding public relations situations and the ire of regulators. Friends don’t let friends create privacy policies that wallow in unnecessary vagueness.

Authored By:

Shawn Foust (GamerTag: OMG SRSLY)
(650) 815-2627
sfoust@sheppardmullin.com
 


[1] Kind of like a Rubik’s Cube that hates you.

[2] Quite possibly my most brilliant game idea ever — I’m willing to consider co-development opportunities.