Biometrics, Gaming & Privacy Laws
As avatars and other uses of biometric information become more and more popular, game developers should be sure to review the applicable privacy laws governing the collection and use of such information. Otherwise developers could find themselves being sued.
Just this week, the U.S. District Court for the Southern District of New York rejected a putative class action claiming that Take-Two Interactive Software, Inc. (“Take-Two”) collected and retained facial scans of gamers in violation of the Illinois Biometric Information Privacy Act (“BIPA”). See Vigil v. Take-Two Interactive Software, Inc., 2017 BL 25907 (S.D.N.Y., No. 15-CV-8211, 1/30/17). However, given that Illinois, Texas and Connecticut have biometric privacy laws on the books, there is no doubt we will see similar litigation in the U.S. in the near future. And since most game developers sell to a worldwide audience, they will also need to make sure they comply with biometric privacy laws in foreign jurisdictions.
How BIPA Affects Game Developers
Under BIPA (740 Ill. Comp. Stat. § 14/15), companies collecting biometric information or identifiers (e.g. fingerprints, facial scans) must provide notice to the individual explaining how their information will be stored, for how long and the purpose of the collection, and receive written consent from the individual to use the information. Violations under BIPA can result in statutory fines up to $5,000 or actual damages per violation, reasonable attorney’s fees and costs, and other relief as appropriate, including injunctions.
The Take-Two games named in the lawsuit, NBA 2K15 and NBA 2K16, give gamers the option to create customized basketball players (which are essentially avatars) via 3D facial scans that become visible to other online gamers. When gamers decide to create their avatar, they must agree to the terms and conditions of the game before the camera on their Xbox or PS4 console scans their head.
The plaintiffs claimed that Take-Two: (a) failed to provide adequate notice, (b) did not obtain their informed consent, and (c) did not use “industry-standard reasonable care” to safeguard their personal information. In addition, the plaintiffs alleged broad privacy concerns, particularly regarding biometric information. The District Court ruled that the plaintiffs’ allegations of BIPA violations were “procedural” and “marginal, at best,” and that such claims were not sufficient for standing under the current Article III standard; the plaintiffs have appealed to the Second Circuit.
Since the Supreme Court decision last year in Spokeo v. Robins, requiring a “concrete and particularized injury” for standing, it has become more difficult for plaintiffs to establish sufficient standing under Article III. To date, the Second Circuit has interpreted Spokeo to mean a statutory violation does not establish a concrete injury for standing under Article III. See Strubel v. Comenity Bank, 842 F.3d 181 (2d Cir. 2016). This means that in Take-Two, the plaintiffs would need to establish that the alleged violations of BIPA presented a material risk of harm to their concrete interests.
For game developers to mitigate and avoid similar complaints, a compliance review of federal and state privacy laws is recommended. In addition to biometrics laws like BIPA, many states regulate organizations’ privacy policies, children’s online privacy, security safeguards, data breach notifications and much more. The lack of uniformity between states can make a compliance review an onerous process; however, the potential fines and enforcement (certain state Attorneys General are actively enforcing privacy laws) make compliance an important business decision.
Privacy laws applicable to game developers can be found in most major economic markets. In particular, game developers should be aware of the European Union (“EU”) and the countries of the Asia Pacific region. The EU has typically been viewed as having the most robust privacy laws, with a broader definition than the U.S. of what constitutes personal data and a requirement that companies implement compliance measures beyond notice and consent. Such measures include security safeguards, data transfer mechanisms for transfers of personal information between countries (e.g. Privacy Shield, Model Contracts, Binding Corporate Rules), and much more. In the Asia Pacific region, countries like South Korea, Japan, Singapore and China have been falling in step with the EU model, so companies can expect to see a lot of overlap between these jurisdictions.
In the EU, the existing Data Protection Directive and ePrivacy Directive will be replaced by the General Data Protection Regulation (“GDPR”) and the ePrivacy Regulation, which will come into effect on May 25, 2018. These new rules impose greater accountability obligations and restrictions on international data flows, among other things. In order to be compliant by May 2018, game developers should start taking steps now to meet the requirements under both laws and any applicable local Member State laws. Failure to meet the requirements under the GDPR and ePrivacy Regulation can result in hefty fines of up to 20,000,000 EUR or 4% of total worldwide annual turnover.