By Jiexi Li
Notices under various laws and regulations have come one after another. Several major departments have joined forces on special supervision campaigns, testing game apps in China and publicly disclosing the results. A large number of apps have been notified to rectify problems, and some products have been punished or removed from the shelves for personal information processing violations. With the development of the mobile Internet and the growing prominence of data value, personal information compliance is a hot topic not only in China: most countries and regions around the world have issued relevant laws and regulations, and Europe has frequently imposed fines of hundreds of millions or billions. As a high-tech segment of the Internet industry, the game industry should carry out compliance assessment and construction with the attitude that no compliance matter is trivial. In light of the characteristics of the game industry, this article mainly discusses the compliance requirements, precautions and industry practices related to the collection stage of personal information processing.
1. Overview of Personal Information Protection in China
At present, when processing personal information, most apps obtain the authorization of natural persons by having them agree to a “privacy policy”, which according to the current legal definitions should properly refer to authorization of personal information processing. The right to privacy is not the same thing as personal information rights and interests. The right to privacy is a personal right of natural persons stipulated in the Civil Code of China; it covers a natural person's peaceful private life and the private space, private activities and private information that the person is unwilling to have known by others. According to the Personal Information Protection Law of China, personal information refers to all kinds of information, recorded electronically or otherwise, related to an identified or identifiable natural person, excluding information that has been anonymized. Personal information includes general personal information and sensitive personal information. The latter has a greater impact on the person and property of the personal information subject, so a higher duty of care applies when processing it. Sensitive personal information may be processed only for a specific purpose and with sufficient necessity, and the individual's separate consent must be obtained.
2. Characteristics of Personal Information Protection in the Game Industry of China
In personal information protection, the game industry has certain particularities compared with other Internet industries. These particularities make compliance more challenging for game companies and require product, technology, legal and compliance teams to cooperate. The characteristics of games include but are not limited to:
A large number of products. A game company generally operates multiple games, and each game is an independent app. Different games may have different information processing scenarios and process different information because their content and gameplay differ, for example whether they offer user social functions, voice functions or photo uploading.
Information sharing. In many cases, the developer and the publisher of a game are different entities. Because of the ongoing cooperation between publisher and developer and the needs of product optimization, iteration and bug handling, the publisher has to share some information and data related to game testing with the developer, and the relevant compliance arrangements need to be designed in advance.
Many cooperation channels. Cooperation between game products and third-party distribution channels generally adopts the joint-operation model. Users register and log in with channel accounts, pay the channel for in-app purchases, and have their relevant personal information collected by the channel; they are users of the game distribution channel. A game is usually jointly operated with dozens of third-party distribution channels, which raises issues such as third-party SDK integration, evaluation, and disclosure of processing rules.
Real name certification (ID certification). Users must enter identity card information for real-name authentication before a game product can be used. This process involves authorization and compliance for sensitive personal information such as identity card numbers, the personal information of minors, and even face recognition. It also raises the questions of how to design an effective guardian consent scheme for children and how to store sensitive personal information.
Global Distribution. Online games have global distribution in their genes. With fierce domestic competition and the cooling-off period in domestic version number approval, strict new anti-addiction regulations were implemented in September 2021, and a large number of game manufacturers began to focus on the large overseas market, where momentum has been strong. The games of Tencent, miHoYo, NetEase and other large game companies are at the forefront of the global revenue list. Global distribution faces different personal information compliance requirements in different countries and regions, and compliance is complex, demanding and costly.
For reasons including but not limited to the above, game enterprises face heavy, difficult, complex and varied compliance work, and the direct and indirect costs of compliance (the user experience cost caused by compliance and the cost of compliance operations themselves) are particularly high.
3. Precautions for Personal Information Collection
Personal information processing includes the collection, storage, use, processing, transmission, provision, disclosure and deletion of personal information. For an app operator, collection comes first, and lawful collection is the legal basis for all subsequent processing. According to the Research Report on Administrative Penalties for Data Privacy Compliance in 2021 issued by the iLAW Compliance Innovation and Research Institute, of the 128 administrative penalties imposed by local market regulatory bureaus for infringement of personal information, 126 cases were punished for collecting and using consumer personal information without the consent of consumers, accounting for 95.45%. Clearly, unlawful collection of personal information is widespread, and it is one of the key points of supervision. Personal information collection shall follow the principles of legality, legitimacy, necessity and good faith, so apps should pay attention to the following at the collection stage:
Get consent from the user first. Personal information shall not be collected without the user's consent. In particular, avoid collecting the user's personal information after the app is downloaded and before loading and logging in (the step where the user ticks or confirms the Personal Information Protection Policy is generally placed on the landing page). If a permission such as storage must be obtained, it is suggested to show a pop-up window explaining the permission requested and its purpose. For the consent step, the compliance practice of the leading products of leading manufacturers, such as Arena Of Valor, can be used as a reference. Given the characteristics of games, it is suggested that the pop-up window clearly inform users that, if they download the app through a third-party distribution channel, the relevant information processing rules are subject to the channel's Personal Information Protection Policy, and that the relevant links be listed.
Be clear on rules. The Personal Information Protection Policy shall completely list, one by one, the scenarios in which personal information is collected and the specific information collected, explain the rules for processing personal information, and clearly indicate the purpose, mode and scope of processing. When enumerating scenarios in the policy, using the word “etc.” is not recommended: such wording has no practical effect and may be suspected of violating the regulations. In addition, in practice, if the app is launched on a distribution channel, the channel will conduct privacy compliance testing on it, so the channel's requirements should be understood in advance through the channel's developer platform. Some channels prohibit the expression “a third-party distribution channel” on their pages and products.
Do not refuse if unnecessary. Except for functions that require the information in order to provide the relevant service, the provision of products or services shall not be refused because the user refuses or withdraws consent. The minimum necessary personal information for the basic functions of online game services specified in the Provisions on the Scope of Necessary Personal Information for Common Types of Mobile Internet Applications is the mobile phone number of the registered user. The minimum necessary personal information specified in the Basic Specification for Collection of Personal Information by Mobile Internet Applications (App) for online game services is: network access logs, identity card information, mobile phone numbers, user log information (only for users who use the information publishing function), account information and third-party payment information. Given the actual situation of game products, this article considers the latter specification more reasonable. For specific services such as voice calls and photo albums, if the user refuses to grant authorization, only that specific service is withheld. According to laws and regulations such as the Law on the Protection of Minors, online game service providers shall require minors to register and log in to online games with their true identity information; the Notice on Further Strict Management and Effectively Preventing Minors from Indulging in Online Games and other anti-addiction notices require that all online game users use real and valid identity information to register their game accounts and log in to online games. Therefore, if the user does not provide information such as identity card number and name for registration, the provider may refuse to provide game services.
Do not collect if unnecessary. The principle of minimum necessity shall be followed in the collection of personal information. Information that has no direct relationship to the service provided and is not necessary for existing business functions shall not be collected. Information needed for purposes such as product functions, product safety, and fraud and risk control may be collected after evaluation. Collection solely to improve service quality or optimize the experience should be approached with caution.
Double List. According to the requirements of the Notice on Conducting the Awareness Improvement Action of Information and Communication Services, each enterprise shall establish a “list of collected personal information” and a “list of personal information shared by third parties” (hereinafter referred to as the “double list”), listing the types, purposes, scenarios and sharing methods of information, so that the personal information subject can more conveniently and clearly know what information is being processed. The purpose of the notice is to further clarify the requirements for personal information processors to be more open and transparent and to inform users about the processing of their information. When publishing the lists, it is suggested not only to compile them from the inspection report but also to investigate industry practice thoroughly and make a comprehensive evaluation. For double-list practice, refer to the products in the “List of the First Group of Internet Enterprises Establishing the Dual List” attached to the notice.
4. Practice of the Game Personal Information Protection Industry
(1) Personal Information Protection Policy
This article has analyzed the personal information protection policies of some excellent game enterprises, together with the common information collection scenarios and information published in the text of those policies, and the following are examples after refining some of the text. In practice, the items should be listed one by one after analyzing and evaluating legality, necessity and safety on the basis of the product test report:
It should be noted that, according to the Methods for Determining the Illegal Collection and Use of Personal Information by App, the personal information protection policy shall be accessible after entering the main interface of the App with no more than four click operations.
(2) Double List
The double list shall be displayed in the secondary menu of the app so that users can consult it easily. The list of collected personal information is mainly a summary of the collected information listed in the text of the personal information protection policy. In line with the principle of minimum necessity, the list of collected personal information shall be dynamic, changing with the functions and services of the product that the user actually uses. According to a survey of the first batch of double-list products, some, such as the “Kwai App”, display the collected personal information dynamically. The list of personal information shared by third parties shall list, one by one, the third-party SDKs that collect personal information, and display the relevant contents according to the field requirements. Please refer to the compliance practices of Tencent Games, Perfect World Co., Ltd. and Netease Games.
To sum up, personal information protection is in full swing, but there is still a long way to go. In this relatively young compliance field, both regulators and regulated parties are going through a process of continuous improvement and optimization. Game enterprises, given their particularities, should further study the compliance requirements, follow compliance developments at all times, continuously iterate on the design of product compliance schemes, and, starting from personal information collection compliance, improve compliance in all aspects of personal information processing. In current regulatory practice in China, notification, rectification, and removal from the shelves for failure to rectify are the main means, but judging from the exorbitant penalties imposed globally, especially by the European Union, personal information compliance regulation will certainly become more stringent and precise.