Managing Privacy, Identity, And Virtual Worlds In Video Games: Part Two

by Shiang-Shin Chung, Samuel Houle, Yujin Luo, and Jiayuan She

In Part One of this article, the authors discussed the current landscape and the breadth of research on privacy and gaming, as well as gamer’s identities within their digital realms. Part Two dives into the authors’ user research, and gives an analysis of how gamers and companies perceive data privacy.

Research Methodology

To gain a comprehensive understanding of the gaming privacy landscape, We first conducted an online survey surrounding data privacy and gamer identity in online video games. The survey was divided into two main parts: screening questions that focus on descriptive information about respondents’ background; questions that include respondents' gaming experiences, general awareness of privacy, and privacy preferences.

The survey went online on January 29, 2022, and was closed on April 4, 2022, for a total of 64 days. Respondents, who self-identified as gamers or non-gamers, are both included in the survey. Respondents under 13 years old were filtered out of our survey before we compiled our results or conducted any analysis. We also hosted eight 30-minute interviews from December 2021 to April 2022, including experts from different fields. The main topics related to how industry professionals perceive and interact with online privacy from their perspective and how they view the future landscape of privacy. We facilitated an hour-long focus group with 5 self-described gamers to gain a deeper understanding of current privacy practices in gaming. We also inquired about what a better future would look like in the eyes of the participants.

Survey Results

We received a total of 156 responses, and 116 individuals completed the entire survey. The ages of the respondents ranged from 15 years old to 51 years old, with an average age of 25 years old. This is a survey of convenience; the respondents are skewed towards graduate students or people aged around 20-30. Of these respondents, 56% are men, 41% are women, and non-binary individuals account for 3%. In terms of ethnicity distribution, most of the respondents were Asian and Caucasian, accounting for 51% and 26%, which matches the general gamers' demographics (Figure 1). Self-identified gamers account for 64% of the respondents. When we asked the respondents about the hours they spent on gaming every week, 34% of them spent 0-7 hours, 21% spent 7-15 hours, followed by 15-24 hours. Most of the respondents involved in this survey are low to medium-level gamers based on this scale.

Figure 1: Percentages of ethnicity and race, survey respondents

Figure 2: Weekly hours spent gaming

Gaming Preference

The respondents used the PC platform most, accounting for 42%, followed by mobile and console accounting for 34% and 22%, respectively. PlayStation and Nintendo showed the most popularity among all the console players. The top three most popular game genres among those surveyed were role-playing, adventure, and action, while platform games ranked last.

Privacy Awareness and Preferences

When asked about what kinds of regulated privacy-related information gamers were aware of, and what they considered to be privacy-related, most respondents believed that personal information (e.g., home address, phone number, email address) and financial information (e.g., credit card number, paying methods) are highly related to their understanding of privacy and regulated by laws. When asked about how acceptable certain forms of data are reflected on in-game experience for respondents, the survey shows that most gaming- related information is thought to be highly acceptable such as data collected through gameplay, gaming history, and friend lists; personal information such as ethnicity and gender is the least acceptable to be used in games.

Around 74 % of the respondents consider privacy policies as a huge factor when choosing the game, while 18% of them don’t consider privacy when playing. The rest 8% chose based on factors like quality of the game, difficulty to understand the privacy policies, gaming platform and the quantity of data the game is collecting, etc. For example, one respondent mentioned that they would care about privacy for multimedia devices like mobile or PC, but not for a Nintendo console. When asked whether they would move to another platform if they found that the platform was misusing their personal information, 79% of the respondents answered they would not continue to use the platform. Interestingly, a more protective privacy policy versus a less protective one has a low correlation with respondents’ willingness to pay for the game.

Comparing gamers and non-gamers, their awareness of privacy regulations, preference towards what kind of information should be collected or not, and willingness to pay for the game are showing similar results. But if we compare gamers on different platforms, it shows some divergence in willingness to pay for a game. Mobile users and PC users are more likely to pay for a more privacy-protective game, while console users are most likely not to do so.

Just over 89% of respondents claimed they would prefer to have full manual control of their in-game identity versus having the platform automatically adjust it in-game based on their personal data. When isolating the 11 remaining respondents who disagreed with this preference, it is interesting to find that 83% of these respondents consider themselves gamers. While this group is not nearly as sufficient of a sample size as the entire pool of respondents, it is important to note that out of the entire sample population, only 63.5% consider themselves gamers. While this study doesn’t show conclusive evidence as to why this is, it may point to the notion that certain types of gamers are more apt to release control to developers for the creation of gameplay than others.

Interviews

To gain a multifaceted perception of online privacy, industry professionals were interviewed from various fields: video gaming, tech, media, legal, and higher education. The main takeaway from the point of view of the interviewees is that in-game detailed personal information is not as important for gaming companies as we expected it to be. Collecting and storing all gamers’ information is time and resource-consuming while the business value is relatively low. One interviewee said, “We focused more on improving the gaming experience as a whole and attracting more players. Tailoring to each player is not the priority.” (personal communication, February 24, 2022).

Another interviewee aligns with this statement, “While it is useful to know gamers’ in-game detailed behavior, cross applications data is far more valuable for precise marketing.” (personal communication, March 3, 2022) Under the protection of CCPA, it is prohibited for companies to trace back to a certain user, that is, they cannot locate or identify an exact individual from their usable data, so it sets a barrier between the users and the companies. However, most of our interviewees agreed that gamers do not care much about privacy agreements as they prioritize their game choice before privacy protection. Interviewee #3 pointed out, “There are things people theoretically care about, but in reality, they don’t.” (personal communication, March 3, 2022). Most people give away information and privacy easily because they don’t personally relate to the consequences or the privacy concept is too complicated for them to fully comprehend. “But if someone on Reddit starts to complain about related issues about a game, then it will be a problem.” Interviewee #2 added (personal communication, March 3, 2022).

The landscape of future online privacy is still filled with uncertainty and opportunities, and there are some blueprints from these professionals. Alex Alben, Professor of Law, Privacy, Data and Technology at UCLA, believes that companies should not only allow customers to passively engage in privacy notices but also enumerate what has changed in policy updates:

The industry should move away from mere paragraph-style privacy notices as most companies do currently and lean into “contextual active consent”. This means that companies should allow users to wield the right to decide whether they want a one-time privacy agreement, or notices rolling out while using the service.
— A. Alben, Personal Communication, February 18 2022

Drew Davidson, Director of Carnegie Mellon University’s Entertainment Technology Center, also agreed with this reasoning. He thinks the users should have a more active role in allowing companies to access their personal data. The system should better allow consumers to opt-in, to be informed about how they’re sharing about themselves, instead of letting users click on it and figure out what to turn off. They should give the users control over how they represent themselves in that sphere.

Image via Unsplash

Professionals were asked how they perceive the emergence of new kinds of virtual worlds such as VR/AR applications and metaverse. Alessandro Acquisiti, Professor of Behavioral Research on Data Privacy at Carnegie Mellon University said, “There is a privacy risk that Meta might make things even easier to engage in “disclosure behaviors”, but making it even harder to understand the implications” (A. Acquisiti, personal communication, February 28, 2022). He fears that as the speed of the online world shifts and evolves, it will be harder to understand what privacy means to our identity or the implications. Interestingly, Interviewee #1 mentioned that he believes younger generations are more sensitive to privacy-related issues while older users stay more distant from the topic since they tend to keep the traditional concept of data storage.

On the other hand, privacy protection for children is also a concern shared between professionals. One interviewee mentioned that gaming privacy should be stricter in children’s playing space, “The most important thing is keeping children safe.” (personal communication, March 3, 2022). Though the COPPA is now protecting kids from being exploited by companies, professionals still think there are a lot of improvements that should be made. “It seems that parental consent doesn’t work because it is easy for kids to find their parent’s credit card. The FTC is doing a study on how to revise COPPA,” said another interviewee (personal communication, February 18, 2022). As for applicable improvements, one interviewee pointed out that instead of doing showy yet useless security features such as profanity prohibition, games like Pokémon are doing a better job. They installed real security guards such as restricting the naming to no more than four numbers to make sure no phone number is shared, which is an unnoticeable yet meaningful measure that future games should aim towards.

The professionals agree that despite the fact that the customers are not as aware and attentive to the privacy issue as they should be, companies should be the ones to take the initiative and lead them towards a safer user experience. A privacy lawyer mentioned that instead of viewing the laws as the bare minimum, the companies should shoot to be above what is legally required and brand themselves as businesses that are actively protecting the customers more than the government requires them to (personal communication, March 29, 2022).

Gamer Focus Group

Image via Unsplash

After analyzing much of our consumer survey and industry interview logs, we determined that gaining deeper, qualitative insight into the behaviors and attitudes of frequent gamers would help develop stronger recommendations. A focus group was held hat was composed of five male gamers. The focus group claimed to play generally between 25 and 60 hours of gaming a week. We focused on the gamers’ beliefs on current privacy-related practices and future expectations for the industry.

The participants concurred that privacy is a rule for gaming, not an exception. One instance the gamers considered a major “misuse” of their data was the act of tracking across different platforms (such as name, personal information, gaming footprint, etc.). One gamer mentioned that he hadn’t realized a privacy policy he once agreed to would apply to multiple games. He cited that Forza Horizon 5 greeted him with his full name the moment he first turned on the game after buying it, without him even knowing “where his first name would have been on [his] XBOX Live account” considering he did not remember recently using his first name when setting up game accounts (personal communication, April 3, 2022). To him, it felt like an invasion of privacy. When asked if the participants would consider moving to another platform if they found a gaming platform to be misusing their data, the general consensus was that the participants would prefer to have all of their games in one central location. However, they were also aware that the reality is they must accept that they need to use certain platforms if they want to keep playing games they enjoy.

The gamers also agreed that they would consider options that exhibit a form of “contextual active consent”, similar to what Apple provides for its iPhone users. Yet, they are hesitant about user interface designs that would hinder gameplay. The gamers discussed the potential to opt-in to certain privacy practices per game, rather than have to opt out tediously; essentially a whitelist of privacy. Some of the gamers alluded to an idea of a central log where all privacy permissions would be clearly listed on a platform. This insinuates that there is a willingness among the gamers to be more careful about privacy if the notices are more accessible to them. On a similar note, when asked if they believed branding a company as specifically privacy-protective, they agreed it would not be a negative thing to promote, but that the game company should always protect its users whether the company brands itself as privacy-protective or not.

The gamers also think that the state of privacy for consumers will probably worsen without governmental intervention. With the rise of new technologies and platforms like the idea of the “metaverse”, the gamers also see that there could be more privacy threats because it could connect one’s real life to the game more closely than in the past. Even more than just connecting a real-life persona to a virtual persona, the Metaverse may also make it possible for gaming companies to “use a recommendation algorithm from the real world to the virtual world, just for advertising. That is what I don't want to see.” (focus group, April 3, 2022). Several in the focus group believe a better future for gamers would occur if companies not only were more transparent with the data that they collect, but also how exactly the data is used to improve the gaming experience.

The insights from the focus group provided a better basis for understanding what consumer motivations and turn-offs could affect a gamer’s reality.

Conclusion

The Tension Between Privacy Protection and Game Access

According to the survey results, 74% of the respondents deem privacy policies important when choosing a game. Those surveyed also have a higher level of willingness to pay more for an increased protective privacy policy for mobile and PC games than console games. Therefore, it is safe to deduce that different capacities of data collection and usage, as well as privacy policies on different gaming platforms, affect gamers’ choice of gaming platforms.

However, in the focus group discussion, it was clear that if participants find out there is a misuse of their private data on certain platforms, they will continue using the platforms because of their strong game preferences or game exclusivity, the limited availability of gaming platforms, and the high switching costs. Gamers are creatures of habit (Focus group participants, April 3, 2022). They agree that they are willing to compromise privacy protection because they want most of their games in one place or they simply do not want to buy another console.

Ultimately, there is no real dialogue between gamers and gaming companies, just the exchange from one’s wallet. Gamers want their privacy protected but if they want to play the game, they have to agree to privacy agreements set by gaming companies, or they will suffer from no access to the game at all or limited functions.

Gaming Platform Privacy Settings Comparison

To understand the current organizational offering of user control over privacy, it is important to compare the privacy setting options on mainstream gaming platforms, including consoles, PC game stores, and mobile app stores.

Figure 3: Gaming Platform Privacy Settings Comparison

PlayStation has the most options, but it also groups options under categories to help consumers easily orient and avoid overwhelmingness. As shown in the figure below, there are comprehensive visibility options on gaming and media, friends and connections, personal information & messaging, and control for personalized content. In comparison, the other two major console platforms are not as comprehensive in terms of privacy options: Xbox only has visibility options, communication preferences, and control for voice data collection, and Nintendo only has options on friend suggestions, promotional emails, usage information, and third-party authorization.

Figure 4: Sony Account Privacy Settings

However, this differentiation in the level of players’ active control of privacy is not distinctly presented to gamers. For instance, there is no clear statement or marketing copy on privacy protection on the website, let alone pop-up windows or navigation of these features. In this case, only the excessively prudent consumers will take the initiative to compare the ranges of privacy settings and notice the differences.

In-Game Identities and Data

With the continuing emergence of gaming technology that connects social virtual worlds with game-oriented virtual worlds – such as VR-capable games that exist on the same platform as VR meeting spaces – comes an increased chance for privacy infringement. People may assume their in-game data and personal data are isolated to the gaming medium, but these misconceptions could lead to unforeseen consequences.

Entertainment is shifting and collapsing into novel versions of itself and probably will continue to do so based on demand. Even films and television are becoming more interactive and being produced at a higher rate than ever before in new mediums, such as Epic’s Unreal 5 engine - a leading 3D creation tool for photorealistic visuals and immersive experiences (Chou, 2022). Virtual worlds are bleeding into the typical gaming experience. Therefore, one’s digital persona will be affected. An in-game identity may not be seen as a completely separate persona from one’s real-life persona by data aggregators.

The survey shows that almost 90% of the respondents agreed that having full manual control over their in-game identity is a better option than gaming experiences being automatically adjusted based on their private information. The respondents’ general attitude towards gaming privacy is that they prefer to have the freedom to choose how they present themselves in the virtual world.

Yet, according to the survey result, respondents welcome less privacy-related data, such as gaming history or friend lists, to be used for experience optimization. They consider personal and financial information as most privacy-related and showed a low willingness for gaming companies to collect it. This suggests that respondents prefer in-game data over real-world data to be collected and used.

Organizational Regulation

Executives should embrace a data usage restriction system where machine learning is used to authorize different departments with different access to user information. One interviewee shared that Facebook had an internal machine learning algorithm that predicts necessary consumer private information for each team’s practices and grants access automatically. If a department requires extra access to other ungranted private information, it will need to go through a separate application system (personal communication, February 24, 2022). Systems using machine learning would be nimbler than an unlikely one-size-fits-all solution when dealing with the diverse nature of gaming. Oftentimes, it is not the individual pieces of private information that cause actual damage to consumers, but connecting different types of information on the same individual would pose a severe threat to the individual’s privacy and safety (personal communication, February 24, 2022). Separating access to different types of personal identifiers would effectively help avoid harm from data leaks.

Clear and Comprehensive User Control of Privacy

On the consumer-facing side, there are improvements to be made. For example, with the regular privacy policy agreement, there should be a more concise and easier-to-understand version accompanying the original one for gamers to understand the extent to which they agree. Whenever there are updates or revisions to the privacy agreements or settings, there should be notices, such as pop-up windows to bring the changes to gamers’ attention.

Going beyond basic private information, to satisfy players’ needs of controlling their in- game identities, companies should allow gamers to completely turn off personalization. In games, gamers would be able to build a virtual identity, either in alignment or not with their real- life identities. However, data analysis categorizes gamer characteristics and provides content accordingly, which may lead to an echo-chamber-like phenomenon, where gamers can only get recommendations that the system believes they will enjoy or purchase.

Though gamers do not really have choices except to take whatever privacy agreements and control options offered by gaming companies, their growing privacy concern should not be neglected. Instead, gaming companies should develop a better sense of consumer boundaries regarding digital privacy, and integrate that into both game development and marketing.