Managing Privacy, Identity, and Virtual Worlds in Video Games: Part One

by Shiang-Shin Chung, Samuel Houle, Yujin Luo, and Jiayuan She

Data Privacy in the Gaming Industry

With millions of users across the world, video games have become one of the leading entertainment industries, estimated to have generated $178 billion USD in revenue in 2021 (Statista, 2021). A major factor of industry growth is the strategic use, sharing, or selling of the personal data of users (Sire, 2021). More user information and related data are being harnessed for corporate interests such as marketing purposes, posing a serious threat to consumers’ privacy if proper consent isn’t given.

While there are instances in which consumer privacy is being safeguarded, debate continues on whether these regulations are sufficient. Data privacy laws such as the California Consumer Privacy Act (CCPA), which took effect on January 1, 2020, gave California citizens more control over the usage and whereabouts of their own personal data (Hennel, 2021). This law is similar to international privacy laws like the European General Data Protection Regulation (GDPR), which many believe to be less forgiving to corporations and to prioritize the consumer in comparison to U.S. laws. There are already a number of contentious discussions surrounding the topic of privacy, and with the rapid emergence and development of video game technology - whether in the context of new hardware like VR headsets or new concepts like the Metaverse - opportunities for data extraction and exploitation are only growing (Louveaux and Ho, 2022). With the passing of the CCPA, businesses have the opportunity to leverage laws around personal information to develop and enhance their business.

This research explores the nature of consumers’ beliefs towards the practice of privacy in virtual worlds as well as major industry players like game developers, businesspeople, and academic professionals. As the industry grows, privacy standards may need to be altered accordingly. Having a roadmap in such a dynamic environment will help the gaming industry’s leaders be proactive toward competition. In addition, this article provides evidence to determine the extent to which a gamer’s personal information should be used to alter in-game experiences. With more accurate forms of consent regarding personal data, developers may be able to generate experiences that ensure all players are comfortable in their space to express their in-real-life identity or, for some, their separate in-game identity. The scope will include a variety of gamers from the United States to generate a better understanding of how one’s personal beliefs towards data usage in virtual environments affect the expression of identity as gamers play.

The Need for Consumer Privacy

The presentation of one’s identity is only going to become more ingrained in our everyday lives, especially as the lines between video games and other forms of entertainment blur. This study examines the motivations of consumers, businesspersons, developers, academics, and legal experts as they relate to the utilization of personal data in gaming. If consumers want a more secure, private, unadulterated experience, does the industry want to acquiesce? Regardless of the answer, the importance of this study lies in its ability to discern if the needs of the masses align with corporate interests regarding data privacy, and, if not, where the gaps might be bridged.

Consumer privacy infringement is a growing issue, but privacy rights are not well understood on a mass scale. One example of privacy infringement is the case of the developer of the popular Angry Birds mobile game, in which the company was sued under the Children’s Online Privacy Protection Act (COPPA) in August 2021 for lack of compliance with parental consent regulations (Gillett, 2021). Additionally, Facebook (now Meta) has been involved in multiple privacy infringement lawsuits over the last decade (Newcomb, 2018). With Meta moving towards integrating virtual reality into its umbrella with its Oculus product, there will be more avenues to regulate considering so much personal data can flow between the arms of one company so fluidly.

Privacy Laws: EU and California

Discussions on privacy vary in scope and sentiment but are largely seen as processes still in their nascent stages, especially regarding user control over the storage, usage, and sale of personal data. Various studies have taken account of the privacy landscape as a whole, highlighting the strengths and weaknesses of certain regulations, practices, and the like, but the gaming industry has seen much less involvement in this field in comparison. Consumers may still be unaware of their rights in what happens to their data, especially in the context of the games they play and the virtual worlds in which they interact.

The implementation of the purported gold standard of privacy regulation, the EU’s GDPR, directly affected gaming companies operating within the European Union, making them comply with tighter standards on gamers’ data. The extent to which this regulation impacted actual gameplay is little to none - aside from the handful of gaming companies that chose to shut down the hosting of old games as GDPR compliance would have been too costly to maintain. However, GDPR has made it more difficult for companies “to use player info to study or market to them without their knowledge” (Lumb, 2018, para. 4). This means that the gaming industry, as a whole, is resilient enough to comply with tight regulations and provide its users with satisfactory conditions for gameplay. This also insinuates a grander market tension: companies may want to provide the most comfortable experience for their customers, but short-term expectations of revenue may be keeping decision-makers from overhauling their stance on privacy, even if there are long-term benefits in such a resilient industry.

While the EU has made strides that are resulting in consequences for major gaming companies, much of the regulatory framework is applied from a privacy perspective as it pertains to online engagement, rather than gaming-specific regulation. This leaves potential gaps open for businesses to exploit users’ data without their express consent. The gaming industry is continuing to innovate, and with more hardware and opportunities for data extraction comes more potential for either unfair or ineffective uses of consumer data.

Because the EU is regarded as a role model globally regarding privacy, other governmental entities, such as those that implemented the CCPA in California, may come to realize the need for more stringent oversight if the factors of even the GDPR model are shown to be lacking in their regulatory effect on gaming companies. There are a number of U.S. federal regulations pertaining to privacy, many of which are overseen by the Federal Trade Commission, and none of which are gaming-specific. Most U.S. federal-level privacy regulations relate to protections surrounding identity theft and financial information, rather than to cases of consent around the misuse, selling, or sharing of personal data.

Online Identity and Player Data


Game developers have a vested interest in using player data to alter in-game experiences, whether for increasing the playability and marketability of their product for the benefit of the consumer or for the benefit of the company for which they work. Sometimes, this can result in unfair usage that leads to more predatory practices, but other times, it can be used directly for the player’s benefit. For instance, data can be used “(a) to support gaming, (b) to prevent cheating, and (c) to identify personality traits of the players” (Martinovic et al., 2014, para. 34). This comes in contrast to instances in which gaming companies collect data without the proper consent of their players.

For example, the U.S. Federal Trade Commission has recently focused its efforts on looking into Epic Games, the studio responsible for the Fortnite franchise, for its questionable practices in collecting children’s data without legitimate parental consent (Sinclair, 2021). The discrepancies between the benefits for businesses and consumers present the idea of a tradeoff economic structure, in that consumers may want the best in-game experience possible, but may not be aware of the ways in which that result occurs and, as a result, do not realize the value of their data. While some gamers may not care, others might (or their parents might) and there are still ethical and social concerns with this mentality that may need to be further addressed either by gaming corporations internally or by governmental entities externally.

Personal Identity in the Gaming Sphere

One’s identity can be expressed in a variety of ways within virtual worlds, which creates even more forms of personal information that could be connected to an individual or group. In many ways, virtual worlds are places in which gamers can experiment with identity, processes and decisions that, in reality, could be considered forbidden (Bakioğlu, 2012). This factor alone gives credence to the argument that gaming could be more unsafe in regard to privacy than most gamers realize. Mobile game companies have the capacity to utilize connected social media app data to directly target consumers or create audience profiles for the sale and/or sharing of personal data to advertisers (Wang & Bashir, 2021). In contrast, console-based gaming companies generally have both the infrastructural and technological capabilities to harvest, utilize and commodify both telemetric and biometric data that is unique to a player’s decision-making skills, personal preferences, and the like (Martinovic et al., 2014). Both platforms offer different experiences, which means different possibilities for data collection.

One’s identity even stretches further in gaming scenarios than one may think. Past the use of aspects like telemetric and biometric data, aside from more basic forms of personal information, each user has their own “ID identity”, which represents the way that an individual could be identified through the unique ways in which consumers interface with a game software (Gong et al., 2020). If games provide a platform to both exhibit one’s everyday identity and game-specific identity, and gamers do not have full or, at least, sufficient autonomy in how the data associated with these identities are used, changes should be made to current regulatory frameworks.

Privacy regulation is not inherently a benefit for the gaming industry as a whole. Some companies may find their specific audiences care most about transparency and would reactively provide more control and awareness for their consumers. Some companies may find that keeping their operations private is still more profitable than wholly satisfying the consumer. Others may have an entirely different approach to privacy frameworks.


In part two, this article continues with a deep dive into gamers’ perceptions of strong versus weak privacy policies, and how that informs their decision-making as consumers. Part two also looks into how professionals in the industry are predicting the changes and challenges ahead with gamers’ data, and compares some of the leading game developers’ privacy control settings.


Definition of Terms

  • California Consumer Privacy Act of 2018 (CCPA): a California law that gives California residents more control over the usage, sale, and sharing of their personal information. It provides the framework for the Right to Know, Right to Delete, Right to Opt-out, and Right to Non-discrimination granted to each California resident (State of California - Department of Justice - Office of the Attorney General, 2022).

  • European General Data Protection Regulation (GDPR): the European Union (EU)’s new data privacy and security law that grants any European citizen the “right to be forgotten” (www.gdpr.eu, 2022).

  • Children’s Online Privacy Protection Act (COPPA): a U.S. law that requires online services or mobile applications collecting and sharing personal information about children under thirteen to obtain verifiable parental consent and to follow a number of other data-handling requirements. (Russell, 2018)

  • Right to be forgotten/Right to erasure (GDPR): This grants the right to gain, from the data controller, the erasure of personal data in a timely manner (www.gdpr.eu, 2022)

  • Sharing, selling, and usage of data: If a company expressly states within their Terms of Service how they wish to use personal data, and the user accepts, the company may do so as it pleases. Any owner of personal data, with proper consent from the user, can sell data to other parties, share data with other parties, or use the data internally for a number of reasons specific to the party’s interests (Freedman, 2021).

  • Metaverse: a term used to describe an interconnected virtual reality where people gather to work, socialize, play, or explore. (Merriam Webster, 2022)

  • Telemetric: of, or relating to, telemetry - the tracking of objects, or in the context of gaming, processes, and the people who performed them. (Zenn, 2020)

  • Biometric: of, or relating to, biometry - the measurement and statistical analysis of people’s unique physical and behavioral characteristics. (Gillis et al, 2021)

  • Personal data (a.k.a. Personally Identifiable Information): any information that relates to an identified or identifiable living individual. (European Commission, n.d.)

Resources

Sire, T. (2021, September 12). How the video game industry wins with data. CompanionLink Blog. Retrieved May 6, 2022, from https://www.companionlink.com/blog/2021/09/how-the-video-game-industry-wins-with-data/

Gillett, M. T. (2021, August 28). New Mexico sues angry birds developer over child privacy violations. Jurist. Retrieved March 2, 2022, from https://www.jurist.org/news/2021/08/new-mexico-sues-angry-birds-developer-over-child-privacy-violations/

Newcomb, A. (2018, March 25). A timeline of Facebook’s privacy issues — and its responses. NBC News. Retrieved 4 March 2022, from https://www.nbcnews.com/tech/social-media/timeline-facebook-s-privacy-issues-its-responses-n859651

Lumb, D. (2018, May 26). How GDPR is affecting the games you love. Engadget. Retrieved March 2, 2022, from https://www.engadget.com/2018-05-26-how-gdpr-is-affecting-the-games-you-love.html

Sinclair, B. (2021, May 6). FTC has looked into Epic's handling of children's personal information. GamesIndustry.biz. Retrieved March 4, 2022, from https://www.gamesindustry.biz/articles/2021-05-06-ftc-has-looked-into-epics-handling-of-childrens-personal-information

Bakioğlu, B. S. (2012). Negotiating governance in virtual worlds: Grief play, hacktivism, and Leakops in Second Life®. New Review of Hypermedia and Multimedia, 18(4), 186–259. https://doi.org/10.1080/13614568.2012.746742 

Wang, T., & Bashir, M. (2021). Gaming apps’ and Social Media Partnership: A privacy perspective. HCI for Cybersecurity, Privacy and Trust, 475–487. https://doi.org/10.1007/978-3-030-77392-2_30 

Martinovic, D., Ralevich, V., McDougall, J., & Perklin, M. (2014, September 8). "You are what you play": Breaching privacy and identifying users in online gaming. IEEE Xplore. Retrieved March 2, 2022, from https://ieeexplore.ieee.org/abstract/document/6890921/keywords#keywords

Gong, X., Chen, C., & Lee, M. K. O. (2020). What drives problematic online gaming? the role of IT identity, maladaptive cognitions, and maladaptive emotions. Computers in Human Behavior, 110, 106386. https://doi.org/10.1016/j.chb.2020.106386 

U.S. average age of video gamers 2021. Statista. (2022). Retrieved 4 March 2022, from https://www.statista.com/statistics/189582/age-of-us-video-game-players/