Children no longer make up the majority of gamers, but they’re still a big part of the industry – one that will be greatly affected by the EU General Data Protection Regulation (GDPR).
Whether they’re playing on a browser, console or PC, gamers are encouraged to create accounts and share personal data. But when the Regulation takes effect on 25 May 2018, organisations will be subject to much stricter rules on how they can obtain personal data. Consent will be harder to get, and for some under-16s, it will no longer be an option.
Age of consent
Under the GDPR, the default age at which a person is no longer considered a child is 16, but the Regulation allows member states to adjust that limit to anywhere between 13 and 16. For example, the UK, the Republic of Ireland and Spain are expected to set the age at 13, Germany and the Netherlands will stick with 16 and Austria is opting for 14.
Data controllers must know the age of consent in particular countries and avoid seeking consent from anyone under that age.
Instead, data controllers must get consent from a person holding “parental responsibility”. They must also make “reasonable efforts” to verify that the person providing that consent is indeed a parental figure.
The reason for these rules, the GDPR states, is that children “may be less aware of the risks, consequences and safeguards” of sharing data.
The GDPR lists specific requirements for lawful consent requests, specifying that consent needs to be given with a clear affirmative action. In other words, individuals need to be given a mechanism that requires a deliberate action to opt in, as opposed to pre-ticked boxes.
The terms for consent must also be written in simple language that takes the target audience into account.
Consent is only one of six lawful grounds for processing data, and it’s generally the least preferable option.
There are a couple of reasons for this. The first is that if your organisation has used consent to collect data and then wants to reuse that information for another purpose, you’d need to ask for everybody’s consent again. Anyone who refuses to consent or doesn’t reply must be removed from your records.
The second reason is that individuals are free to withdraw their consent at any time. This means you have to remove them from your records. If you don’t, your organisation risks disciplinary action from your supervisory authority.
Become a GDPR expert
The complexity of the GDPR and the punishment for failing to comply have created a pressing need for experts on the Regulation. There has never been a better time to invest in GDPR training.
Our Certified EU General Data Protection Regulation (GDPR) Foundation and Practitioner Combination Course provides a comprehensive introduction to the GDPR and gives you practical advice on planning, implementing and maintaining a GDPR compliance programme. It also enables attendees to fulfil the data protection officer role.
The course is delivered by an experienced data protection practitioner, and is ideal for both managers who are already involved in data protection and individuals who want to get started in the field.