What does the “data” in data privacy mean? A quick Google search defines data as: “facts and statistics gathered together for reference or analysis.” In the data privacy context, most people likely think of things like one’s name, email address, phone number and so on, all of which is correct. But might the definition stretch even further? California seems to think so.
In June 2018, California enacted the California Consumer Privacy Act (CCPA). The CCPA is the country’s first broad statute aimed at expanding consumer’s rights over their personal data. Though it’s just a California state statute, it has far reaching implications. It applies to any business that a) collects consumer’s personal data, b) does business in California (even if not headquartered there) and c) satisfies one of the following conditions: i) has gross revenues in excess of $25 million, ii) traffics in the personal information of 50,000 or more individuals or households or iii) earns more than half of its revenue selling consumer data. In today’s interconnected world you have to imagine that all American digital businesses, to say nothing of foreign businesses, are doing business in California, giving the statute effectively nationwide reach. In regards to the size and revenue conditions, the adage “If you’re not paying for the product, you are the product.” is well known at this point. The app store is filled with free apps, the business models of which depend on collecting consumer data and thus place them within the scope of the Act.
Perhaps the most interesting aspect of the Act is how broadly it defines “data.” Under the Act, the term includes any information that can be used to identify an individual, household or device. As such data is not just the traditional pieces of information identified above but also one’s browsing history, location data, and even biometric data. Biometric data? Attorneys at Skadden have elaborated on what this might mean. According to them, biometric data can include things such as keystroke patterns and click speed. One can imagine that an individual player’s gameplay data, such as movement patterns, firing or attack frequency, or preferred weapons, might also fall under the protection of the act. Video game players often have an online profile that identifies them when they play over the internet. Information is collected from these online profiles to establish the leaderboards for the game in question and the rankings or, Elo, of individual players. The importance of this data takes on another dimension in the context of competitive professional gaming, esports. An esports league might be interested in collecting player data to ensure that there is not a discrepancy between player inputs and gameplay outcomes which would indicate cheating. Additionally, esports events are often streamed to millions, and both the streamers and their advertisers might be interested in collecting audience data to optimize user experience. Streaming platforms like Twitch often allow viewers to comment on the action. Data collected from this commentary also likely falls under the protection of the Act. In sum, gaming, and especially competitive gaming, presents many unique data collection opportunities and thus openings for liability under the Act.
However, mere collection of data is not itself a violation of the Act. Under its provisions, businesses are required to provide notice of their data collection and sales practices and provide opt out mechanisms. For consumers under 16, affirmative consent to data sharing is required. For those over 16, consent is assumed but they must be allowed to opt out. If these requirements are not met, the California attorney general can pursue penalties of up to $2,500 for each violation and up to $7,500 for intentional violations. The Act also provides California consumers with a private right of action through which they can seek actual or statutory damages between $100 and $750.
At the time of enactment, the CCPA was already the strongest consumer privacy law in the nation but the California electorate decided to take it even further. In November 2020, Californians approved Proposition 24 which amends the CCPA with the even more comprehensive California Privacy Rights Act (CPRA). The CPRA amends some of the CCPA’s perceived shortcomings. The initial CCPA allowed Californians the right to access and delete personal information businesses had stored on them and the right to opt out of having that data sold. However, critics pointed out that this legislative scheme still left too much of a burden on the consumer who had to take proactive steps to take advantage of the Act’s provisions. The new CPRA by contrast places the burden on companies to reduce data collection and retention. Additionally, it imposes new notification requirements aimed at ensuring consumers are better informed of their rights to data privacy. Perhaps the most significant change brought about by the amendment is the establishment of a new state executive agency authorized to enforce the law.
The CPRA also establishes a state agency with the authority to enforce the law, something the California Attorney General’s office has been handling since CCPA became law. This new agency will have a $10 million budget and will relieve the state attorney general’s office of some of the burden of enforcing the law. Additionally, companies coming under the scope of the law will be required to conduct cybersecurity audits and submit them to state regulators.
If the enactment of the CPRA is any indication, data privacy rights in California are becoming stronger. It is not difficult to imagine other states following suit if California’s legislative scheme achieves its goals. There may even come a point when the United States passes strong federal data privacy legislation, bringing us closer to the stringent protections of the European Union. These developments in the realm of information privacy will be of increasing interest not just to videogame companies, but across sectors as more and more consumer products become “smart.” But as more aspects of our lives become connected and data collection capabilities expand, concerned consumers may find themselves wondering if the legislative process can ever keep up.