What is the new law?
Quebec has introduced a new privacy law framework to protect the province’s residents by preventing companies from collecting unnecessary data from their customers, and it imposes responsibilities on companies and organizations that handle data. Known as Law 25, the legislation aims to modernize the existing data privacy framework and align it with recognized global standards such as the European Union’s General Data Protection Regulation (GDPR). Like GDPR, it applies not only to Quebec-based businesses but also to any company processing the personal information of any Quebec resident. Unlike similar U.S. privacy laws, there is no minimum threshold that has to be met before the requirements apply. Nor does it only apply to big companies. Anyone doing business or collecting data in the province is bound by the same rules.
Does it only apply to big companies and mass transactions?
Therefore, if gaming companies have a single customer accessing their services from Quebec, they have to comply with the law. It is regarded as pioneering in Canada but does reflect the general direction of travel regarding data privacy throughout the rest of the developed world. However, despite Canada’s regionalized, province-by-province approach to data regulation, there can sometimes be a “domino effect” with laws, with neighbouring governments picking up on best practices. If that were to happen, it is likely there would be federal reform in the near future.
Operating to global standards
Regardless of whether federal reform takes place, the bottom line is that most gaming companies operate globally and, therefore, have to operate to the highest data-protection standards to be able to sell their products across a wide range of markets. This is particularly true of digital products, and the more homogeneous they are, the easier they are to sell in massive quantities. It could be easy for gaming companies to think that, other than adaptations for currency differences, they can just provide standardized products. Much of the popularity of super successful gaming titles is that they deliver a shared experience regardless of where in the world they are played.
Localization sells games
However, cultural differences can mean that games are adapted for different markets. This is particularly true when one is looking at iGaming products and services. Online casino platforms could be regarded as ‘much of a muchness’, and each one needs to differentiate itself from the competition. This could be through unique content and localized gaming features. iGaming platforms collect huge amounts of data on their customers. They have to do this to adhere to their licensing agreements. Now, they will have to ensure that the way in which they collect and store the data is also compliant with Law 25.
iGaming platforms accustomed to GDPR compliance
As many of the top casino game platforms have roots in countries that are already GDPR compliant, it should be quite simple for them to be Law 25 compliant, too. Online casinos have to verify customers’ ages and addresses. In addition, they have links to customers’ financial details so that deposits can be made to place a wager. If the player’s luck is in and they are looking for the payout an online casino offers, they will need to have their funding sources linked up. The last thing a player wants, after all, is a delay in getting their winnings.
Law 25 is not only about standard data
However, it is not only the standard personal data that is protected under the new data privacy laws. There will also be restrictions on the amount of information that can be gathered from within the game. Quebec’s privacy regulator has also made clear in its consent guidelines a number of restrictions on what personal data can be collected from video game players. These include the following categories:
- How many clicks a player makes in a single session
- How long they played in a session
- Who they interacted with, i.e. their friends lists
- Metadata on their system/device
- Conversations on public servers
- Scores, user names/pseudonyms, avatars and game history
Looking at that list could be somewhat alarming, as a player might assume that most of those details were private anyway. However, as this kind of data is invaluable to a business wanting to sell ‘more of the same’ or understand what motivates a purchase, companies are keen to be able to exploit it for marketing purposes.
Privacy Impact Statements need to be carried out
Gaming companies will now be required to carry out Privacy Impact Statements (PIA) to evaluate various factors related to the protection of personal privacy. The Act requires a company to do this if it
“Undertakes a project to acquire, develop or overhaul an information system or electronic service delivery system involving the collection, use, communication, keeping or destruction of personal information”.
In other words, this could apply to a new system that automatically collects in-game data to identify glitches or bugs.
A PIA is also required
“When a business intends to communicate personal information outside Quebec.”
This means that a gaming studio that develops MMORPG games, collects data from players and sends it to servers in Toronto, for example, would need to carry out this assessment. The same would apply to any financial transactions, as the payment data would almost certainly be handled by servers outside of the province.
Full disclosure
The Act says that players must be notified of any tech that identifies, locates or profiles them. These technologies must be deactivated by default, and players must opt in. This includes the collection of player data for in-game targeted advertising and geolocation functions.
How can gaming companies obtain valid consent?
Any personal data that is collected but is not essential to playing the game requires valid consent, and the company must present a separate request for permission to collect and store it. Targeted advertising and profiling are not considered essential. Privacy practices cannot be hidden in general Terms of Service: they must be disclosed in a distinct privacy policy, and consent must be obtained using distinct check boxes.