(Image courtesy TheDigitalArtist via PixaBay.)
Earlier today, I posted an article about what we here at Hypergrid Business are doing to comply with GDPR.
Fines are up to 20 million Euros or 4 percent of total annual global revenues — whichever is higher, and GDPR applies to every company that has European users or customers — no matter where it is located. So we’re paying attention.
Fortunately for us — unlike some of our larger competitors — compliance was pretty straightforward because we don’t do much collecting of data.
But how does GDPR affect those of our readers who have grids?
I’m not a lawyer — so, disclaimer alert! — please do not take the following as legal advice. However, I have been covering privacy issues as part of my day job at CSO magazine (most recent article is How privacy is moving data security to the top of corporate agendas) and I’ve been talking with a lot of legal and compliance experts about this.
Basically, a lot of the rules are common sense, and you should have been doing this all along anyway. The biggest differences are that your users have to opt into any marketing communications, and need to have a way to have their personal contact info deleted from your systems. None of this should be too difficult for a smaller company, especially if you use an outside service for most of these functions.
Here’s some general advice about complying with GDPR:
Only collect as much data as you need
If you want to send someone a package, you need their address. If you’re not sending them any packages, why are you asking for their address? Is it just to send them spam? Or do you have a legitimate reason? Take a good look at the services you provide and decide whether the information is really necessary.
For example, you need your visitors’ IP addresses so that you can send them content. And if they cause trouble, and you have to block them, you’ll need to save those IP addresses so that you can keep the bad guys out.
If you allow people to create accounts, you will need to ask for their email address so that you can send them password resets, or important notices about their accounts.
If avatars come to your grid, and cause trouble, you might want to save their avatar names so that you can keep them out in the future. If they sign up for in-world groups, you’ll need their avatar names in order to send them group messages.
You will need to tell your users what data you collect on them, why you collect it, how you use it, and why it's necessary for you to have that data in order to continue providing your service.
And your users should have the option of seeing what data you have on them, and you should allow them to delete it.
If you do collect data, put a support email address or contact form on your website to make it clear to your users how to make those requests.
If you don’t really need the data, ask for permission before collecting it
If you want your users to subscribe to a mailing list, and that list isn't critical to the service that you provide, then they have to voluntarily agree to it.
You can’t just have a “click here if you don’t want it” — that’s an opt-out button. You need one that says “click here if you want it.” They have to actively do something to get on your list.
So if you want to send messages to all your hypergrid visitors telling them about new sales or events on your grid, put up a sign in the welcome area and ask them to click on it to sign up. Don’t just sign them up automatically, then give them the option to cancel later.
Don’t blackmail your users
Say you’re providing an important service to your users, like allowing them to attend music events in a virtual environment. They enjoy that, and want to continue doing it. Don’t force them to accept your stupid mailing list in order to continue being able to log into your grid.
That’s just evil.
If you’re about to send out an email telling your residents that they have to agree to all sorts of privacy invasions in order to continue using your grid — stop that right now.
Instead, send out two separate emails.
The first, telling them about the data that you have to collect in order to provide the service they want.
Then, send them a second email with all the voluntary stuff they can get, like newsletters and marketing announcements, and get their permission to send that stuff to them.
The same applies to content, too, by the way. For example, in order for them to wear the new dress they created and uploaded to the grid, you have to be able to display that dress, on their avatar, to other users. Otherwise, nobody will be able to see it, and it totally kills the point of uploading content to the grid. If they want to sell the dress on your marketplace, you have to be able to post the picture of the dress so that people can buy it. If you want to promote their content or destinations or events in your social media feeds, you will need to be able to use their content. What’s the point of having an event on your grid, if nobody can find out about it? But if you use their pictures in a different, unrelated context — say, in an advertisement for your land rentals — you should get permission first.
Look at the data you already have, and decide whether you need it
You might need to keep some historic data in order to ensure performance of your grid in the future. Do you really need personally identifiable information there? If you do need to keep that information, do your users have a way to find out that you're keeping it, what exactly you're keeping, and whether they can delete it?
If you’re a small