How does GDPR affect me as an indie game developer?

If you think Europe’s General Data Protection Regulation (GDPR) doesn’t affect you (wherever you are) as an indie game developer, you’re wrong.


The regulation, seven years in the making, finally comes into effect this year, on 25 May, and is set to force changes in everything from medicine to banking, advertising to technology, and of course, this includes games. Besides the regular GDPR, there is also the GDPR-Kids, specifically written to protect the data privacy of children (defined as under 16) online.

Individuals – as users, gamers, clients – will now have the power to demand that companies reveal or delete the personal data they hold. That is a lot of data: we commonly hand over so much information about our personal lives without even noticing that companies end up holding a great deal about us.

How can this affect you as an indie game developer?

The GDPR applies only to the EU and its citizens, but because many companies that are outside of the EU offer goods and services to EU citizens, they have decided it’s easier to apply GDPR’s terms globally.

As 25 May approaches, gaming companies are adapting their marketing efforts to adhere to the GDPR requirements.

Companies will now have to prove they have a lawful reason to keep the data they request from their users, and if they don’t follow the rules, the potential penalties are massive: up to 4% of a company’s annual turnover. So, this affects everyone.

How can you comply with the personal data collection and retention requirements?

If you want your games to be played all around the globe without worries, you had better stick to the rules. Here are some tips on how to do that:

Think about it now

As a developer, it would be wise to consider data protection matters during the game development cycle and not as an afterthought.

Less is more

Online games such as MMOs, mobile games and location-based titles once collected a great deal of information from users. Pokémon GO, for example, collected not only the location of the player, but tracked each step and filmed in real time where the player was going. You should probably think twice before developing a game that needs this type of data. Now, less information means more safety for your players and your company.

Be clear

Your privacy notices and policies must now be written so that they are transparent, concise and comprehensible to both parents and children.

Choose your audience

Now is the time to decide whether your game will be a kids-directed game or not: If your audience is ‘family’ or includes under-16s explicitly or implicitly, you’ll need to commit to a kids strategy.

The ads and the cookies

Now, profiting from ads is going to be more difficult. Gathering personal data from users for the purpose of profiling for marketing is no longer allowed. For all those monetizing with ads this will be a huge change. The solution will be to audit and in many cases replace their existing adtech providers. Critically, this will also mean removing social media plugins, which are one of the top culprits for capturing data on kids.

Do your homework

Privacy by Design, Right to be Forgotten and Data Portability are key concepts you have to grasp and implement in your games if you have or intend to build a playerbase in the EU. You can learn more about GDPR here.