How To Optimize Your Game's Advertising While Complying With Privacy Laws

When you are marketing your game, especially when you do paid user acquisition with advertising, you want to lower the costs as much as possible while getting the right players, the ones who are going to play your game and keep playing it. In order to do proper marketing, you need to have some user data.
As time has progressed, countries and states have set limits on what data can be collected and how it can be used. In some cases, this has made it very difficult for marketers to do their jobs when it comes to optimizing campaigns.
This article will go over the basics of how to optimize your ad campaigns while remaining legally compliant by covering:
- Why marketers need data to optimize
- Understanding the different data types
- Examples of how laws differ globally
- Examples of how to remain compliant
Disclaimer:
This article is for informational and educational purposes only and does not constitute legal advice. While we aim to provide accurate and up-to-date information regarding data privacy laws and advertising practices, you should consult with a qualified legal professional or data privacy expert to ensure compliance with applicable regulations in your specific jurisdiction.
How Marketers Use Data To Optimize Campaigns
First, we need to understand how marketers utilize a user's data to optimize campaigns. Typically the most important key performance indicator is the conversion rate. For games, we look for conversion with wishlists, sales for premium games, and installs for freemium games.
To improve those conversions, a marketer must have an understanding of who is converting, and then adjust the campaigns to get more of those people. They must first collect this data through a pixel and then send that data back to a Conversion API. You can read a full explanation here in this article. In short, Conversion APIs (CAPIs for short) work as follows:
- A user clicks on an ad
- Through a "pixel" the user is tracked
- When the user converts or takes an action, their information is sent back to the ad platform's CAPI
- The ad platform then sends more users who are likely to engage with the game and convert
The challenge is that the data the pixel collects must be legally acquired from the user, as it normally falls under “Personal Data” (discussed below) or “3rd Party Usage”. Not being able to track a user makes a marketer's job more difficult and, even worse, wastes the marketing budget you allocated for your game.
There is a stigma associated with collecting user data, because it can be used in illegitimate ways that violate a user’s privacy. Below we will break down the types of data and then how each is applied.
Types Of Data
First we should examine the types of data that can be recorded about a user, because not all of them are the same. The type of data is normally defined by the law, and how the law defines it can change by region and country. Below are the general types that are most used:

De-identified Data
De-identified data is information that has been stripped of personal identifiers to the point where it can no longer be connected back to a specific person.
- Cannot be reasonably linked to an individual or device: The information cannot reasonably be used to infer information about, or be linked to, a specific person or a device associated with that person.
- Reasonable measures are taken: The entity holding the data (the "controller") must take reasonable steps to ensure the data cannot be associated with an individual.
- Public commitment to non-re-identification: The controller must publicly promise to handle the data only in its de-identified state and not attempt to re-identify it.
- Contractual obligations for recipients: Any third party that receives the data must be contractually bound to the same standards of not attempting to re-identify the data.
For example, let’s say you get a report that 27% of the people that engage with your ad are male. That data is de-identified because there is no way of linking it back to a specific user.
Personal Data
In simple terms, personal data is any information that is linked or can be reasonably linked to a specific person. This can be:
- Direct Identifiers: Name, address, social security number, passport number, etc.
- Online Identifiers: IP address, email address, device IDs, cookies, and other tracking technologies.
- Inferred Data: Information derived from other data points to create a profile about a person's preferences, behaviors, or characteristics.
Certain laws require the user to opt-in to collect personal data, while other laws auto opt-in the user but the user has the right to opt-out.
Sensitive Data
The final category is "sensitive data," which is a specific category of personal information that receives a higher level of protection, requiring your explicit "opt-in" consent before it can be processed. Here is a short and concise summary of what is considered sensitive data:
- Racial or ethnic origin
- Religious beliefs
- Mental or physical health condition or diagnosis
- Sex life or sexual orientation
- Citizenship or immigration status
- Genetic or biometric data used for the purpose of uniquely identifying you
- Personal data collected from a known child (under the age of 13)
- Precise geolocation data (your specific location within a radius of 1,750 feet)
Almost all laws require that the user explicitly give consent when utilizing sensitive data.
Laws Currently Affecting Data Collection
There are laws already in place that restrict the data that can be collected. Below are various examples, both country-wide and state-specific. These are brief descriptions, as covering the full laws is out of scope for this article and requires a lot more analysis.

GDPR
The General Data Protection Regulation (GDPR) is a European Union law that governs how personal data must be collected, stored, and processed, requiring organizations to obtain clear opt-in consent before collecting data and to provide easy opt-out mechanisms for users at any time. While it directly applies to all EU and EEA countries, it also affects any organization worldwide that processes personal data of individuals located in those regions.
China Personal Information Protection Law
China's Personal Information Protection Law defines personal data as all information relating to an identified or identifiable person, and its scope covers the data of individuals within China, even if processed by entities abroad for providing services or analyzing behavior. The law requires a strict opt-in model, meaning organizations must obtain separate, explicit, and informed consent from individuals before collecting the minimum amount of data necessary for a specific purpose, and consumers have the right to refuse or withdraw consent, particularly for activities like advertising.
California Consumer Privacy Act
The California Consumer Privacy Act of 2018 defines personal data broadly as information that identifies, relates to, or could reasonably be linked with a particular California resident or household. The law's scope applies to for-profit businesses operating in California that meet specific revenue or data processing thresholds, and it provides consumers with the right to opt-out of the sale or sharing of their data, while requiring explicit opt-in consent for minors and financial incentive programs.
Colorado Privacy Act
The Colorado Privacy Act defines personal data as any information that is linked or reasonably linkable to an identifiable individual and requires businesses to get explicit, opt-in consent before processing sensitive data, while giving consumers the right to opt-out of their data being sold or used for targeted advertising. The law applies to entities that conduct business in Colorado or target products to its residents and meet specific data-processing thresholds, regardless of where the business is physically located.
Connecticut Data Privacy Act
The Connecticut Data Privacy Act grants Connecticut residents rights over their personal information by requiring businesses to be transparent about data collection and to honor consumer choices. The law defines personal data as any information that is linked or reasonably linkable to an individual, and it mandates that consumers must actively "opt-in" for the processing of sensitive data, while providing them the right to "opt-out" of the sale of their personal data or its use for targeted advertising.
Japan
The law is Japan's Amended Act on the Protection of Personal Information, and it defines personal data as any information that can identify a living individual, including through codes or when combined with other data. The rules require explicit opt-in consent before collecting sensitive information or sharing data with a third party, and its scope covers any business, including those overseas, that handles the personal data of individuals in Japan.
These are only brief descriptions of each of the laws, but they should give a general overview of how the laws work and how they can differ. One of the key distinctions between what the GDPR and China laws set up vs laws enacted in certain states in the US is that the consumer is required to opt in with the GDPR and China, while the consumer has to opt out in the US. This distinction is critically important for game marketing.
How To Advertise Your Game Effectively While Following Various Laws
Paid User Acquisition and maximizing the Return on Advertising Spend (ROAS) has to be focused on data and, as mentioned above, training the conversion API. Without knowing who is buying your game, it is very difficult to optimize your ad spend. Let's break down how you might walk through different scenarios based on advertising in the United States, Europe, and Japan.
Step 1: Localize Your Ad
First you want to localize your ads. Just like you localize your Steam pages, you want to localize your ads as well. This means adapting not just language and cultural references, but also ensuring compliance with local data privacy regulations.
Step 2: Tracking or No Tracking Links
One of the items we like to employ at Glitch is tracking links. These links cookie the user to improve trackability as the user moves between your properties (Steam Page, Website, etc). Tracking links can be applied in some use cases but not all. Let's take a look at each region:
- United States: Because the user is considered opted in by default and has to opt out, the tracking links are fine.
- Japan: If the tracking link is not sending data to a third party (yet) and Glitch can act as your data processor (an "entrusted person"), then the tracking link is fine.
- Europe: Because the user has not explicitly consented to tracking and cookies, the tracking link should not be implemented yet.
If you want to read more about tracking, read this article here.
Step 3: Optional Alternative Landing Pages
If the landing page is going to a property that you do not own, like a Steam page, then there is nothing you have to do here. But if it's going to a property you own like a website, then you can design different landing pages with different levels of consent and data pushing requirements.
- United States: Users are already opted in, therefore send the conversion data back to the API through the tracking pixel. If the user opts out, then stop updating the CAPI.
- Japan: Hold the tracking pixel information but do not send it quite yet. When the user finally opts in, then you can send all the conversion data back to the CAPI, otherwise you can only use the data on your end.
- Europe: No tracking can be done until the user opts in, then you can start sending data back to the API. If the user does not consent then all the data must be discarded/not tracked.
Step 4: Continue To Collect and Send Data for Opted In Users
For the users that have opted in or remain opted in, we need to keep collecting data and sending that data back to the API and tracking the user. Remember that we want to be sending back the correct events to the conversion API to better train it and send look-alike audiences.
When a user opts in, there are several events that you want to send to the conversion API beyond just the conversion. You want to send:
- Pageviews: When users navigate between properties or pages on your website, send this data back as it indicates a user is showing interest.
- Purchases & Installs: When a user purchases or installs your game, send this back to the conversion API to indicate that this is the kind of user that is converting.
- Retention: Day 7, Day 15, Day 30. Users that retain are the best kind of users and we want the ad platform to send more of those, therefore send that data back to the CAPI as well.
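The region rules from Steps 2 to 4 can be enforced in one place, in front of whatever code sends events to the CAPI. The sketch below is an added example, not Glitch's code. All names (`ConsentGate`, `POLICY`, `replay`) are hypothetical. It assumes that a US opt-out drops later events, and that regions not listed fall back to the strictest policy.

```javascript
// Added example: a consent gate in front of a conversion API (CAPI) sender.
// Policies follow Step 3 above; every name here is hypothetical.
const POLICY = {
  US: { unset: 'send',    opt_out: 'discard' }, // opted in by default
  JP: { unset: 'hold',    opt_out: 'hold' },    // first-party use only
  EU: { unset: 'discard', opt_out: 'discard' }, // nothing until opt-in
};

class ConsentGate {
  // sendToCapi: callback that forwards one event to the ad platform.
  constructor(region, sendToCapi) {
    // Assumption: regions not listed get the strictest (EU) policy.
    this.policy = POLICY[region] || POLICY.EU;
    this.sendToCapi = sendToCapi;
    this.consent = 'unset'; // 'unset' | 'opt_in' | 'opt_out'
    this.held = [];         // events kept on our side, not yet forwarded
  }

  setConsent(choice) {
    if (!['opt_in', 'opt_out'].includes(choice)) throw new Error('bad choice');
    this.consent = choice;
    // Japan case: events held before consent are released on opt-in.
    if (choice === 'opt_in') this.held.splice(0).forEach((e) => this.sendToCapi(e));
  }

  // Returns what happened to the event: 'sent', 'held' or 'discarded'.
  track(event) {
    const action = this.consent === 'opt_in' ? 'send' : this.policy[this.consent];
    if (action === 'send') { this.sendToCapi(event); return 'sent'; }
    if (action === 'hold') { this.held.push(event); return 'held'; }
    return 'discarded';
  }
}

// Constructed sample: the same visitor journey replayed per region.
function replay(region) {
  const sent = [];
  const gate = new ConsentGate(region, (e) => sent.push(e.type));
  const outcomes = [gate.track({ type: 'pageview' })];
  gate.setConsent('opt_in');
  outcomes.push(gate.track({ type: 'purchase' }));
  gate.setConsent('opt_out');
  outcomes.push(gate.track({ type: 'retention_d7' }));
  return { outcomes, sent };
}

for (const r of ['US', 'JP', 'EU']) console.log(r, JSON.stringify(replay(r)));
```

Keeping the decision in `track` means a pageview, purchase or retention event cannot reach the ad platform without passing the same consent check.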
Compliance At Glitch
At Glitch, we understand that compliance can be a nightmare when you want to fully optimize your advertising globally. We use custom AI that helps you create ads that comply with laws and regulations worldwide.
Our system works by understanding your target audience for your game, then helps localize the text for each target market. It either applies tracking links to appropriate ads where the target audience is automatically opted in, or leaves the links off if compliance requires it. Finally, it automatically feeds events back to ad platform conversions.
Wrap Up
The level of your tracking and what you are able to decide comes down to what the user is allowing you to track. Understanding these nuances across different regions is crucial for effective game marketing while maintaining compliance with privacy regulations. The key is to build flexible systems that can adapt to different privacy requirements while still providing valuable data for campaign optimization.