The GDPR Dilemma: Ethics, Enforceability, and Global Reach in Game Marketing
Explore the ethics and enforceability of the GDPR for global game developers. Learn how EU privacy laws impact game marketing, data tracking, and compliance across borders—especially when local laws conflict.

This is probably one of the most controversial topics we are going to write about in this series: the ethics and enforceability of the GDPR, and how it can affect your game's marketing. The question becomes threefold:
- Is the GDPR ethical when applying its requirements to companies in countries it has no sovereignty over?
- Is it enforceable when applying its requirements to companies in countries it has no sovereignty over?
- Does it contradict other laws that countries have established?
Understanding the GDPR
You know when you visit a website and see that popup at the bottom asking for permission to use cookies and other tracking functionality? Before GDPR, this didn't exist because a website could track anything it wanted without the user's permission.
Then in April 2016, the General Data Protection Regulation (GDPR for short) was created. It is a legal framework established by the European Union that dictates how data on consumers can be collected. The law essentially states that nothing can be tracked without the explicit consent of the user, even if the information is not personally identifiable information (PII).
So if you assign a user a random device ID, like "Za-43-4v-435" that is only used to identify a unique user but doesn't give any information on who that user is, then that is still not allowed under GDPR tracking rules unless the user consents to it.
For marketing your game with paid advertising, this can be incredibly difficult because we rely on tracking to optimize campaigns. And this will make the cost of advertising your game higher. But we can discuss the loopholes later.
Is This Ethical Or Digital Colonialism?
There are philosophical reasons that can be discussed around the right to privacy and what is ethical versus what is not ethical. We can break this down into a few key arguments:
Right vs Privilege: We can argue that the right to privacy is a basic human right no matter where you are in the world. Your information should not be available to everyone to do as they wish. But the internet is not a right—it's a privilege. And while the companies who own a site or service that you visit should respect your privacy regarding what data they make available, using their service is a privilege and they have the right to collect data that helps their business operate.
Digital Colonialism: Europe has a long history of colonization, especially when they brought Christianity to the "savages" in the Americas and Africa. Europeans imposed their religious beliefs, cultures, and values onto other nations, which by today's standards we would call ethically wrong. The argument has shifted from "we are bringing them god, medicine and education" to "data privacy is a fundamental human right for everyone". It is still forcing their beliefs onto others.
Now in today's world, most first world countries will not use military means against each other but rather economic means to achieve goals; look, for example, at Trump's trade wars at the beginning of his second term. So we arrive at the same question of whether the GDPR imposes its laws onto other nations with fines: is this in fact another form of colonization, just a digital one?
From an ethics standpoint, data privacy should be universal, but how it is implemented must be nuanced when it no longer serves in the context of basic human rights. And to force that belief onto other countries creates an ethical dilemma, even if it's for the betterment of the entire world.
Is The GDPR Globally Enforceable?
One of my favorite activities is spending time at national parks. Often parks have rules such as "grilling can only happen on Friday, Saturday and Sunday." But when I go with friends, we see people grilling every day and someone always says "That's against the rules."
Parks are massive, with lots of land to cover, and park rangers are often tied up with other responsibilities ranging from animals, boating, littering, and road safety to disputes between people, and park rangers typically cover multiple parks. With their hands tied up, when rule breakers are pointed out I often ask, "Well, who is there to enforce the park rules of when to grill?" And that is where one of the key elements of any law comes into play: how is it going to be enforced?
First, for European countries, GDPR is absolutely enforced. There is a public site here with all of the violations and penalties owed:
https://www.enforcementtracker.com/

Notice that the tracker only holds European countries, not global countries, which is a telling sign of its actual enforceability. The GDPR can take action against a European company given its business presence. What about non-European companies? Well, these are the largest fines issued this year:
https://dataprivacymanager.net/5-biggest-gdpr-fines-so-far-2020/
Notice the companies are big corporations like Meta, Amazon, LinkedIn and Uber being hit with fines—companies that have a physical presence in the EU. But you never really hear of any small companies outside of Europe paying fines.
This goes back to enforceability. Let's say you're a small business in Ohio and you violate GDPR and they want to fine you. What happens if you don't pay?
- You don't have a physical office in the EU, so they can't shut your location down
- You don't pay taxes or operate as a registered business in the EU, so they can't revoke your business license
- The legal system in your state has no laws, processes, or obligations to adhere to the laws of the EU, so asking the local court system would go nowhere
Maybe they could block your site or service in the EU, but the internet service provider (ISP) may not have the requirements or means to do so. The biggest example of the GDPR fining a non-EU company is when they fined the New York-based company Clearview AI 30 million euros, a fine Clearview has repeatedly ignored. Enforcing their laws on other countries and systems is incredibly difficult.
Does It Contradict Laws Other Countries Have?
Here is the most contentious question around imposing the GDPR globally: what if it contradicts the laws of another country?
In India, the "Originator or Traceability" law requires significant social media intermediaries with over 5 million users in India to identify the first originator of a message within the country when compelled by a court or government order. This same requirement can also be extended to smaller intermediaries if the government determines their platform poses a material risk to national security or public order.
This law directly contradicts GDPR principles, so who should be right? If GDPR says it's right, then it's effectively practicing legal colonialism by placing its expectations onto other countries. This example is only one of many; both the US and China have their own laws that contradict the GDPR as well.
Wrap Up
This article is not legal advice of any sort and should not be thought of as such. The questions surrounding GDPR's global reach touch on fundamental issues of sovereignty, ethics, and the practical realities of enforcing laws across borders in our interconnected digital world. As game developers and marketers, understanding these complexities is crucial for making informed decisions about data collection and user privacy in your products.