Should gaming operators be held to similar consumer data privacy protection standards as banks? The Consumer Financial Protection Bureau (“CFPB”) thinks so. The CFPB released a report in April, claiming that the billions of dollars per year that flow in and out of virtual worlds make gaming operators akin to traditional banking and payments systems. See our analysis on the CFPB’s proposed treatment of in-game currency as fiat currency here. As a corollary, the CFPB posits that gaming operators should be held to the same data privacy standards as the banking industry. Gaming operators should take notice of this report and bolster their cybersecurity and data sharing disclosures, as reports like the CFPB’s historically proceed agency investigative and enforcement actions.
The CFPB’s report highlights the agency’s concern with the gaming industry’s lax cybersecurity and privacy practices. Online games process lots of data about their users, including location data, biometrics, financial information, gameplay, and interactions with other gamers. Game operators can “generate an accurate portrait of a gamer’s offline identity” by combining gaming data, social media accounts, and third-party sources. The proliferation of AR/VR/MR headsets add even more data to the mix, particularly a player’s physical movements like eye gaze and gait analysis.
The CFPB points to a few specific instances where gaming operators use personal information to “take advantage of players’ proclivities to entice more spending.” For instance, the CFPB warns that gaming companies use personal data to offer the highest price that a given user is willing to spend on an in-game experience, a practice known as discriminatory pricing or dynamic odds. The CFPB report also flags behavioral advertising as problematic, particularly when gaming companies target ads by leveraging player behavior with sensitive personal data.
Beyond the gaming operators themselves, the CFPB report reflects the agency’s concern over third-party marketplaces that cash out in-game assets into fiat currencies. These third parties are known to have weak cybersecurity guardrails and have been victim to several data breaches and hacks, pointing to an “industry-wide security issue.”
Finally, the CFPB aims to ensure that gamers, particularly children and their parents, are fully aware of how gaming operators process and sell their personal information. Game operators should take caution when monetizing and sharing sensitive consumer data without the proper cybersecurity and privacy guardrails in place.
