The EU Privacy Regulation will oblige gaming affiliates to comply with stringent requirements in the processing of players’ personal data.
In several previous blog posts I have already discussed the EU General Data Protection Regulation (GDPR) and how it is going to represent a groundbreaking change in the approach to privacy compliance. This change of approach will also impact gaming affiliates, and consequently how they are selected by operators.
Why gaming affiliates will be obliged to take privacy seriously
The new approach to privacy compliance is due not only to potential sanctions, which will be increased to 4 percent of the global turnover and can be issued both against operators and affiliates, but also because the potential loss of players’ data (a so-called “data breach”) might lead to major liabilities and damages, including reputational damage, for both operators and affiliates.
Indeed, in the case of a data breach, affiliates will be obliged to notify the operator “without undue delay after becoming aware of a personal data breach”. This wording seems quite flexible, but since operators are obliged to notify the relevant privacy authority of a data breach “not later than 72 hours after having become aware of it”, an affiliate that is unable to identify a data breach and notify the operator of it within less than 72 hours of its occurrence might be considered to have shown evidence of a lack of compliance with privacy regulations.
Also, in some cases, notification of a data breach shall be extended to players, which will further increase the potential damage (including reputational damage) for both affiliates and their operators. This is also because, in case of claims from authorities and players, affiliates will have to prove that they have done what privacy laws require of them, as the burden of proof will be on them to show privacy compliance according to the so-called principle of accountability.
The main principles on the matter above can be summarized as follows:
- players can file direct claims for breach of their privacy rights against both operators and their gaming affiliates if the breach is the result of the conduct of affiliates;
- gaming affiliates’ liability arises only if they did not comply with the obligations imposed specifically on data processors by the EU General Data Protection Regulation or did not act within the scope of the lawful instructions of the operator;
- the burden of proof of showing privacy law compliance is on the gaming affiliate, which shall prove that it was not liable;
- in cases involving more than one operator or affiliate, each of them is liable for the full amount of the damages;
- gaming affiliates are liable for the misconduct of the sub-affiliates appointed by them, i.e. of the network of affiliates reporting to a “master” affiliate.
Why operators will start scrutinizing the privacy compliance of their gaming affiliates
Up until now, my personal experience has been that there was a tendency to draft data processing agreements in a standard format which was used for any type of supplier, including gaming affiliates that were often not even appointed as data processors, regardless of the categories of data and the modalities of the data processing activity that they were meant to perform.
The scenario completely changes with the EU Privacy Regulation, which will oblige operators to renegotiate all data processing agreements. Indeed, the GDPR provides a detailed list of instructions that have to be contained in the agreement.
How long is the line of processing?
Gaming affiliates shall be instructed to “not engage another processor (i.e. another sub-affiliate) without prior specific or general written authorization of the controller (i.e. of the operator)”. This is a principle which “in theory” is already in place, but there are affiliates where the “line of data processing” is made up of more than five entities that were sometimes almost totally ignored by the operator, which had not even been notified of their identity. The EU Data Protection Regulation introduces more flexibility in appointing sub-affiliates, but such flexibility still requires that operators are able to have, at any given time, a full picture of the data processing activities performed on their behalf.
Is data kept secure and do operators have full control over data breaches?
Gaming affiliates are required to comply with the same “appropriate technical and organizational measures to ensure a level of security appropriate to the risk” that are imposed on the instructing party (i.e. the operator). But how can gaming affiliates or their sub-affiliates, which are sometimes very small organizations, comply with these measures? Will this oblige operators to more carefully select their gaming affiliates?
Reviewing the level of compliance of gaming affiliates with privacy laws, which is currently either not performed at all or carried out only in relation to very large affiliates, will become an obligation to be performed periodically (e.g. annually). If an affiliate is not able to ensure privacy compliance, operators will be obliged to either terminate the relationship or face the risk of potential liabilities.
How are audits performed?
The GDPR requires that gaming affiliates commit to making available to the controller all information necessary to demonstrate compliance with its privacy obligations and allow for and contribute to audits, including inspections, conducted by the operator or another auditor mandated by the operator.
This obligation is reinforced by the need for gaming affiliates to keep a “record of all categories of processing activities carried out on behalf of a controller”. Therefore, a gaming affiliate that processes personal data on behalf of several operators shall keep a separate record of the categories of processing activities carried out on behalf of each of its operators.
How shall gaming affiliates be selected by operators?
Because of the scenario described above, operators might be required to perform much more detailed due diligence before selecting their gaming affiliates. Data protection authorities have not yet accredited certification entities which might certify the level of privacy compliance of their clients, but such certification is likely to become a “must-have” in the long term, or will at least represent a competitive advantage.
Regardless of the presence of any sort of certification, it is recommended that – at least prior to the effective date of the EU General Data Protection Regulation – operators:
- map all their gaming affiliates and their sub-affiliates that shall be disclosed;
- oblige those entities to provide the registry of data processing activities required by the GDPR, outlining – among others – all the data processing activities performed on behalf of the operator and the measures put in place to protect personal data;
- exclude those gaming affiliates that are too small or reluctant/unable to comply with the GDPR privacy obligations, requiring affiliates to have a very limited line of sub-affiliates;
- provide – even remotely through webinars with multiple questions – training to gaming affiliates on the measures required by the GDPR and repeat such training at least every other year;
- enter into a new data processing agreement with each gaming affiliate meeting the requirements of the GDPR;
- perform periodic random audits and have in place technical measures aimed at identifying potential illegal access or processing of personal data processed on their behalf; and
- require each gaming affiliate to send, at the end of each year, the updated version of the registry of point 2 above together with a completed checklist showing their full compliance with the GDPR and the absence of any data breach or lack of compliance to report.
I expect there to be a transitional period of adjustment, but the first sanctions and the potential negative publicity might be a relevant driver for the change in the approach to privacy compliance.