Game Republic

Video Game Development and Regulation

Game Republic Affiliate Member – Eaton Smith LLP have kindly shared their take on game regulations, particularly around data, that may impact games companies. Thanks to John Cotterill (@EatonSmithJohn), who works with the corporate and commercial division of Eaton Smith, for sharing his insights. You will be able to hear more legal insights from Chris Taylor from Eaton Smith at GameDevDay on May 10th…


Video game developers need to be aware of the various types of regulations that may apply to the game that they are developing. This note in particular will focus on data protection laws.

Data Protection Laws

As with any UK company, game developers must comply with relevant data protection laws.

If your game is going to utilise or collect the “Personal Data” of players (such as real names, addresses, payment details or any other data that could be used to identify them, including usernames) then data protection needs to be at the forefront of your mind during the development process, as you will be classified as a Data Controller and/or a Data Processor and be subject to data protection laws.

Data protection laws are enforced in the UK by the Information Commissioner’s Office (ICO). The ICO has the power to impose significant fines on those in breach of data protection obligations.

Being a Data Controller and/or a Processor means that you will be subject to obligations relating to (amongst other things):

  • The security of players’ Personal Data. Remember the Sony PlayStation Network breach in 2011? Sony was fined £250,000 by the ICO under past data protection laws for failing to keep its systems secure with regular patches. Data Controllers and Processors must implement appropriate technical and organisational measures to ensure that Personal Data is kept safe.
  • Breach notification. In the event of a data protection breach, Data Controllers should have systems in place to ensure that both the ICO and the players are notified of the breach, and that players are aware of what steps they can take to protect themselves.
  • Lawful, fair and transparent collection of personal data. Personal Data must only be collected and processed where there is a “lawful basis” for doing so. Furthermore, data subjects have the right to be informed as to how their Personal Data will be held and processed (amongst various other rights).

Concerningly, a report into data privacy within mobile games published on 18 April 2023 indicated that of the 269 mobile games analysed, 90% were non-compliant with relevant data protection laws. The games analysed varied in genre, but the main concern was that players were not being given a chance to consent to the use of their Personal Data in the way the developers had designed the systems.

The above shows that developers may not yet fully appreciate the data protection laws that will likely apply to them. Whilst game developers may want to focus on game development, and whilst players likely don’t want to be bombarded with legal documents just so they can play a game, it is important that a balance is reached to ensure compliance.

Beyond fines alone, players may be concerned about the use of their Personal Data. A lack of transparency as to data usage, or concerns regarding data security, will likely lead to a dip in player confidence and, potentially, your sales.

If you require any further advice on any specific point, please get in touch with me via email
