How esports survived the huge wave of GDPR changes. Nataliia Dyka

Long ago one of the first esports tournament happened at the Stanford University where students competed on the video game Spacewar. No sponsors, professional players, thousands of dollars in prize money, broadcasting or other benefits of the present times. The winner (Stewart Brand, 33 years old, a biology student) received his slice of the fame pie and a year long subscription to the Rolling Stones magazine. It is no surprise that we could not find a word about participants personal data protection. No one cared about such things fifty years ago, but times have changed.

Last year, the total esports prize money awarded out amounted to $ 156,950,956.51 million from a total of 3,554 tournaments according to the Moreover, the spectacular growth of the esports market gave rise to the organizations, the only aim of which is to collect and process gameplay statistics. For example, DotaBuff collects and processes millions of data sets from Dota 2 allowing esports analysts to track an esports player’s KDA (kills-deaths-assists) similar to a basketball player’s PER (player efficiency rating). Before adoption of the GDPR, such data collectors took an advantage of the game developers week privacy policies and had a free access to the players’ game history, including personal data. Things changed on 25 May 2018 when the GDPR was adopted.

General Data Protection Regulation (GDPR) is a new set of rules designed to give EU citizens more control over their personal data. Personal data are any information which is related to an identified or identifiable natural person, e.g. name, identification number, location data, telephone, credit card, email, address, etc. In practice, these also include all data which are or can be assigned to a person in any kind of way, thus, your game score history also might be subject to the personal data protection. Consequently, since May 2018 all esports market players have to ensure that their activities comply with the GDPR.

As far as personal data are collected in great amount from the players and then processed by the game developers, streaming and gambling sites, coaches and statists, esports industry becomes particularly vulnerable to the GDPR. Now esports market players may be divided into several groups: one is trying to comply with the GDPR by amending privacy policies and FAQ pages while the others decided to shut down their projects thus eliminating risks of punishment for the non-compliance. For instance, the multiplayer back-end system of the Super Monday Night Combat by Uber Entertainment was not GDPR compliant, and the cost to make it compliant exceeded the budget allocated to the game. That was the way GDPR said “game over” to this MOBA game.

One more challenging issue for the esports is the acceptable age of the players. It is not a surprise that there are a lot of children in the esports industry and their personal data have been always collected and processed the same way as adults’. But now, according to the GDPR, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorized by the holder of parental responsibility over the child. In the real life it is quite difficult to obtain such consents, that is why the majority of the data collectors are establishing a 16 years old age barrier for all players.

Now it’s obvious that the GDPR has affected many countries even outside of the EU. Governments of these countries adopted or are considering adopting their own versions of the GDPR. This is a positive trend. What shall we expect in the esports industry? Thousands of amended privacy policies, hundreds of claims and millions of questions regarding personal data protection. Living in the digital times is both exciting and challenging. Good luck to everyone with GDPR compliance.