2 Skadden, Arps, Slate, Meagher & Flom LLP and Affiliates
June 2020
The CCPA also requires businesses to (a) provide notice of
data sharing/sale opt-out rights to consumers, and (b) obtain
affirmative consent to the sale of information from users under
16 years of age (and consent from a parent/guardian for users
under 13). In other words, while the default scheme is implied
consent with users affirmatively opting out of data sharing,
for users under 16 the default is that sale and sharing are not
permitted unless the user (or his or her parent/guardian, if the
user is under 13) opts in.
In the event a company fails to comply with these requirements,
the CCPA provides for both government enforcement as well
as a limited private right of action in the case of data breaches.
The California attorney general may seek civil penalties of up
to $2,500 for each CCPA violation (measured by each instance
of any specific provision or requirement being violated), or
up to $7,500 for intentional violations.
1
Additionally, California
consumers may bring a private right of action for data breaches
involving nonencrypted and nonredacted personal information,
where the company failed to implement reasonable security
procedures. Under such private actions, impacted consumers
may seek either their actual damages or statutory damages of
between $100 and $750, whichever is greater. Thus, because
of the availability of statutory damages, consumers who have
been impacted by a data breach may recover from noncompliant
companies even without a showing of harm.
CCPA’s Impact on the Video Game Industry
Beyond the general impact of the CCPA — requiring all compa-
nies to ensure that their data collection, retention and sale/
sharing policies meet the CCPA’s requirements — companies
involved in the video game industry are likely to experience
more specific consequences in at least three ways.
First, the CCPA’s requirement of obtaining affirmative consent
for the sale of data from any user under 16 will likely have a
disproportionate impact on the video game industry, given
the popularity of video games with younger audiences. And
while many companies already take steps to limit their data
collection practices for users under 13 (as required under
the Children’s Online Privacy Protection Act, or COPPA), the
strategies employed to do so may not be feasible or desirable
for users in the 13-16 age bracket. For example, an online game
may age-gate its service so only users who are 13 years of age
1
It should be noted that the CCPA provides a 30-day cure period before the
attorney general may seek such fines against a company.
or older can play; doing so restricts the player base to some
degree, but the company is able to collect the same data from
all players, without concern of violating COPPA. However, this
same strategy of age-gating may not be feasible with respect
to players 13-16, as such players may (depending on the game)
represent a large percentage of the player base. While compa-
nies may be able to avoid the need to age-gate by segregating
the data collected from users ages 13 to 16 — thus ensuring
that such data is not mistakenly sold without consent — these
additional steps may not be feasible or cost-effective.
Second, the CCPA’s broad definition of “personal information”
implicates certain activities that video game companies might
not typically associate with the collection of personal data,
particularly in the esports and streaming contexts. For example,
biometric information about a game’s player, such as keystroke
patterns, recognition and click speeds, and logon/logoff times,
could all fall under the CCPA definition of “personal informa-
tion” if they can be uniquely identifiable. Esports companies
may be interested in collecting and storing such data for
purposes completely separate from their typical data collection
practices — for example, as a means to identify and root out
cheating. Similarly, streaming services may be interested in
collecting information about a user’s preferred channels or
time spent watching a particular stream to better tailor their
service to the user. Indeed, even a company hosting an esports
tournament or gaming event may inadvertently collect personal
data by recording who is watching the event, or who is inter-
acting with the company’s social media posts regarding the
event. While the mere collection of this information does not
in itself violate the CCPA, the fact that a company is collecting,
storing and potentially sharing this information would require
that company to comply with the CCPA and be aware that such
information is subject to the CCPA’s regulations.
Finally, the effects of the CCPA may be particularly acute for
companies in the mobile and free-to-play gaming space, which
often rely heavily on consumers’ data as a source of revenue.
It is worth remembering that the CCPA is specifically directed
to any company that earns more than half its annual revenue
from selling customers’ personal data, or collects information
from more than 50,000 consumers or household. Thus, a free-
to-play or mobile game developer that supports itself with ad
revenue tied to consumer data may need to be CCPA-compliant
even if its annual revenue is relatively low.