Cloud Gaming and Metaverse: Data Compliance in Gaming Industry

The development of technologies such as 5G, Internet of Things (IoT), cloud computing, big data, artificial intelligence, and virtual reality provides new creative and development opportunities for the gaming industry. In many cases, gaming companies will need to cooperate and integrate software and hardware of third party manufacturers and developers (i.e. game devices, platforms, scenes and applications) in order to deliver new forms of games - such as cloud gaming and metaverse gaming.

These more connected gaming experiences rely upon but also generate massive amounts of data. China’s increasingly stringent protection of personal information means gaming companies have a two-fold challenge –continuously improve game content but also ensure compliance with data protection regulations.

This article will provide an overview of data compliance risks in the gaming industry particularly in relation to cloud gaming and metaverse gaming. In addition, we will also consider special requirements introduced by China to combat child gaming addiction.

I. Cloud Gaming

Cloud gaming run online on remote servers and streamed directly to the player’s device. Traditional gaming runs games locally on the player’s own hardware (i.e. video game console, personal computer, or mobile device).

As the game suggests, cloud gaming is fully reliant upon cloud computing technology. All computing activities during cloud gaming, including data uploading and downloading animation rendering and logical operation are carried out on cloud servers. Cloud servers accept input commands from players via the Internet, and then return processed scenes to the player’s front-end device. Compared with traditional games, cloud gaming does not require devices to have a great deal of memory capacity or processor performance. Moreover, since players do not need to download end user software of games on their devices but simply need to login on the cloud gaming platform, cloud gaming is also an important way promote games.

In the cloud gaming industry: (1) 5G network operators operate a communication network with a high bandwidth, high concurrency and low latency which can provide cloud gaming with a solid network infrastructure; (2) cloud computing service providers, act as the “online CPU + GPU” of cloud gaming to provide a smooth experience for game players; (3) game developers and game operators are mainly responsible for the development and operation of cloud games (including original cloud games or existing off-the cloud games which have been migrated to the cloud) and responsible for continuously updating and maintaining such cloud games; (4) cloud gaming platforms connect game operators and players, enable players to start to play cloud games with a simple click on the click-to-play button on the cloud gaming platforms, and are responsible for the cloud games distribution and user operation; (5) end user devices such as consoles, personal computers and mobile devices then transmit the game scenes to the players.

The fact that cloud gaming has a variety of stakeholders involved makes for complicated data flows.

Data processing roles change depending on the role of the relevant stakeholder.

1. Specific Stakeholders and data flow roles

The main stakeholders involved in cloud gaming data flows are players, cloud gaming platforms, game operators and cloud computing service providers:

(1) Game players are data subjects. They “produce” data such as registration and login information, log information, payment information, and device information.

(2) Cloud gaming platforms provide online click-and-play game platforms for players and are responsible for the integration and distribution of cloud games. Players register and purchase membership and immediately start playing games by accessing online cloud gaming platforms. Cloud gaming platforms record players’ playing activities including:

• Registration and login information: mobile phone number, email, username and passcode, etc.;
• Real-name authentication information (for anti-addiction requirements): mobile phone number, ID number, name, etc.;
• Log information: login log, operation information, interaction records, ID, search and query content, IP address, type of browser, telecom operator, network environment, language used, date and time of access, web browsing records, length of staying online, refresh records, posting records, following, subscribing, collecting and sharing information, etc.;
• Device information: device model, operating system and version, user end version, device resolution ratio, package name, device settings, device identifier (MAC address/IMEI/AndroidID/IDFA/OPENUDID/GUID/ICCID/IMSI), hardware and software feature information, device sensor, IP address, etc.;
• Payment information: specific order number, order creation time, transaction amount, top-up records, transaction and consumption records, payment institutions, logistics companies, etc.; and
• Personalized recommendation information: browsing and search preferences, behavioral habits, location information related features, etc.

After collecting relevant data, cloud gaming platforms themselves decide the purpose of data processing and the processing method. Accordingly, in this sense cloud gaming platforms are “data processors”.

(3) Game operators cooperate with cloud gaming platforms by authorizing gaming platforms to provide access to games and integrating a software and hardware environment for gamers. Players do not need to download software but can rather immediately play cloud games on an online cloud gaming platform. Nevertheless, as the game operators still operate the cloud games, the players will also need to accept the game operator’s privacy policies.

In addition to data collected by cloud gaming platforms, game operators also collect the following information directly:

• Game log information: login log, item log, operation information, game match information, dating records, etc.;
• Game environment and device security information: device identifiers, hardware and operating system information, list of installed applications, process and game crash records, overall game usage, game channel sources, etc. (to detect plug-ins and prevent cheating).
• Game interactive information: text, pictures, voice, video and other ways to interact with other players in the game (to filter pornography, violence, politics, abusive language, malicious advertising and other inappropriate content).

After collecting the relevant data, the game operators can decide on the purpose of processing data and manner of processing and are therefore also “data processors”.

In order to deliver a better gaming experience, it is possible for game operators and cloud gaming platforms to share data. This may include sharing game progress data so as to enable players to re-enter a game and start where they last finished.

(4) Cloud computing service providers are entrusted by the cloud gaming platforms to collect and process players’ personal information, record players’ game process and behavior record, and store relevant game data within the scope entrusted by the cloud gaming platforms. With the assistance of the Internet Data Centers, cloud computing service providers usually have strong computing power, and sometimes are also entrusted by the cloud gaming platforms to provide analysis of the game data. Subject to the authorization and instruction by the cloud gaming platforms on the process of data, the cloud computing service providers are “entrusted parties” in the data entrusted processing relationship.

Data flow and relevant agreements among key roles in the cloud gaming industry

2. Compliance requirements

(1) Privacy policies

According to the PRC Personal Information Protection Law (the “PIPL”), cloud gaming platforms and game operators, as personal information processors need to provide players with "privacy policies" and obtain their informed consent.

Pursuant to the Methods of Determining Illegal Collection and Use of Personal Information by App, Self-Assessment Guide for Illegal Collection and Use of Personal Information by App and Notification on Infringement of User Rights and Interests by APP common non-compliance issues in respect of privacy policies include:

• Privacy policies do not completely list the personal information collected and used, or the personal information listed is not clear and explicit;
• Privacy policies do not insert a list of third-party software development kits (SDKs) applied;
• Privacy policies include unreasonable disclaimer clauses;
• Privacy policies do not provide channels for user complaints and suggestions;
• Privacy policies seek one off consent from players for multiple business functions;
• Privacy policies do not provide effective ways of deleting personal information or canceling user accounts, or the methods provided are too complicated or unreasonable; and
• No specialized personal information protection rules for minors under 14 years old.

These key points must be considered by cloud gaming platforms and game operators.

(2) Data processing agreement

PIPL requires that parties in the data entrusted processing relationships need to agree on the purpose, duration, processing method, types of personal information, protection measures, and the rights and obligations of each party, and have these set out in a “data processing agreement”[1].

In addition, PIPL also requires when there is joint data processing then all processors need to agree on respective rights and obligations[2]_. PIPL does not explicitly require data processors to enter into data processing agreements with data recipients (not joint data processors) in cases of data sharing. However, the national standard Information Security Technology - Personal Information Security Specification (GB/T 35273-2020) clearly states that when sharing or transferring personal information, the responsibilities and obligations of the data recipient should be stipulated through contracts and other means[3].

Practically, on the one hand data processing agreements facilitate relevant parties to clarify their relationship and respective rights and obligations under the data entrusted processing, data joint processing, and data sharing scenarios. On the other hand, data processing agreements serve as the necessary supporting documents for the party providing personal information to meet specific compliance requirements (such as conducting personal information protection impact assessment under the data entrusted processing and data sharing scenarios).

As for the cloud gaming industry, there is data entrusted relationship between cloud gaming platforms and cloud computing service providers and there may be a data sharing relationship between cloud game operators and cloud gaming platforms. It is therefore suggested that data processing agreements shall be concluded between relevant parties to regulate corresponding data processing activities.

II. Metaverse Gaming

The concept of “metaverse” originates from Neal Stephenson’s science fiction novel, Avalanche, which describes a virtual world independent of the real world but which can interact with the real world. Humans can socialize, work and play by way of digital virtual images.

Metaverse games are immersive, open and decentralized. They are based on technologies such as blockchain, virtual reality (VR), augmented reality (AR), and cloud computing[4]. The metaverse games rely heavily on wearable VR devices, somatosensory interactive devices, and other intelligent devices which collect massive volumes of real-time sensitive personal information such as location, torso movements, eye rotations etc. This means metaverse games can entail a serious risk to personal information security and as a result metaverse gaming companies need to take data security and privacy protection very seriously.

1. Virtual images reveal a large volume of personal information

Similar to traditional large-scale online games, players generally have a 3D virtual image in the metaverse games. This image is more vivid and life-like compared to gaming’s traditional 2D image. Metaverse games can generate virtual images of players based on photos uploaded or taken by players or by using facial recognition functions. Players can also “create” their faces as they wish, or even use non-human images such as animals as their virtual images.

(1) Processing facial images

When playing metaverse games, facial recognition technology is used when players produce their 3D virtual images by uploading photos or directly photographing their faces. Such facial recognition technology captures players’ facial feature points, performs facial profile description, and in this way generates virtual images. Facial features, together with genes, fingerprints, voiceprints, palm prints, auricles, and irises, all fall within the category of personal biometric information[5]. Under the PIPL, biometric information is protected as sensitive personal information[6], which can only be collected and processed by the personal information processors after obtaining separate consent from the relevant personal information subject[7].

If a game company obtains players’ “implied consent” in a covert way, for example, by pre-checking consent, or by bundling the act of capturing facial features with other functions or processing activities to obtain players’ consent (“bundled” consent), these methods affect the players' right of providing a separate consent under the PIPL.

Several Issues Concerning the Application of the Law to Civil Cases Involving the Processing of Personal Information by Using Facial Recognition Technology issued by the Supreme People’s Court in June 2021 also stipulates that it is not sufficient to rely upon an individual’s bundled consent to process his or her facial information[8].

PIPL requires that the storage period of personal information shall be the shortest time necessary for the purpose of processing[9]. In other words, metaverse game companies can only keep players’ facial information for the minimum time necessary for the players to participate in the game. Absent other reasonable reasons, metaverse game companies must take the initiative to delete relevant personal information after the relevant game services have been provided.

The national standard Information Security Technology - Personal Information Security Specification (GB/T 35273-2020) puts forward stricter requirements for the storage of facial information. In principle, companies should not store the original personal biometric information, such as the original collected facial images; if storage is necessary, companies should only store the summary information of the facial images, that is, the original facial images should be technically processed so that the stored information cannot be reversed to show the original facial image[10]. In addition, when transmitting and storing facial information, requires companies to take security measures such as encryption to prevent facial information from being leaked, tampered with, or lost[11], and store facial information separately from players’ identity information[12], so as to avoid damages to players caused by information leakage as far as possible.

(2) “Virtual interactive information” may constitute personal information

As the metaverse world is highly immersive and vivid, many players almost live a “second life” and therefore may unintentionally disclose large amounts of personal information. In addition to the players’ virtual images, the players’ activities in the metaverse world lead to traces being left on various apps in the real world. When information derived from the metaverse world is correlated with the real world, then this can all constitute personal information. For example, a player may post photos of what he or she ate in the real-world restaurant and may then “eat” at a restaurant in a metaverse game which serves the same food as consumed in the real world. if a player is often online during the day on weekdays in a metaverse game this may indicate the player’s occupation. If someone pays attention, he or she may find many connection points that can identify the real world identity behind the virtual image.

According to the PIPL, personal information includes all kinds of information relating to identified or identifiable individuals recorded by electronic or other means[13]. According to the national standard Information Security Technology - Personal Information Security Specification (GB/T 35273-2020), to determine whether a piece of information is personal information, the following two paths should be considered: (1) identification, i.e., from information to individual, whether a specific individual could be identified by the specificity of the information itself, or whether personal information could help to identify a specific individual; or (2) association, i.e., from individual to information, such as information generated by a specific individual’s activities (e.g., personal location information, personal call records, personal browsing records, etc.) is personal information[14]. Therefore, certain virtual interactive information generated in the metaverse games may be personal information if it may, either alone or together with other information, identify an individual or is associated with an individual.

Metaverse games are usually built on the blockchain which normally guarantees user anonymity. However, in China the government still require blockchain information service providers authenticate the real identity of a player[15]. Game operators should therefore focus on protecting a player’s real-name authentication information or other personal information strongly associated with the player’s real world identity. In addition, game operators should take specific security measures to reduce risk to a player’s personal and property security which may be caused by an excessive exposure of personal information. One means to reduce such risk is for the game operator to store identity information of players separately from other types of information, or have identity information stored anonymously.

2. Difficulties in deleting data from the blockchain completely

(1) Challenges

Blockchain is considered to be one of the main pieces of infrastructures in the metaverse. It is essentially a decentralized database that uses cryptographic algorithms for distributed data storage to enable the data generated by each on-chain action to be divided into several data blocks and stored separately. Metaverse game companies are seeking to create a “blockchain ecosystem” by building games on the blockchain. Putting games on-chain opens up the possibility of having different metaverse games being integrated as well as having currencies in respective metaverse games able to be exchanged like currencies are in the real world. This would be a major step towards a “one world” of gaming[16].

Blockchain technology’s most distinctive features are decentralization and immutability. However, the decentralization and immutable nature of blockchain is a challenge for Internet ecological governance and personal information protection.

The first challenge is that the data is stored in multiple different blocks so that attempting to delete the data corresponding to a certain event requires accessing and deleting all data in all relevant blocks. This is much more difficult than requiring the game operator to delete data stored locally.

The second challenge is that blockchain technology makes it difficult to achieve complete "deletion"- each modification of the data uploaded on the blockchain will pack a new block and hide the previous block. This means that even if the user cannot access the original data, such original data still exists on the blockchain[17]. This could mean that false information released by a player, traces of account de-registered by a player or data forbidden by a game operator may still be permanently stored on the chain.

(2) Compliance requirements

Metaverse game operators, as a personal information processor is under an obligation to delete personal information in a timely manner. The PIPL lists four situations in which personal information should be deleted[18], which are:

• The processing purpose has been achieved, or it cannot be achieved, or it is no longer necessary to achieve such purpose;
• Personal information processors stop providing products or services, or the storage period has expired;
• The individual has withdrawn the consent; or
• Personal information processors process personal information in violation of laws, administrative regulations or the agreements.

The aforementioned deletion situations have the following exceptions, and under such exceptions, the processors of personal information shall stop processing the personal information except for storing and taking necessary security protection measures[19]:

• The storage period stipulated by laws and administrative regulations has not expired. For example, it is stipulated in the Notice of the National Press and Publication Administration on Preventing Minors from Becoming Addicted to Online Games that online game companies must properly store and protect the real-name registration information provided by users strictly in accordance with relevant laws and regulations, and such information shall not be used for other purposes[20]; or
• It is technically difficult to delete personal information, such as deleting on-chain data.

(3) Possible solution

In practice, personal information processors may take technical measures to anonymize (or highly de-identify) data. This means the original data cannot be directly identified to a specific individual.

As for metaverse games, for example, when a player cancels his account, it is difficult for the operator to delete all data corresponding to such account, but the operator can take corresponding technical measures to block the “link” between such data and the player’s identity. Doing so makes it difficult for others to identify the data subject even with access to the relevant data. Metaverse game operators may also decide not to upload personal information collected from players on the blockchain but rather store such personal information in an off-the-chain database to reduce the difficulty entailed in deletion.

III. Protection of Minors

Under PRC law minors have special and enjoy priority protection[21]. Personal information of minors under the age of 14 is defined as sensitive personal information under the PIPL[22] and personal information processors shall comply with stricter protection requirements for such sensitive personal information.

In addition, in order to prevent minors from being addicted to online games, China has implemented real-name authentication and anti-addiction system for online games since 2007[23]. This requires all online games to be connected to the online game real-name authentication and anti-addiction system of the National Press and Publication Administration[24]. The real-name authentication function is achieved through the Ministry of Public Security’s ID number inquiry system[25].

Considering the above special requirements on protection of minors, personal information protection issues need to be considered by the game operators when processing minors’ personal information and can often be complex.

1. Consent from the guardian

As required by the PIPL, when processing personal information of minors under the age of 14 (“children”), the processors must obtain the consent of the children’s parents or other guardians (“guardians”)[26].

In practice, it is not easy to verify the authenticity of consent from guardians. Some game companies collect guardians’ email addresses, cell phone numbers and other contact information, and thus send verification information to guardians to confirm the authenticity of the guardianship relationship. Some game companies may even collect more information from the guardians such as their names, ID numbers, and household registers to confirm the guardianship.

Game operators collect contact information and proof of guardianship for the purpose of verifying the authenticity of the guardianship relationship, and for the purpose of obtaining the guardians’ consent to process children’s information. Therefore, according to the principle of “minimal necessity” for collecting personal information, game operators shall delete personal information obtained from guardians in a timely manner after achieving their purpose[27].

However, since children’s personal information is sensitive personal information, if a child demands more services involving the processing of personal information while playing a game, then each processing activity will require separate consent from their guardian. In order to provide game services to children legally and efficiently, practically, game operators often store the contact information of guardians to enable consent requests from time to time. It should be noted that documents proving the guardianship relationship, such as the household register and guardian’s ID card, are not necessary to contact the guardian. Therefore, game operators should delete such information in a timely manner after the processing purpose has been achieved.

2. Real-name authentication and facial authentication

Regulatory requirements that players pass real-name authentication before being able to play online games mean that game operators must collect a player’s real-name for verification purposes. Game operators generally authenticate identity by collecting players’ names, ID numbers, valid ID documents (such as ID card, household register or driving license) and cell phone number, and by using the Ministry of Public Security’s ID number inquiry system.

In addition to obtaining the consent, the PIPL also requires the processing to be necessary for the performance of a statutory duty or obligation. Therefore, theoretically, game operators do not need to obtain an individual’s consent for personal information collected for real-name authentication as required by law. Nevertheless, in practice, most game operators still seek consent from players in their privacy policies for real-name authentication as well as all other personal information collected during the game.

Theoretically, after game operators realize the purpose of real-name authentication, they should immediately delete the personal information related to real-name authentication as the purpose of processing such personal information has been achieved and obtain the consent of the players[28]. However, since the National Press and Publication Administration requests that game operators store information on real-name authentication[29], and for the convenience of lost account recovery, account dispute settlement and other services, game operators usually will store authentication information. Given that name and ID information are sensitive personal information[30], game operators should take strict security measures and access control measures to prevent the leakage of such information and any damages caused to individuals therefrom.

In addition, as minors may masquerade or borrow the identity information of an adult to circumvent restrictions, some game operators combine facial verification with identity verification to confirm consistency of a player’s registered and actual identity. When a player logs into the game, or under game scenarios such as recharging, consuming, or trading, then camera access may be requested by the game operator to take real-time photos or videos of the players’ face. Thereafter , game operators will compare a player’s identity information collected at the registration stage with the ID number inquiry system of the Ministry of Public Security to confirm identity. Facial information is sensitive personal information[31], and game operators should obtain separate consent from players before activating facial verification[32]; and for players identified as children, operators shall obtain separate consent from their guardians[33].Part II of this article provides more details on the requirements of processing facial information.

3. Specialized rules for children’s personal information

PRC law requires personal information processors to make specialized rules for processing a child’s personal information[34]. As a result, game operators often formulate separate rules for processing personal information of children in addition to their general privacy policies. Typically, such rules will include a notice to guardians.

4. Personal information protection impact assessment

Under the PIPL, it is required to carry out a personal information protection impact assessment before processing sensitive personal information or entrusting others to process the personal information or sharing or transferring personal information to other processors[35]. The personal information protection impact assessment should assess the processing purpose and methods, the impact on individual rights and security risks, and whether the security measures taken are legal, effective, and appropriate to the level of risk[36].

As children’s personal information is considered to be sensitive personal information, this means game operators will need to attach special importance to a child’s personal information and carry out a personal information protection impact. Although game operators are the subject of the personal information protection impact assessment, the assessment scope should not only focus on game operators’ security capabilities, but also security capabilities of other parties which access the data under entrusted processing or data sharing arrangements.

In addition to the personal information impact protection assessment, game operators may be subject to additional obligations in the future. One example, is that according to the Regulations on the Protection of Minors on the Internet (Draft for Public Comments), important Internet platform service providers with a large number of minor users and significant influence on minors are required to regularly conduct impact assessments and are required to publish annual social responsibility reports[37].

Conclusion

The rapid development of the digital economy provides gaming companies with new platforms and development opportunities but also new compliance challenges.

At the same time when game companies continue to promote the growth of new types of games which take place in more all-encompassing worlds they also need to consider how to manage the data compliance risks that arise in the real world.

Games which are increasingly sophisticated and interconnected need access to lots of player personal data in real time. This flow of massive amounts of data comes up against a China which is exercising strong supervision over personal information. In order to flourish the gaming industry will need to continuously be aware of data compliance and plan accordingly.

Thanks to Mi Hualin (Intern) for her contribution to this article.

 Scan the code to download the article