Tanya Forsheit is a partner at Frankfurt Kurnit Klein & Selz and the co-chair of the firm's Privacy & Data Security Group. She is considered one of the leading privacy and data security counselors and litigators in the world. At DICE Europe, she'll be discussing how game developers should embrace big data in order to build robust communities. In the conversation below, Forsheit touched on some the issues she'll be discussing at DICE Europe, as well as her favorite television lawyers.
Some gamers have a fear of big data and the companies that collect it. You believe that it's a useful tool for developers to build communities. Why should gamers embrace big data?
I wouldn't expect gamers to have a fear of big data. Big data is the reason why gamers get to game in the first place. It lets them game in the way they expect to do so, meaning it allows them to have robust, interactive platforms where they can interact with other people within the gaming community. They can benefit greatly from it with a relatively minimal cost. Without big data, you wouldn't have the kind of economic environment that would allow developers and publishers to make things available like Pokemon Go, though that's certainly not the only example. Pokemon Go is a free experience to many users and, judging by the numbers, is very attractive to a lot of people.
Even if we were to set aside in-game advertising to pay for games, the use of location data allows for gameplay in augmented reality games that you just can't do without big data. I think that gamers should embrace big data, but recognize that both they individually and the companies collecting information share responsibility. The appropriate use -- the ethical and responsible use -- of data is a shared responsibility.
Your perspective is from a legal background, but there's also a trust factor involved with the collection of big data. How does a developer or publisher go about gaining trust in order to build a community through big data when most gamers don't read the terms-of-service agreements in games?
Gamers are not alone in not reading those things. Very, very few people read them. For those of us on the legal side, it's a constant tension between wanting to provide disclosures that are user-friendly and not your traditional boilerplate privacy policies. It builds trust to present information to a gamer -- or any consumer, for that matter -- in a way that they easily understand and without interfering with their experience. The tension comes from what has to be done, unfortunately, for the regulators and advocates. It's a little ironic, because the regulators and advocates are interested in that trust-building and theoretically support it being user-friendly, but because of the way the law has evolved, there are all these things that have to be included in these documents and that's what starts to create the fine print that nobody understands.
Here's one example to give you a flavor of it. In California -- where we have a lot of privacy laws -- there's a requirement that we include in privacy policies a disclosure about do-not-track signals. This is a largely meaningless disclosure. What it's about is if I'm online using just about any browser these days, I have the ability to send a do-not-track signal. If the website I'm visiting chooses to honor that do-not-track signal, then I theoretically won't be tracked as I navigate through it. Almost no websites respond in any shape or form to do-not-track signals. There was this effort over many years to try to reach a consensus on what it meant to respond to do-not-track signals. It was almost impossible. They couldn't come up with a solution. California got impatient and instead of looking at the substance of the matter -- looking at what's best for the consumers and best for business -- they decided to require putting a disclosure in privacy policies. Now, every single privacy policy out there has this paragraph in it that says "we do not respond to do-not-track signals because there isn't an industry consensus for it." Who cares, right?!? Why do we have to put that in there just to confuse people and make them feel like there's something going on that they don't understand.
The bottom line is that most websites are doing targeted advertising or behavioral advertising based on people's browsing, including gaming sites. That advertising is based on things like your browser type, IP address, and device information. It's not a "Big Brother" type of situation that a lot of consumers are afraid of -- this idea that somebody out there is watching me all the time. It's really not like that. This is a machine-automated process. It's designed to bring people free or low cost services online, using more relevant advertising. And, by the way, even though do-not-track doesn't work, there are ways to opt out of these programs through self-regulatory organizations like the NAI (Network Advertising Initiative) and the DAA (Digital Advertising Alliance). The funny thing is, if you opt out of targeted advertising then you just end up with a lot of advertising that you don't want. It's not an ideal situation, but if people want free or low-cost games or apps then there's a trade-off. People should look at it as benefit that we could never have imagined having 20 or 30 years ago.
You mentioned Pokemon Go earlier. That game had a situation in an early version with users having to allow generous access to their information. Was that situation overblown by the media? Was the press making a big deal about a story when there wasn't really one to tell?
I've seen so much conflicting information about this. The story was, that when it first came out, users that signed up through their Google accounts were having everything collected -- or at least the app said that it could collect everything. That was pretty clear, but was changed. I've seen some stories, including some written by people in the privacy profession, that say the company wasn't actually accessing all of that information. It was really just an error in the disclosure. Even though the app said that it could collect everything, that wasn't actually what was going on. I've seen people that have done the analysis say that the only thing that was corrected was the disclosure and that the activity hasn't changed. It still raises the question of how the disclosure got drafted that way. Somebody should have been paying closer attention to that. It's a good example of how if a gaming company wants to establish trust and build a community that they should be very clear about what information they do and do not collect.
How should game companies approach data collection? What about companies that aren't yet sure about what data will be most effective? Should they over-collect or show some restraint?
That's the $64,000 question that every organization struggles with. Business needs change very quickly. Technology changes very quickly. There's always going to be some initiative where you think you need more data or different data. So there are a lot of people that think they should just err on the side of "we might need this in the future, let's do it." The tide has turned a bit, especially because of the new European laws. It wasn't something those companies had to worry about, but it's changing in a major way. Come 2018, any company that's marketing to European residents or processing data acquired from European residents will have to comply with European law. The laws incorporate the notion of data collection limitation; you can only collect data for a particular purpose. You can't collect it because you think that some day it might be useful to you. Any company that's looking to establish trust should look at data collection in terms of "What do we need now?" and "What do we need for the next year, maybe two years?" They can't look at it in terms of "What could we ever imagine that we'd ever need?"
I've had conversations with clients where I've asked them what they'll be doing with the data they collect and what issues they're trying to solve for their products or services through data collection. Sometimes they can't answer those questions. And honestly, you have to be able to answer those questions. That should inform the data collection and the data use.
Since you're the only lawyer I've chatted with for DICE Europe, I have to ask you who your favorite lawyer is from movies and television.
[Laughs] Okay, this is embarrassing, but it reflects when I came out of law school. I was a big Ally McBeal fan back in the day. It's stupid, but I was a fan. This also reflects my age, but I loved all of the lawyers from McKenzie, Brackman, Chaney and Kuzak -- the firm in L.A. Law. I'm a big fan of Law & Order too, so of course I have to mention Jack McCoy, Sam Waterston's character. He's one of my favorites.