Data compliance in online gaming

By Jeff Yang, Wang Jing & GH Law Firm

China’s Data Security Law and Personal Information Protection Law, two important laws in the field of data compliance, were released one after another in 2021, installing both monitors and safety nets for companies’ data processing activities and users’ rights and interests in personal information.

Together with the Cybersecurity Law, they form the legal backbone for network and data security in China. Under this framework, the gaming industry, as a data processing subject that collects and uses a large amount of user information, is also facing compliance challenges.

Regulatory provisions

In addition to the legal framework of the above-mentioned “big three laws”, there are also new rules, standards and guidelines that refine the data compliance requirements, some of which have special provisions for the gaming industry.

For example, the Provisions on the Cyber Protection of Children’s Personal Information, which came into effect in 2019, further safeguard the security of children’s personal information when they use gaming products.

The Measures for the Determination of the Collection and Use of Personal Information by Applications in Violation of Laws and Regulations, released later, are referenced by gaming companies on how to avoid applications being determined to have illegally and unlawfully collected and used personal information.

The Provisions on the Scope of Necessary Personal Information Required for Common Types of Mobile Internet Applications, which came into effect in 2021, define the scope of the necessary personal information that can be collected by gaming products.

Basic principles

When processing personal information, gaming companies should follow the principles of lawfulness, transparency and minimum necessity. In principle, gaming companies should not collect and use the personal information of users until and unless the users are made fully aware of what personal information is being collected and have given their consent.

After collecting users’ personal information, gaming companies should immediately anonymise it, and take technical and management measures to separately store information used to restore identification of specific subjects.

Within the scope of the user’s consent, his or her personal information should be stored for the shortest time necessary to achieve the purpose of processing, and after exceeding the time limit, the personal information should be deleted or anonymised.

Companies need to strengthen the system design process for data protection and risk monitoring, and should carry out risk assessments regularly. For specific system design, normative documents such as (1) the Information Security Technology: Personal Information Security Specification; and (2) the Information Security Technology: Big Data Security Management Guidelines may serve as references.

Special circumstances

In addition to the above-mentioned basic principles, the following issues require special attention in light of the special circumstances of the collection of users’ personal information in the gaming industry.

Definition of the scope of minimum necessary personal information.
According to articles 4 and 5(18) of the Provisions on the Scope of Necessary Personal Information Required for Common Types of Mobile Internet Applications, the basic functional service of online gaming applications is “providing online game products and services”, and the necessary personal information is “registered user’s mobile phone number”. Applications should not refuse to allow users to use their basic functional services because they do not agree to provide any non-necessary personal information.

According to the above-mentioned provisions, except for mobile phone numbers, gaming companies are in principle prohibited from refusing to provide gaming products and services to users because they do not agree to provide other personal information, such as that about the users’ personal hobbies, geographic locations and level of education; otherwise, the companies would be suspected of having violated the principle of minimum necessity.

However, those provisions appear to be inconsistent with the content of the Notice on Preventing Minors from Becoming Addicted to Online Games, which was issued by the National Press and Publication Administration. Article 1 of the notice states that “the real-name registration system for online game user accounts should be implemented, and all online game users are required to use valid identity information before registering for a game account”.

Although the above-mentioned provisions and the notice sit at the same level of the legal hierarchy, since the latter is a special provision aimed at preventing minors from becoming addicted to games, companies should not in principle be regarded as violating the former for compelling users to carry out real-name registration.

Compliance of sensitive personal information such as that of minor users.
Sensitive personal information processed by gaming companies generally includes: users’ identity cards; virtual property information such as virtual currency, virtual transactions and game redemption codes; and personal information of minors under the age of 14.

The processing of such sensitive personal information is subject to more stringent compliance requirements, including that the user (or his/her guardian) be informed of the necessity of processing sensitive personal information, and of the impact on the user’s rights and interests.

Such processing must not be carried out until the user’s consent has been obtained, and an assessment of the impact on the protection of personal information must be carried out before the processing, with records of the assessment report and the processing situation preserved for at least three years. Specialised rules should be formulated for processing the personal information of minors under the age of 14.

Some gaming companies have not formed special privacy policies for processing the personal information of minors under the age of 14, or have obtained only a general consent to the processing of sensitive personal information through the regular privacy policy.

Others have shared users’ virtual properties with affiliated companies without the users’ consent, or they have used such property for further marketing analysis. All these acts constitute processing of users’ sensitive personal information in violation of laws and regulations.

Jeff Yang is the director of Wang Jing & GH Law Firm

Wang Jing & GH Law Firm
14, 17/F, Central Tower
5 Xiancun Road, Zhujiang New Town
Tianhe District, Guangzhou 510623, China
Tel: +86 20 3564 1888
Fax: +86 20 3564 1899
E-mail: yj@wjngh.cn
www.wjngh.cn
