#Privacy: US Data Privacy and the esports industry – far from game over

Competitive video gaming (eSports) is a billion dollar industry. Millions of viewers tune in annually to watch players in real-time compete for prize money and bragging rights.

End-users purchase in-game products and exchange information through chat forums and other methods of communication. And advertisers reap the benefits. In short, data is king. And as the eSports industry is poised to grow even further in the years to come, even more data will be collected, used, and shared.

With this growth comes legal challenges. In the United States (US), the eSports industry must navigate a complicated and often overlapping patchwork of data privacy and information security laws. This landscape can present unique compliance challenges for the eSports industry, especially as it relates to minors. And non-compliance can result in significant financial and reputational fallout.

At the federal level, for example, two laws that impact how eSports organizations can collect, use, and share data are the Children’s Online Privacy Protection Act and the Federal Trade Commission (FTC) Act.

Under COPPA, website and online service operators must follow certain requirements if they direct their platform to children under 13, or have actual knowledge they collect personal information online from children under 13.

There are several legislative efforts underway in Washington D.C. to strengthen COPPA, and the Federal Trade Commission (FTC) is increasing enforcement, evidenced by a recently issued a civil penalty of $5.7m USD for a video social networking application accused of violating the law. The FTC also has authority to enforce the FTC Act, which prohibits unfair methods of competition and unfair or deceptive acts or practices in or affecting commerce.

The FTC has brought enforcement actions against organizations that have violated consumers’ privacy rights, or misled them by failing to maintain security for sensitive consumer information.

At the state level, the legal landscape is even more complex. Most states have their own version of COPPA and the FTC Act, and many others are adopting consumer-specific data privacy laws such as the California Consumer Privacy Act (CCPA).

As amended, the CCPA took effect on January 1, 2020 and gives most California residents the right to know what personal information has been collected about them, request that such information be deleted, and to opt-out of the sale of that information to third parties.

The CCPA imposes specific and significant obligations on covered businesses, applies extraterritorially, and carries with it the threat of potential penalties of $2,500 per violation and $7,500 per intentional violation. Over a dozen other US states have introduced similar legislation this legislative year. And extensive discussions are underway at the federal level to adopt a similar standard.

In addition to data privacy laws, there also exists a complex framework of information security standards that may impact eSports organizations. These laws generally require covered businesses to ensure that the personal information they collect is subject to reasonable security practices and procedures, including reasonable administrative, organizational, and technical safeguards.

The CCPA, for example, only allows a private right of action (i.e., lawsuit) if the California resident’s personal information was unencrypted, unredacted, and subject to unauthorized access and exfiltration, theft, or disclosure as a result of a business violating the duty to implement and maintain “reasonable security procedures and practices.”

Although the CCPA does not define the phrase “reasonable security procedures and practices,” the language is derived from another California law that predates the CCPA by almost 15 years. Under that law, the California Attorney General has opined that the California standard for reasonable security procedures and practices means, at a minimum, compliance with the Center for Internet Security’s Critical Security Controls (CIS Controls).

The CIS Controls largely map across to other well-information security frameworks, such as the NIST Framework (a widely accepted 2014 Cybersecurity Framework prepared by the US Department of Commerce’s National Institute of Standards and Technology), the international security standards set forth by the International Standards Organization, and industry-specific frameworks such as the Common Security Framework developed by the Health Information Trust Alliance (HITRUST). Whether that will be the standard in 2020 remains to be seen.

In short, data privacy and information security rules are becoming more complex in the US. And there is no “one-size-fits-all” approach for compliance. eSports organizations must therefore ensure their data strategies and compliance efforts align with the changing US legal landscape, and appropriately balance consumer data privacy with strategic growth goals.

This means each organization must measure their legal requirements through the lens of their own risk tolerance and compliance structure. If they do it right, eSports organizations can help insulate against liability. If they do it strategically, they can position themselves to increase market share. If they do both, they may just win the game.


Join our free-to-attend digital event, Last Thursday in Privacy, addressing data protection, privacy and security challenges including working from home, COVID-19, global regulations and more. Visit https://digital.privsec.info/.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.