If you intend to release your game on an app store, provide content to users, or collect data from users on your site, you’re going to run into the need for at least two of the three policies above, if not all three. Do you know what they do or how they differ? If so, then enjoy this picture of a piece of cake.
Get it? Because setting up your online presence is a piece of cake! Ha. Ha. Yeah—I love bad puns. For the record, that cake was ridiculously delicious, evidenced by the slightly blurred image, as I was practically drooling in anticipation as I took the picture.
For those who don’t know the difference, trust me, the cake-link-picture was not a lie. I will explain the differences between the three policies, as well as some issues to note for privacy policies, specifically with regards to California (yeah, we’re THAT state).
Privacy policies take up a bit of reading, but the later sections on Terms of Service and EULAs are pretty short in this article.
BUSINESS AND PROFESSIONS CODE SECTION 22575 (the California Online Privacy Protection Act, or CalOPPA).
[Note that you have a grace period to get your stuff together, as stated below]:
An operator shall be in violation of this subdivision only if the operator fails to post its policy within 30 days after being notified of noncompliance.
[Here’s what you have to do as a bare minimum]:
(1) Identify the categories of personally identifiable information that the operator collects through the Web site or online service about individual consumers who use or visit its commercial Web site or online service and the categories of third-party persons or entities with whom the operator may share that personally identifiable information.
[“Personally identifiable information (PII) is any information that can be used to identify, contact, or locate an individual, either alone or combined with other easily accessible sources. It includes information that is linked or linkable to an individual, such as medical, educational, financial and employment information. Examples of data elements that can identify an individual include name, fingerprints or other biometric (including genetic) data, email address, telephone number or social security number.” Note the “combined with other easily accessible sources” part: a device ID or a precise location that isn’t a name on its own can still be PII once it can be tied to one person.]
(2) If the operator maintains a process for an individual consumer who uses or visits its commercial Web site or online service to review and request changes to any of his or her personally identifiable information that is collected through the Web site or online service, provide a description of that process.
(3) Describe the process by which the operator notifies consumers who use or visit its commercial Web site or online service of material changes to the privacy policy for that Web site or online service.
[So when you get an email about Facebook or eBay changing their privacy policies, or see websites put an annoying banner at the top of their site proclaiming they’ve changed their privacy policies, this is why. It protects your backside: if you change your policy and someone later claims they had no notice, you can point to the notification process you disclosed and followed.]
(4) Identify its effective date.
[E.g. whenever you update your policy, state that day’s date. That way people have another way of knowing that it’s the most recent version, and whether there WAS a recent change. It doesn’t matter if you’ve kept the same policy for 10 years; use the date from 10 years ago. Keep a dated copy of every prior version, too, so you can show exactly what a user was told at any given time.]
(5) Disclose how the operator responds to Web browser “do not track” signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information about an individual consumer’s online activities over time and across third-party Web sites or online services, if the operator engages in that collection.
[DNT signals were a good idea to begin with, but since websites aren’t required to honor DNT signals, it is, in my opinion, equivalent to telling strangers on the street, ‘don’t look at me, please.’ As such, the law just requires that you state whether or not you honor DNT signals. If you do, be sure you continue to honor it, and that means every analytics script and third-party tag you load has to respect it as well, not just your own code; otherwise the statement in your policy is false. If you don’t, then that’s generally it, and the user is assumed to be informed about that if it’s in your policy.]
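If you state in your policy that you honor DNT, the server has to actually read the signal and act on it. The following is an added example of that decision, not code from the original post: a request is classified by its DNT header, tracking is allowed only if the posted policy says DNT is honored and the user has not opted out, and the response carries the “Tk” status header from the W3C Tracking Preference Expression draft so the user agent can see what happened. The header object shape (lowercase names, as Node’s http module exposes them), the `honorDnt` flag, the cookie name and the sample requests are all assumptions made for the example.

```javascript
// Added example (not from the original post): a server-side decision on whether
// a request may be tracked, driven by the browser's Do Not Track (DNT) signal.
// Assumptions: `headers` is a plain object with lowercase header names, as Node's
// http module exposes them; `honorDnt` reflects what your posted policy says.

// Normalise the DNT request header. The spec allows exactly "1" (opt out) and
// "0" (opt in); anything else, including a missing header, is "no preference".
function dntState(headers) {
  const raw = headers["dnt"];
  if (raw === undefined || raw === null) return "unset";
  const value = String(raw).trim();
  if (value === "1") return "opt-out";
  if (value === "0") return "opt-in";
  return "unset";
}

// Older browsers exposed the preference as navigator.doNotTrack / msDoNotTrack
// with values like "yes", "no" or "unspecified" instead of "1"/"0". If a front
// end forwards that value to the server, normalise it the same way.
function clientDntOptedOut(value) {
  if (value === undefined || value === null) return false;
  const v = String(value).trim().toLowerCase();
  return v === "1" || v === "yes";
}

// The policy decision. If your privacy policy says you honour DNT, an opt-out
// must win here and in every third-party tag you load; if it says you don't,
// the signal is ignored and the user was told as much in the policy.
function shouldTrack(headers, honorDnt) {
  if (!honorDnt) return true;
  return dntState(headers) !== "opt-out";
}

// Apply the decision to a request and build the response headers. The "Tk"
// response header comes from the W3C Tracking Preference Expression draft:
// "N" = not tracking, "T" = tracking, "D" = disregarding the user's DNT signal.
function handleRequest(headers, honorDnt, visitorId) {
  const state = dntState(headers);
  const track = shouldTrack(headers, honorDnt);
  const responseHeaders = {};
  if (track) {
    responseHeaders["tk"] = state === "opt-out" ? "D" : "T";
    // Only set the cross-site identifier when tracking is permitted.
    responseHeaders["set-cookie"] =
      `vid=${visitorId}; Path=/; Max-Age=31536000; Secure; HttpOnly; SameSite=Lax`;
  } else {
    responseHeaders["tk"] = "N";
  }
  return { track, headers: responseHeaders };
}

// Constructed sample requests (not real traffic), run with a policy that honours DNT.
const samples = [
  { name: "browser with DNT on", headers: { dnt: "1", "user-agent": "Mozilla/5.0" } },
  { name: "browser with no preference", headers: { "user-agent": "Mozilla/5.0" } },
  { name: "explicit opt-in", headers: { dnt: "0" } },
];
for (const s of samples) {
  const r = handleRequest(s.headers, true, "abc123");
  console.log(`${s.name}: track=${r.track} Tk=${r.headers.tk}`);
}
```

The one thing to take from this: `honorDnt` is a single switch that must match the sentence in your policy. If the policy says “we honor DNT” and this flag is false, or a third-party script sets its own cookie regardless of `shouldTrack`, the disclosure required by item (5) is no longer accurate.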
(6) Disclose whether other parties may collect personally identifiable information about an individual consumer’s online activities over time and across different Web sites when a consumer uses the operator’s Web site or service.
[Key words, here, are ‘other parties’. This means you can’t say ‘I don’t know what they do, so I’m not responsible for what 3rd parties do or don’t do on my website.’ If you embed an ad network, analytics provider or social widget, you have to know whether it tracks your users across sites, and say so.]
That’s it. That is the bare minimum of information you have to explain in your policy, in whatever language you deem reasonable or in line with the tone of your website.
Risks With Keeping Too Much Data
Let’s try a metaphor. Say the data you collect are like first edition books loaned to you by your users. They’re valuable items, and for the most part you store them in your library/office in your home. You have easy access to them, and pretty good protection. However, some of the 1st editions you don’t need right now, so you store them in a shed outside. If there’s a fire or a break-in that destroys the house library as well as the shed, you’re liable to your users for both collections, whereas if you had returned the shed books, you wouldn’t have to pay for, or deal with users about, those books at all. Basically you’re taking on extra risk you don’t need by storing information you’re not using. Data you hold but don’t use has no upside for you, but it can still be stolen, leaked or demanded by a court, and every extra record is one more you have to account for after a breach. Take a hard look at your practices and ask whether you really need to keep that extra weight, and whether the potential benefit outweighs the risk of loss.
COPPA – The Kids One
Check out the government’s FAQ about what’s required. It goes by the types of data collected and what you have to do about each.
Here’s the site to check out for general-audience websites. It goes over when and how you need to delete minors’ data.
CA’s New Eraser Rule – Effective January 1, 2015 (and the marketing restrictions)
If you allow your under-18 users (not just under-13) to post comments, pictures, etc. on your site, you’ll need to give them the option to delete all of their content at their request. It’s basically ‘the right to be forgotten.’
Bloomberg states: “On January 1, 2015, California’s minor “eraser button” law will go into effect. The law (California S.B. 568) will require the operator of a website, online service or application, or mobile application directed to minors under 18 – or an operator that has actual knowledge that a minor is using its service or application – to permit a minor who is a registered user of the service to remove or, at the operator’s discretion, request and obtain removal, of content or information posted on the service or application by the user. The law also requires the operators to notify registered users who are minors that such removal is possible and provide clear instructions for how to accomplish it.”
The issue many see with the law is the ability of others to share images and comments, which can then go viral, and how the website is supposed to deal with that: just because it’s deleted from that website doesn’t mean it’s actually erased. Protect yourself and talk to a lawyer about how to deal with this, if it’s an issue for you.
There’s also a marketing restriction attached to the bill: if you know you have under-18 (again, not just under-13) users on your site, you’re restricted from marketing products or services on your site that minors can’t legally buy or use, such as firearms, alcohol, vandalism tools, fireworks, etc. A privacy blog states this:
“The statute lists 19 categories of prohibited content covered by the law’s marketing restrictions, including, firearms, alcohol, tobacco, drug paraphernalia, vandalism tools and fireworks. Notably, the law does not require an operator to collect or retain the ages of users, and provides operators with a safe harbor for “reasonable actions in good faith” designed to avoid violations of the marketing restrictions.”
Terms of Service
What are Terms of Service?
A TOS is your arsenal for limiting what users can and cannot do. This allows you to kick people off your site or service, protect your good users from abusers, and more. It also allows you to limit what liability you have to your users, which could potentially limit the kinds of situations in which you’re liable to the user, where they can sue you, and how they can sue you (e.g. arbitration vs. court or class action).
There is no requirement to have a TOS, but it sure as hell is in your best interest to get one tailored to your needs. Copying and pasting only goes so far if the company you’re copying from doesn’t offer the exact same services as you, or doesn’t have the same requirements of its users as you would like. As such, it would be a great idea to make sure that this contract is just as tailored as any development or employment agreement you would have elsewhere in your business.
End User License Agreements (EULA)
A company will typically have a EULA when you’re giving the user a license to use or download a copy of the software, such as what Microsoft does with Office or Blizzard does with World of Warcraft, Diablo, and StarCraft.
If you’re giving the user a copy of your software, you don’t want them to be able to copy or use it willy-nilly; you want to control and limit what they can legally do with the copy you’re giving them, which is what a license does. However, you’ll still likely want a TOS IN ADDITION TO A EULA if you’re offering that kind of service. This is because the EULA typically applies to the use of the copied software, whereas the TOS applies far more generally to use of everything with regard to your services or products.
Note that if you’re offering Software as a Service (SaaS), a EULA is not generally what you want to use, because you’ll be offering access to software running on your servers, through a browser or other client, rather than giving them a copy. As such, a EULA isn’t generally appropriate for SaaS, but a TOS would definitely be appropriate, because that would govern the user’s acceptable uses of the software.