Perspectives

Is your privacy management still loading?

Securing children’s data privacy in the gaming industry

Protect gaming adventures from risk

With the rapid integration of virtual and augmented reality, advanced connectivity, and artificial intelligence (AI) into gaming experiences, gaming is becoming more immersive and mobile, attracting a growing and diverse consumer base who expect a reliable, safe, and secure gaming experience with zero latency. Free-to-play and subscription games, indie games, esports, streaming, mobile gaming, augmented reality, and virtual reality are growing segments. The gaming industry is projected to reach a revenue of US$282.3 billion in 2024, and is expected to grow at an annual rate of 8.76% between 2024 and 2027, resulting in a projected market volume of US$363.2 billion by 2027.1

As such, gaming companies are having to innovate and expand features, modalities, experiences, and safeguards to meet consumer expectations. However, as consumer expectations grow, so does regulatory scrutiny. The enforcement of existing privacy regulations (e.g., Children’s Online Privacy Protection Act) has accelerated and new online safety regulations (e.g., Digital Services Act) are emerging across the globe. Growing consumer expectations and regulatory scrutiny are mandating that gaming companies proactively mature their compliance programs; embed data privacy and safety guardrails into the design of gaming experiences to keep consumers safe; and leverage emerging technologies, such as AI, to scale privacy and safety controls.

Is your privacy risk management playing by the rules?

Privacy and safety risks pose a disruptive challenge to gaming companies’ bottom line and ability to expand in certain markets. Significant fines have been issued to gaming companies for failing to obtain consent and improper data processing practices, especially with respect to processing children’s data. Violations are expected to be heavily penalized as demonstrated by the record setting $275 million fine—the largest ever imposed under the Children’s Online Privacy Protection Act (COPPA)—to one gaming company in 2023.² Failure to protect the most vulnerable user base could result in a damaging impact to gaming companies’ reputation and consumer trust.
As a result, implementing strategies that address data privacy and safety risks can potentially help a company protect its margins, capitalize on opportunities, and capture market share. For this reason, gaming companies should consider the following risks, which are likely to be a significant focus in the regulatory space:

Power up your risk management

Gaming companies should be aware of applicable regulations, determine whether their controls environment effectively and consistently enables compliance, and engage in cross-departmental collaboration to ensure privacy and safety measures are in place to maintain a safe environment for gamers. A misstep, especially when processing children’s data, can result in financial impact and could be extremely damaging to a company’s brand and reputation, not to mention putting the safety of their consumers at risk. There are several recommendations gaming companies can consider to proactively help strengthen their privacy posture.

${header-title}

${column1-large-text}

Understand and manage gamer risks

With the influx of privacy, safety, and AI regulations, gaming companies should take a systematic and programmatic approach to identifying risks and building compliance capabilities. Gaming companies should identify and prioritize existing and emerging regulations and develop a baseline rationalized requirement framework. Risk or impact assessments should be performed to help video game companies truly understand the risks present to their gamers and developers, enabling the businesses to make informed decisions.

${column1-button-text}

${column2-large-text}

Adopt trust-by-design for product and feature launches

Whether you’re developing a virtual reality headset, launching a new modality or product, or integrating GenAI into an existing feature, privacy, safety, and security practices should be accounted for in product development to comply with regulatory obligations and manage risk. Trust-by-design is the process of unifying privacy, security, and safety reviews of products and features prior to launch to demonstrate that the product can be trusted by consumers and regulators. Adopting a trust-by-design approach to product development can enable organizations to meet several data privacy objectives, such as keeping users safe, building trust with consumers, complying with regulatory obligations, protecting user rights, and minimizing online threats and vulnerabilities.

${column2-button-text}

${column3-large-text}

Leverage AI for privacy compliance

Although AI comes with certain risks, it can be a powerful tool for streamlining privacy compliance and safety operations with proper controls in place. As technology companies are racing to develop AI-based offerings, the market for privacy compliance and safety solutions is nascent, and use cases continue to take shape. AI capabilities are expected to emerge to support each phase—including data and compliance management life cycles—to bring more efficiency, consistency, and automation to manual and time-consuming tasks. Use cases are already being explored, such as using AI for data-subject access requests, training and awareness content generation, compliance chatbots, ingestion of regulatory requirements, and prediction of risks based on historical enforcement data and patterns.

${column3-button-text}

${column4-large-text}

${column4-title}

${column4-text}
${column4-button-text}

Take your gaming privacy to the next level

With the growing wave of emerging and increased regulatory scrutiny, it may no longer be a viable option for gaming companies to be reactive. The enhanced awareness of consumers and importance of trust require companies to place significant time, investment, and resources into their privacy program and trust and safety team. Implementing strategies, programs, and capabilities that address privacy and safety risks and meet regulatory obligations can help garner consumer trust and regulator confidence—and may help protect gaming companies’ margins and enable them to capitalize on opportunities.

Notes:

1Statista Market Insights, video gaming, accessed May 2024.
2United States v. Epic Games, Inc., No. 5:22-CV-00518-BO (4th Cir. Feb. 7, 2023).
316 C.F.R. 312.3.
416 C.F.R. 312.5.
5State of California, AB-2273 California Age-Appropriate Design Code Act (CAADCA).
6Kids Online Safety Act, S. 1409, 118th Cong. (2023–2024).
7Daniel Alanko, “The health effects of video games in children and adolescents,” Pediatrics in Review 44, no. 1 (2023): pp. 23–32.
8Shiona McCallum & Liv McMahon, “China to increase curbs on video gaming industry,” BBC, December 22, 2023.
9IAPP, “Evaluating the use of AI in privacy program operations,” September 27, 2023.

Contacts

Glenn Aga 
Managing Director
Deloitte & Touche LLP
glennaga@deloitte.com    

Thomas Elkington
Senior Manager
Deloitte & Touche LLP
telkington@deloitte.com    

Fullwidth SCC. Do not delete! This box/component contains JavaScript that is needed on this page. This message will not be visible when page is activated.

Did you find this useful?
2024 Digital Media Trends

Media and entertainment companies should be thinking more about the world ahead than the one they’re being forced to leave behind.

Gaming in Web 3.0: Understanding the Potential of Blockchain Gaming

Deloitte’s three-part series examining the feasibility, viability, and desirability of blockchain enabled economies within the gaming industry.