You may have noticed that your inbox has been filling up recently. Companies you can’t even remember buying from are suddenly very keen to reconnect with you (when and why did I set up an account with GAME?). This is because the GDPR, or General Data Protection Act, came into force on 25 May 2018. It’s a new regulation that affects the protection and storage of personal data in the EU, including the United Kingdom. This also means that any international companies (e.g. video game publishers, retailers, and developers) that handle an EU country’s data must comply with the GDPR.

Still with us? Well done. You get the greatest gift of all: more information.

A number of changes are taking place. Apart from having a larger jurisdiction, greater fines for breaches, a change in the security protocol, and the need for companies to appoint data protection officers, there is also a right for people to request access to their data. Privacy and data protection must be central to the design of a company or site, not an afterthought.


But the reason you have been receiving more emails is the change to consent. Consent to hold personal data must be freely and actively given, not assumed, with the ability to withdraw consent easily. So, like many other companies, Green Man Gaming (a UK-based online video game retailer) sent out emails to their mailing list about the GDPR changes to get that consent. The problem is that the emails don’t seem to be meeting good practice guidance. At the very least, they look ethically dubious—at worst, they may also have broken the terms of the regulations.

On 4 May 2018, Angie received an email from Green Man Gaming with the subject line: “Win $1000 store credit and an i7 processor.” She can’t remember what offer tempted her to give up her email address to Green Man Gaming, or ever actually buying anything from their site. With that and the fact that Angie tends to ignore competition emails automatically, she clicked to mark it as Read, then moved on.

What wasn’t clear was that this was Green Man Gaming’s attempt to seek consent under the GDPR changes.

An email from Green Man Gaming. The email opens with a large graphic reading "WIN AN i7 AND $1000 CREDIT," and includes a bright green "OPT ME IN" button alongside a dark gray "OPT ME OUT" button. The text of the email mentions that readers may need to "refresh [their] preferences." Green Man Gaming, 2018.

Green Man Gaming’s misleading GDPR email. Source: Email

Article 12 of the GDPR states that when asking for consent, the language needs to be clear. Nothing in the subject line indicates this is about data protection regulations. Green Man Gaming is on dangerous ground, especially if any of those who received the email were minors.

The Information Commissioner’s Office is the UK’s independent body set up to uphold information rights. It advises that, with the GDPR, people must clearly understand what they are consenting to. If the receiver is likely to be a child, this should be in language so straightforward that they can understand it. Green Man Gaming have not made it immediately clear that this email is about obtaining your consent for them to hold your personal data, or what they will do with this information. Instead, there is mention of needing to “update your settings” or “refresh your preferences,” and yet at the time of sending, Green Man Gaming themselves hadn’t updated their privacy policy.

Children (defined as anyone under the age of 16) are afforded extra protection under GDPR. Without the experience of an adult, children might be less conscious of their data privacy and thus more likely to consent to agreements where a power balance between the child and the data handler could be exploited by the handler.

What’s worse is that during the week of 20 May 2018 (the same week GDPR went into effect) others received emails with the subject line “Order confirmation.” The email body contained the same text as before, but with a cheeky “not really, but while you’re here” line at the start.

It’s worrisome that a child could open this email and agree to the updated information based on the chance of free anything without understanding the more important context of data privacy. It’s unclear what possessed Green Man Gaming to think it was a good idea to send an email implying the receiver’s account was compromised and currently being pillaged. They did apologise for the alarm caused:

Last night some customers received a GDPR email from Green Man Gaming titled ‘Order Confirmation’. We’d like to unreservedly apologise for sending this email to some customers that received it. We messed up and we promise we will not do this again. Valuable customer feedback has been passed to our teams internally so that this is taken into account for future campaigns.

“On behalf of the Green Man Gaming team, I am very sorry for the data protection email with the subject ‘order confirmation’ that went out last night to some customers from our team. Although it was never the company’s intention to alarm customers, we acknowledge that some customers have been alarmed, and for this I sincerely apologise.

Because of this, I would like to assure everyone that we will never send out emails like this again and will always respect our customers’ wishes,” says Paul Sulyok, Founder and CEO of Green Man Gaming.

This announcement appeared on the Green Man Gaming site. While there’s an apology to customers who were upset about the “joke” email, there’s also nothing regarding whether the email was compliant. They still don’t seem to fully grasp that what they did may have broken regulations by failing to be clear in their language and intent.

Then there is the issue of the competition itself. The ICO states that “it may still be possible to incentivise consent to some extent,” especially if there is a benefit offered to the consumer. However, can entry into a competition, where there is obviously no guarantee you will win, really be termed a benefit?

It’s true that the receiver doesn’t have to opt in to qualify for the competition. Two nice big buttons offer the reader the opportunity to enter via either opting in or out. This poses a new problem. First, if you opt out of Green Man Gaming keeping your personal data, how are they meant to contact you?

GDPR mandates a positive opt-in option for companies seeking consent to process data, but pre-ticked boxes are not permitted. While Green Man Gaming’s use of a brightly colored box for the positive option isn’t necessarily a breach of this rule, it does make the positive opt-in more visible and appealing.

Second, there’s the issue of offering an opt-out option altogether. One of the biggest changes is that the GDPR states that when companies seek to hold someone’s personal data, people must actively “opt in” to give their consent. There is actually no need to “opt out” as inactivity, using default options, or silence from the customer are not viewed as consent.

Buried at the bottom of the email, in contravention of the guidance on communicating clearly, is a short paragraph about how there is actually no need to opt out to “update your settings.” This isn’t clear at all from the email, where the offer of a choice implies the customer must make one.

It’s a mess, one that Green Man Gaming isn’t alone in making. Some companies have contacted customers unnecessarily as they may already have an appropriate record of consent that meets the GDPR guidelines.

And if they don’t already have this record? They might, according to Toni Vitale (head of regulation, data and information at the law firm Winckworth Sherwood), be breaking the Privacy and Electronic Communications Regulations, “which makes it an offence to email someone to ask them for consent to send them marketing by email.”

The GDPR aims to establish a higher level of consent, with the possibility of fines well over the current £500,000 limit under the Data Protection Act (1998) for those who breach the regulations. It will be worth watching what happens next with Green Man Gaming and whether the ICO or the government view the competition as an “undue incentive” for customers to give their consent.