Bethesda's had a rough few months, and things are getting a little more interesting with a Redditor's recent discovery.
First reported by GameWatcher.com, a popular Reddit thread discovered that users are being automatically opted in to ZeniMax ads upon account creation. GameWatcher.com says this is a "major no-no according to GDPR", and Reddit users on the now-removed thread also called the General Data Protection Regulation (GDPR) into question.
GDPR might sound unfamiliar to those outside of the European Union. GDPR's official website says:
The aim of the GDPR is to protect all EU citizens from privacy and data breaches in today's data-driven world. Although the key principles of data privacy still hold true to the previous directive, many changes have been proposed to the regulatory policies; the key points of the GDPR as well as information on the impacts it will have on business can be found below.
This is a major law in the European Union, so I reached out to both Strebeck Law and Morrison Rothman LLP, two firms practicing in areas such as video game law.
Zachary Strebeck of Strebeck Law first corrected something from the GameWatcher article:
GDPR applies to EU citizens both located in the EU and those who are abroad. That's why companies generally want to just have these policies apply everywhere. IP address isn't enough to differentiate.
Besides that, he also outlined several points needed to be compliant with GDPR at a basic level. "That includes: a lawful basis for collecting and sharing the personal information," as well as "disclosure of what you're collecting and sharing, as well as who you're sharing it with and what the lawful basis for collection is."
He continued: "Information regarding targeted advertising is generally going to be considered 'personal information' under the GDPR and most other privacy laws." Strebeck outlined three lawful bases under which a company can collect such information: consent (the opt-in in this case), fulfilling contractual obligations, and legitimate interest.
Still, while Bethesda users are technically opted in, Strebeck cites the UK's Information Commissioner's Office (ICO). The ICO says that consent requires a "positive opt-in" and that there should be no pre-ticked boxes. This is not the case with Bethesda accounts, since users have to manually opt out.
Morrison Rothman LLP's opinion on the matter was equally interesting. I talked to Shaq Katikala, a privacy attorney with the firm. Katikala said that users being "automatically opted in" is not necessarily a GDPR violation:
For example, if they are only preemptively asking for this permission as a "just-in-case" but are not actually even doing any ad targeting with your email address, then they would not likely be violating GDPR.
Katikala also suggested I reach out to the ESRB. The ESRB certifies companies' privacy practices, so Bethesda and ZeniMax would have gone through that process. When I got a response from an ESRB spokesperson, they said:
While [ESRB] does offer guidance for member companies regarding the General Data Protection Regulation (GDPR), we do not yet certify or guarantee compliance with the GDPR. That said, when the EU Data Protection Authorities finalize a mechanism to approve GDPR certification programs, we hope to be selected. Additionally, it's not our policy to comment on results of member audits.
You can disable this opt-in, but it's needlessly complicated. If you go to the Bethesda launcher, you have to click account management, which will bring up a new page. You have to scroll down to opt out. I tried to do it on Bethesda's main website but wasn't able to unless I googled "Bethesda account" and went to its URL. The communication preferences there appear to let you alter it, which is a different page than you'd get to if you went through the Bethesda Launcher, which takes you to an account management page... which is different than the account management page they link to in other places on their website, making the experience far more painful than needed.
Are Bethesda and ZeniMax breaching GDPR? It really is hard to say, since the attorneys seem to have different opinions on the matter. Meanwhile, there's not enough case law or general precedent to see what might happen with this situation. It's also hard to tell whether this situation will develop into something bigger.
What do you think of this practice? Do you think that it violates GDPR? Let us know in the comments below!