As the General Data Protection Regulation (GDPR) legislation deadline looms, online and mobile gaming companies are adjusting their marketing efforts to comply with the personal data collection and retention requirements. Connected online games such as massively multiplayer online (MMO) games, mobile games and location-based titles, where users play alongside hundreds of others from around the world, once collected a great deal of data from users. But now many publishers have to address their long-standing communities without necessarily having the convenience of demographics data.
Compliance is mainly a matter of getting explicit permission from players (or their parents, in the case of minors) to use their personal data for marketing purposes, and possibly removing all that information at the user’s request. However, “data” is a term that can be a little fluid when games are concerned, depending on how integrated it is with the gameplay.
In some cases, game companies may prefer to be safe rather than sorry by collecting as little information as possible from their players, since failure to comply with GDPR’s guidelines could lead to hefty fines from the European Data Protection Board. If a publisher originally collected data that is not compliant with GDPR’s requirements, it will have to figure out ways to recollect the information in a compliant way or limit its use after the May 25 deadline. Publishers should avoid using personal data to market to EU residents if it may have been collected without express consent.
“It’s swung back and forth like a pendulum over time,” said Scott Hartsman, CEO for Trion Worlds, recounting how the first-generation online games collected explicitly personal information from users before letting them play. “If you look across most [modern] online games, it’s about quickly getting people into the game with as little friction as possible, which means collecting as little info as possible in the premium game space,” he explained.
Given that bumpy history, game companies have been preparing for GDPR differently. Hartsman explained that for Trion Worlds, being a PCI (Payment Card Industry) certified billing provider helped the company prepare for the upcoming regulations. For example, he said that the company makes a conscious effort to collect as little identifying information as possible, and it can quickly implement a system where the company will “forget” that a customer exists.
According to Hartsman, difficulty with compliance depends on whether data is treated as game content. For example, a social game that treats interactions such as “likes” on Facebook as content—which can be construed as personal data that drives targeted marketing—may have more difficulty forgetting its users.
On the other hand, mobile games—particularly those that rely on location data such as Pokémon GO—could be more sensitive to GDPR legislation. That may become problematic for companies and businesses that are partnering to benefit from the foot traffic they generate.
“Games that rely on location data or social features that necessitate the collection of personal data certainly will be subject to GDPR requirements,” said Debevoise & Plimpton lawyer Will Bucher, who works with video game legal matters. “Additionally, the use of location data and the associated monitoring of individuals’ activities is considered a high-risk activity by EU data protection authorities, so companies using this type of data can expect closer scrutiny from the government.”
But Bucher adds that these games won’t necessarily have to stop collecting data; they just have to do so within the scope of GDPR.
“In some ways, mobile games might even have an advantage, at least when it comes to the GDPR’s consent requirements,” he said. “Many consumers are already used to giving permission to apps on their smartphones, so they may be more comfortable providing the needed GDPR consent than a user who throws a disc in their gaming console.”
“So long as the information collected is not associated with any personal data of the user, a wide range of metrics can be collected, such as statistics about in-game performance, match times, etc.,” said Bucher. “But when those metrics are linked to any information that facially identifies the user, or could identify the user in the real world—such as an IP address, personal e-mail, credit card number or a cross-platform cookie—then the GDPR’s requirements might be triggered. Among those requirements is that there must be a valid legal basis to store and use users’ data, such as the users’ consent.”
Above all, Bucher emphasizes that it’s important for game publishers to keep in mind that the driving force behind the legislation is to give individuals back control of their data.
“Principally, that is accomplished through increased transparency,” said Bucher. “An increased focus on communicating with users about what data is collected and how it’s used goes a long way to meeting many of the GDPR’s requirements, although it is not a replacement for data protection impact assessments to ensure companies are complying with their legal obligations.”
Companies that choose to collect as little data as possible will have to become more hands-on with their community-based marketing and engagement efforts, since they won’t necessarily have any demographics information to work from when crafting their messages.
“This is going to sound super old school, but I still believe that there’s no better way to know what will resonate with your players than being one of your players,” said Hartsman.
Hartsman plays Trion’s games alongside the rest of the community, where he can listen to them and see their pain points. In fact, a requirement for working at Trion is to be a fan of at least one of its games because “people who are involved with the games and remain involved with the communities tend to service those communities best.”