The majority of the changes to Quebec's Act respecting the protection of personal information in the private sector (the "Act") came into effect on September 22, 2023. As a result of the new law, companies doing business in Quebec have had to significantly change the way they handle the personal information they process, as well as their data governance practices. The video game industry is no exception.

When do Video Game Companies Need to Comply?

There are two main triggers for compliance obligations. First, video game companies with employees physically located in Quebec must consider compliance with the Act where their employees' personal information is concerned. This is also the case for companies outside Quebec that work with freelancers located in Quebec, as well as Quebec companies with employees or freelancers working in other provinces or countries. Second, as video games often involve the processing of large quantities of personal information, studios must be aware of their new obligations to players.

It is important to remember that the Act does not just apply to major companies; small and medium-sized studios are also required to comply. Below are some key provisions that directly apply to personal information collected from players in Quebec.

What is Personal Information in the Context of Video Games?

The Act defines "personal information" as information which relates to a natural person and allows them to be directly or indirectly identified. 1 Direct identifiers allow people to be identified without any additional information (for example, names, social insurance numbers, or email addresses). Indirect identifiers allow people to be identified in combination with other information.

In the context of video games, it is not always clear what is considered personal information, since many indirect identifiers are collected. However, Quebec's privacy regulator recently clarified in its consent guidelines a number of categories of personal information that may be collected from video game players, such as:

  • Number of clicks in a gaming session.
  • Number of hours played in a gaming session.
  • Friends lists.
  • Metadata on a person's device/system.
  • Conversations on public servers.
  • In-game scores, game history and usernames/pseudonyms. 2

Compliance with the Act thus begins with understanding what personal information is collected. Creating an inventory of personal information is a critical starting point for determining what measures are required.

When does a Video Game Require a Privacy Impact Assessment?

A Privacy Impact Assessment ("PIA") is an evaluation of various factors related to the protection of personal information that businesses must undertake prior to taking certain actions. There are two situations where the Act requires a PIA:

When a business undertakes a project to acquire, develop or overhaul an information system or electronic service delivery system involving the collection, use, communication, keeping or destruction of personal information. 3

This PIA would be required if a studio intends to implement a new system that involves the automatic collection of players' in-game data. This might involve a function that analyzes information such as the amount of time players spend on a particular level or where they disconnect from a session, in order to identify bugs or glitches that inhibit player progress.

When a business intends to communicate personal information outside Quebec. 4

This PIA would be required where a studio sends personal information collected from players in Quebec to servers located in another Canadian province or another country. For example, if a player in Quebec must connect to a server located in Ontario in order to play an MMORPG, 5 then a PIA is required.

When do Video Game Companies Need to Disclose Their Tech to Players?

The Act clarifies that players must be notified of any technologies used to identify, locate or profile them, and that these technologies must be deactivated by default. 6 This includes the collection of player data for the purposes of in-game targeted advertising, as well as geolocation functions. For example:

  • A free-to-play game collects information regarding the player's preferences and demographics (age, education/occupation, other applications used, genre of games played) in order to create an individual profile on the player and deliver them more relevant third-party advertisements during gameplay.
  • A mobile game that allows players to "check in" at certain real-world locations in order to receive in-game rewards stores information regarding the locations the player visits.

When do Players Need to be Informed About Automated Decision-Making?

When a decision is made based exclusively on automated processing of a player's personal information – for example, using artificial intelligence ("AI") or algorithms – a studio must inform the player of such processing before or at the time the decision is made. 7 This might be the case where, in a PvP 8 game, an algorithm sorts players into matches based on their respective skill level. In the absence of further guidelines, it is possible that such features will be considered automated decisions subject to the obligation of information.

How can Video Game Companies Obtain Valid Consent?

Consent to the use and communication of personal information must be clear, free and informed. 9 Therefore, if a studio wants to use the personal information of players for purposes that are not essential to playing the game, it must present a separate request for the player to provide their consent. In many cases, this consent must be explicit. Note that targeted advertising and profiling are not considered essential purposes.

Moreover, a studio cannot simply disclose its privacy practices within its Terms of Service (for example, at the title screen) and ask the player to accept them as part of the Terms of Service. 10 Rather, these practices should be disclosed in a distinct privacy policy. However, the studio cannot presume consent to nonessential purposes by simply presenting them in a privacy policy. This consent could instead be obtained using distinct check boxes where the player can confirm their acceptance of each nonessential purpose, or by using a specific online consent form.

However, where the personal information requested is strictly necessary for a purpose required to play the game, consent may be presumed if the player provides their personal information after such purposes have been disclosed to them in a distinct privacy policy at the moment of collection, among other obligations. For example, this may be the case where a credit card number is needed to purchase downloadable content in a free-to-play game, provided that this purpose is mentioned in the privacy policy at the time the player creates their account.

Footnotes

1. Act respecting the protection of personal information in the private sector, CQLR c P-39.1 at s 2.

2. Lignes directrices 2023-1 – Consentement : critères de validité (31 October 2023), online: Commission d'accès à l'information <https://www.cai.gouv.qc.ca/documents/CAI_LD_Criteres_validite_consentement.pdf> at p 39 (CAI).

3. See ARPPIPS, supra note 1 at s 3.3.

4. Ibid at s 17.

5. "Massively multiplayer online role-playing game."

6. Ibid at s 8.1.

7. Ibid at s 12.1.

8. "Player versus player".

9. Ibid at s 14.

10. See CAI, supra note 2 at p 39.
