GDPR and Branded Games

I’m sure you’re all aware of the new GDPR regulation and that you’re preparing for the big ‘switch over’ on May 25th.

We won’t get into the nitty gritty of GDPR regulation here; I’m pretty certain the internet does not need another blog about fines and penalties. And this is not a ‘checklist to compliance’ either; there are plenty of other trusted information sources out there doing just that. We found the ICO website itself particularly helpful in breaking down the regulation’s 99 articles, and this WIRED article provides a clear and concise overview in a non-scare-mongering way!

We’ve had a number of requests about how best to ensure compliance with regards to our games, for both the front end (data capture and competition best practice) and the back end (data storage, management and hosting).

So here are our responses to your GDPR FAQs for compliance with your games.

We hope you find it useful. Let us know if you think we’ve missed anything – like everyone else, we’re learning too!

This is a bit of a beast so if you want to jump around to a relevant question go ahead! We’ll cover…

What is the best way to capture data?

Will we get fewer marketing opt-ins?

How do you gain permissions for your re-engagement game email notifications?

What data does the game collect?

Where is it stored and is it secure?

Do the games use cookies?

Who’s responsible for data queries and deletion?

So let’s start off with some FRONT END questions…


Q1. What’s the best way to capture data in a compliant way?

Being able to capture the details of those engaged with your brand and keep the conversation going is priority number one.

We’ve found that one of the best ways to incentivise data capture with our games is to offer a competition. The main change to the current regulation within GDPR is that you need to have the consumer’s explicit consent if you want to add them to your marketing mailing list. They need to understand exactly what they are signing up for and what is going to happen to their information once they have.

The competition terms and conditions must be completely separate from any marketing activation to avoid any ‘confusion, coercion or penalty for refusal’, meaning you can’t automatically send marketing communications based on data used to enter a competition, and you certainly can’t refuse access to the competition if they choose not to sign up. Big no-no!

When it comes to asking for permission to send them further information about your products or services, you must always give the option to ‘Opt In’ rather than an ‘Opt Out’ tick box or indeed a pre-ticked box. It must also be very clear what you will do with the data you receive, in an easily accessible data policy that makes sense and is not an indecipherable bible of technical or legal jargon.

The magic word here is CLARITY.

Here’s an example of what our standard score submission screen will look like going forward.

We can supply a template ‘Team Cooper’ privacy policy for you to amend or we can link to your own existing version.

GDPR Compliant Submit Screen


Q2. What will all this mean for our data capture? Will we capture fewer email addresses?

Inevitably yes, but this is one of the fundamental principles behind GDPR. The new regulation gives back control to the data owner. The player. The user. Your audience. You.

And those willing to share their data openly are much more valuable to a brand than those who have been duped into it through a series of dark patterns. They are already engaged, connected and trust the brand and are open to further conversations – quality over quantity.

Q3. You have a re-engagement package, where the player receives email notifications about game results and friends’ scores etc. How do you gain permission for that and how does that comply?

Great question. While it could be argued that any communications directly related to the game and competition would come under ‘legitimate interest’, to ensure compliance we feel it best to include an explicit opt-in for this too.

To understand how this will work, let’s set the scene from a player’s perspective…

You’ve finished your game, and begin submitting your details to the leaderboard. You input your name and email, tick the opt-in boxes and hit the submit button.

The next screen asks if you would like to receive email notifications when you get knocked off the leaderboard or are beaten by a friend (which obviously you’d need to rectify immediately!).

To get the best engagement, this message needs to be as compelling as possible, assuring players that their email address won’t be used for any other purpose and they can unsubscribe at any point.

Our message system automatically stops emails being sent out to people who have unsubscribed.

Now we’ve cleared those up, let’s go technical and dive into some BACK END questions:


Q4. What data does the game collect?

Our games collect personal data and behavioral data.

According to GDPR, personal data is any information relating to an identified or identifiable individual; meaning information that could be used, on its own or in conjunction with other data, to identify an individual.

Once a player submits their score to the leaderboard the personal data that the game collects is a first name, last name, email address and communications opt-in preferences.

Behavioral data is information about how the game has been played, how many times, for how long, etc. This is mostly collected by Google Analytics where it is anonymous, but we also store some of this information in the game database for administrative purposes.

Q5. Where is all the data stored and is it secure?

If we’re hosting a game for you, all submitted game data is stored on a secure and encrypted database, hosted on cloud-based servers within the EU.

Going forward, all the games we host will also come with an SSL certificate as standard, ensuring all submitted user data is encrypted in transit and giving your players instant peace of mind with that secure https URL.

You will have access to the leaderboard data from the game’s admin panel, allowing you to download the information in order to draw competition winners.

You will also be able to determine who has requested further information, along with a record of the date and time at which they opted in, so you can confidently add those people to your marketing lists. You can also delete those who didn’t opt in, in accordance with your own privacy policies.

We will keep hold of data backups for a maximum of 2 months after the campaign ends, in accordance with our own policy.

Q6. Do the games use cookies?

Yes they do. Like most online websites and apps, the games use cookies to make everyone’s life easier.

We use them to remember player details on the score submission page so that players don’t have to re-type their details over and over again. We also use them to help track behavioral information, for example with Google Analytics.

We have recently incorporated a cookie notice at the start of the game which links to a cookie policy too. Again, you can use and adapt our version or we can link to your own.

Q7. What about the ‘right to erasure’ – how does this work?

Another of the main changes to legislation is the right to request what data a company holds on you and the right to request that it’s deleted without trace, like you never existed!

Within your game privacy policy, you will need to provide contact details so that a player can get in touch and request a copy of the information in a readable, user-friendly format, with a clear policy on how they can update or delete it.

You will be responsible for processing these requests but you will be able to manually delete these players via the game admin panel.

Q8. Is that it? Any more for any more?

Maybe! Truth be told, there aren’t many who really know how this is all going to pan out. There are no precedents here, and best practices are yet to be defined. But so long as we are being clear, concise and transparent with the way we are requesting and processing people’s data, we should be on a good footing.

If you have any questions we haven’t answered or anything is unclear, please let us know and we’ll do our best to answer them.

For more information please email us at


Serious face disclaimer: We are not lawyers! This article is based on our opinion and understanding of the new GDPR regulation and shouldn’t be construed as legal advice. OK? Cool, Game on!
