I'll be keeping everyone updated on what's going on. Bravo Fleet will be sharing information with me as well so the fleets can be on the same page with regards to keeping up with the new policies. So be sure to watch this space for more information.
As you may have already heard, the General Data Protection Regulation ("GDPR"), adopted by the European Union in 2016, goes into full effect on May 25, 2018. Between this and the growing concerns over Internet privacy as a whole, Bravo Fleet has decided to offer some general guidance to our players, sims and staff regarding the collection, management and processing of personal information. The information contained within this post and the communications with Bravo Fleet on this topic ("Communication") were prepared for informational purposes only. The Communication is not intended to be and should not be considered legal advice. The Communication is provided only as general information and may be incomplete and/or not reflect the most current legal developments. None of the Communication is intended to constitute an attorney-client relationship. You should not act upon any of this Communication without consulting professional legal counsel.
Why should you read this? Beyond simply respecting fellow members of this wonderful community: if you are found in violation, penalties can be as high as €20 million, even for a website that produces no revenue (like a sim site).
What is GDPR?
GDPR is a legal framework designed to give individuals greater control over their personal data including not just physical information like names and postal addresses but also digital information like email and IP addresses. Under GDPR, websites must provide privacy policies, cookie policies, easy opt-out, breach notifications and reasonable security precautions, and they are restricted from using personal information for anything outside the stated purpose of why the individual provided it without receiving the individual's explicit consent.
While GDPR technically only protects the rights of EU citizens, it does so globally, whether or not you or your server reside within the EU. As long as an EU citizen can visit your website, you must comply with GDPR. Thus, in the context of Bravo Fleet, we recommend that all sim sites immediately take steps to comply with GDPR.
What about other privacy regulations?
In the process of preparing this recommendation, a legal review was also conducted of other international privacy laws. The recommendations provided below are also intended to comply with the United States Electronic Communications Privacy Act, the Australia Privacy Act, the Canada Personal Information Protection and Electronic Documents Act, the Mexico Law on the Protection of Personal Data Held by Private Parties, the California Online Privacy Protection Act and the California Information Practices Act, among others. All EU privacy regulations besides GDPR have been, or are about to be (before May 25, 2018), superseded by GDPR, which is why they were not considered separately.
The recommendations herein explicitly do not satisfy the requirements of Russia, Kazakhstan, China, Indonesia and Colombia, and they may not satisfy other regulations that were not directly considered.
What do I need to do to comply with privacy regulations?
The key to Internet privacy is informed consent by the individual.
If you are ever in doubt, measure the action you're about to take against whether you have received consent to take it. For example, when a user signs up for your sim, they give their email address to receive mission post emails and sim announcements. If you email them about something unrelated or you give their email address to someone outside the explicit purpose of your sim, you would be in violation of the GDPR and other international privacy laws.
Beyond this basic principle, we recommend concrete steps to comply:
  - a. how you capture data;
  - b. what data you store;
  - c. how, if at all, you respect do not track browser signals;
  - d. how long you intend to keep the data;
  - e. how people can access and how you share the data you have stored; and
  - f. how an individual may request their data removed from your system.
- 2. "Your California Privacy Rights" Page - Your website should include a page entitled "Your California Privacy Rights" with the following text (substituting in place of the placeholders): "If you are a California resident, California Civil Code Section 1798.83 permits you to request information regarding the disclosure of your personal information by [INSERT: ORGANIZATION] to third parties for the third parties’ direct marketing purposes. To make such a request, please [INSERT: CONTACT INSTRUCTIONS]."
- 3. Website Security - Your website must implement a reasonable level of security. Assuming you are using standard simming software such as Nova, or standard forum or blogging software, this mostly comes down to configuration settings:
  - a. enable SSL, which you can do with a free certificate from https://letsencrypt.org or, if you use bravofleet.games for hosting, by contacting @aio;
  - b. ensure your server and software are up-to-date and check regularly for updates; and
  - c. use strong passwords for your database and for any account that can access others' information.
- 4. No Implied Consent - Your website should not pre-check any checkboxes regarding agreeing to terms or allowing the release of an individual's information. Nova and most forum and blog software already handle this correctly by listing terms and asking the user to press an "Agree" button.
- 6. Age of Consent - Because age of consent varies by country (even in the GDPR), rather than sorting through the varying laws for every applicant, we recommend adding to your sign up terms a statement such as "I affirm that I have the full right and authority to enter into this Agreement, including that I am of the age of majority in [INSERT: WEB HOST COUNTRY] and my own country." You may also include a clause allowing a parent or guardian to enter into the Agreement on behalf of the Individual. This is completely separate from your sim age rating.
- 8. IP Tracking - Do not store an individual's IP address (beyond your access logs, which should be deleted regularly), nor place third-party code or embeds on your site that track a user's activity. If you intend to do this, you will need to look into additional rules about this (beyond the scope of our recommendation).
- 9. Advertising and Marketing - Do not use an individual's personal information for any purpose other than simming (not even a simple email about something else), and do not provide an individual's personal information to any third party (no ads, marketing or lead generation tools). If you intend to do any of these things, you will need to look into additional rules about this (beyond the scope of our recommendation).
- 10. Data Breach Notification - If you suffer a data breach, you should notify all individuals with personal information that was compromised immediately. You should also consult individual privacy laws regarding additional requirements (beyond the scope of our recommendation).
Although we recommend you comply as soon as possible, because some of these recommendations stem from other laws, we recommend all sim sites come into compliance no later than May 24, 2018 in order to meet the deadline for GDPR enforceability.
Is there any help available to comply?
Additionally, Bravo Fleet is currently working with Anodyne Productions to see if we can release an update to Nova including the ability for users to delete their own accounts in order to better comply with the easy opt-out provision of GDPR.
Questions or concerns may be directed to JonM and the Bravo Fleet Command Council, although remember we are no replacement for the advice of a legal professional.
A TL;DR isn't a fitting replacement for reading this, but here's a recap...
If you run a sim site, by May 24, 2018, you should:
- implement reasonable security including HTTPS, server and software auto-updates, and strong passwords;
- remove any implied consent in your sign up process by adding explicit privacy consent accounting for the age of majority to your membership process;
- provide an easy way for individuals to remove all personal information you retain about them;
- stop sharing personal information with third-parties; and
- avoid tracking IP addresses or other identifying features of your users.