This is a very important post from Casper Tech, a Europe-based developer of Second Life content (vendors, in this case), pointing out that the EU is putting the General Data Protection Regulation into effect next month. And while the law might seem to target major companies like Facebook and Google (and it does), it also applies to third-party developers for online worlds like Second Life, not to mention all the others now launching:
The GDPR now considers electronic information such as IP addresses and even usernames (including avatar names) to be personal data.
The GDPR makes you liable if your upstream provider (such as Second Life, your vendor system, webhost, cloud storage provider, email provider) breaks the rules or misuses your data.
The regulations apply based on the individual's location. If you do business in Second Life, you are certainly doing business with EU citizens.
The new regulations apply to every business, even if you're an unregistered sole trader who only makes a few transactions per year.
Linden Lab and other established companies will, of course, also need to comply with these regulations, but they already have the resources and staff to do so. Small third-party providers -- even news blogs like the one you're reading now -- will have more difficulty complying:
"Basic sales data is perfectly fine as it is required for businesses. However, personal data such as IP addresses, email addresses, and locations [is regulated a]s well as demographics," SL developer Oobleck Allagash of Pocket Gacha tells me. The GDPR requires "that you disclose it, that you are transparent (in who you are) and that you allow your followers to opt out and delete it."
There are many virtual world brands that track this information; under the GDPR they will need to either stop doing so or disclose it and let users opt out and have it deleted, as described above. Other brands will need to change how they communicate with and market to users:
If you wish to send marketing (non-transactional) information to anyone through use of their avatar name or e-mail address, you are legally required to explicitly obtain consent to do this. This means that "greeters" which automatically add avatars to a mailing list are now illegal. Consent must also be very clearly stated. You can't bury it in your terms of service. You cannot pre-fill the checkbox, or include it with some other agreement... You can no longer hold marketing databases like "mailing lists" without EXPLICIT (opt-in) consent. This applies retroactively. If you have previously generated a mailing list without explicitly getting permission to do so from the individuals concerned, you must destroy this data (or obtain consent from each individual) before the 25th of May deadline.
I'm still learning about the subtleties of these regulations myself, so I'm not sure how exactly they'll apply to services based outside the EU. I'm also not sure how they'll be enforced against small companies. However, I can easily see them being used as a cudgel by competitors, much the same way the United States' DMCA can be weaponized for competitive purposes. More on this soon.
"The GDPR makes you liable if your upstream provider (such as Second Life, your vendor system, webhost, cloud storage provider, email provider) breaks the rules or misuses your data." (third paragraph)
Can you explain this further? Are you saying that if, for example, Second Life breaks the rules, it makes ME liable?
Posted by: Jane | Tuesday, April 17, 2018 at 02:26 AM
"This means that "greeters" which automatically add avatars to a mailing list are now illegal."

"You can no longer hold marketing databases like "mailing lists" without EXPLICIT (opt-in) consent"
And thank god for that. It's been FAR, FARRRR too ridiculous to remove yourself from mailing lists and spam lists in SL for far too long. I've been trying to remove my old main from the subscriber lists of all the (MANY) places that spam me with notices each day, hoping I can use it again. People literally go out of their way to hide where the unsubscriber is. Some even go so far as to put them in areas that you can't reach without being booted immediately by a bot. Some of these, of course, are my fault, since I added myself to them, but if I want to remove myself I should have the option. It's dubious at best and a poor reflection on your store if you make it hard, if not impossible, to remove myself from that list. It definitely doesn't make me want to shop there again. Making this illegal will be beneficial even to those NOT in Europe, since it's easier to just remove everyone from a list than to try to figure out who's from Europe and who's not.
Posted by: madeline blackbart | Tuesday, April 17, 2018 at 02:55 AM
It's a bigger deal for grids since they are generally the "Data Processor" in this case. But yes, if a business is collecting and storing data about individual users as well, they too will need to have a way to both ensure opt-in and a way to remove the data should an EU resident request that. In particular these requirements are especially problematic for the decentralized hypergrid. It would be interesting to see how this would be handled in the courts if a request for a takedown was made to a "home grid" and information about an individual was spread all over the HG destinations they touched. As the "owner" of the account, I can see the courts making the home grid responsible for fulfilling the request...
Posted by: Mike Dickson | Tuesday, April 17, 2018 at 07:36 AM
Linden Lab no longer has a physical presence within the European Union and I seem to recall that Linden Research is a Delaware corporation, so, except for those physically within an EU nation, I don't believe the majority of SL business owners need to worry at all about compliance with these particular EU regulations. Our laws - here in the US at least - are quite different and take precedence. Nobody is going to have to go banning EU residents or anything draconian like that.
Posted by: David Cartier | Tuesday, April 17, 2018 at 06:36 PM
Mike Dickson wrote:
> In particular these requirements are especially problematic for the decentralized hypergrid.
Han Held replies:
The EU's attitude towards GDPR compliance takes the number of employees and the type of data into account.
I just did a quick google and found this tidbit about "enterprises" (is a home hobby even an enterprise? If you're not raising or exchanging funds it's doubtful that you'd be considered an enterprise):
"The GDPR broadly expects all small and medium-sized enterprises (SMEs) to comply in full with the Regulation, but it makes some exceptions for organisations that have fewer than 250 employees.
The Regulation acknowledges that many SMEs pose a smaller risk to the privacy of data subjects than larger organisations. For example, Article 30 of the Regulation states that organisations with fewer than 250 employees are not required to maintain a record of processing activities under its responsibility, unless “the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data […] or personal data relating to criminal convictions and offences”."
https://www.itgovernance.eu/blog/en/does-the-gdpr-apply-to-me
If you run a grid from home DO YOUR OWN research, but when you do so you'll likely come to the same conclusion that I have. If you don't make money and you have fewer than 350 employees, then you're probably fine.
Of course, I'm not a lawyer
But then again, I'm also not Chicken Little (for a change!)
Posted by: Han Held | Tuesday, April 17, 2018 at 07:06 PM
Has anyone figured out how they will enforce this on non-EU residents?
As of 2013, there were 152 million bloggers...
How many are figuring out how totalitarian the nanny state is and how fast they are eating our freedoms in an effort to supposedly protect us?
The UK took guns. They were told criminals would use other weapons. Now the London mayor wants to control knives because London's murder rate exceeds NYC's. The nanny state's thinking doesn't work.
Posted by: Nalates Urriah | Wednesday, April 18, 2018 at 09:02 AM
@David Cartier
"Linden Lab no longer has a physical presence within the European Union and I seem to recall that Linden Research is a Delaware corporation, so, except for those physically within an EU nation, I don't believe the majority of SL business owners need to worry at all about compliance with these particular EU regulations."
However, they still have to abide by EU laws - I get charged 20% VAT (think sales tax) on my membership and tier payments simply because I live in the EU. With its various cases against Google and Microsoft, it's not a stretch to believe the EU might decide that Linden Lab is responsible, especially as data stored in scripts in greeters is on Linden servers.
Ultimately, I think it will mean that the greeters that add you to a mail list without a choice in the matter will disappear and to be on the safe side, it took me 10 minutes to add a "Privacy Policy" for our venue covering the regulations.
Posted by: ShenanigansSL | Thursday, April 19, 2018 at 04:54 AM