Home Trending Latest threads New posts Developer diaries

GDPR - automatic data collection?

Jump to latest Follow Reply
  • We have updated our Community Code of Conduct. Please read through the new rules for the forum that are an integral part of Paradox Interactive’s User Agreement.
Show only dev responses
Vjeldan

Vjeldan

Captain
94 Badges
May 9, 2016
414
419
  • Age of Wonders
  • Stellaris: Nemesis
  • Victoria 3 Sign Up
  • Hearts of Iron IV: No Step Back
  • Stellaris: Galaxy Edition
  • Hearts of Iron IV: By Blood Alone
  • Age of Wonders II
  • Age of Wonders: Shadow Magic
  • Age of Wonders III
  • Age of Wonders: Planetfall Sign Up
  • Age of Wonders: Planetfall
  • Age of Wonders: Planetfall Season pass
  • Age of Wonders: Planetfall Premium edition
  • Age of Wonders: Planetfall Deluxe edition
  • Age of Wonders: Planetfall - Revelations
  • Stellaris: Leviathans Story Pack
  • Crusader Kings II: Holy Fury
  • Crusader Kings III: Royal Edition
  • Crusader Kings III
  • Crusader Kings II: The Old Gods
  • Crusader Kings II: Sunset Invasion
  • Crusader Kings II: Jade Dragon
  • Crusader Kings II: Way of Life
  • Crusader Kings II
  • Stellaris: Digital Anniversary Edition
  • Stellaris: Federations
  • Tyranny: Archon Edition
  • Tyranny - Tales from the Tiers
  • Tyranny - Bastards Wound
  • Pillars of Eternity
  • Crusader Kings II: Monks and Mystics
  • Europa Universalis IV: Mandate of Heaven
  • Crusader Kings II: Rajas of India
  • Stellaris
  • Stellaris: Galaxy Edition
  • Stellaris: Galaxy Edition
  • Stellaris: Distant Stars
  • Stellaris: Lithoids
  • Stellaris: Synthetic Dawn
  • BATTLETECH
  • Hearts of Iron IV: Expansion Pass
  • BATTLETECH: Flashpoint
  • BATTLETECH: Season pass
  • BATTLETECH - Digital Deluxe Edition
  • BATTLETECH: Heavy Metal
  • Hearts of Iron IV: La Resistance
  • Stellaris: Ancient Relics
  • Shadowrun Returns
  • Shadowrun: Dragonfall
  • Battle for Bosporus
I want to ask if the General Data Protection Regulation that now has come into effect will change or has changed anything in regards to paradox games?

There was some discussion on automatic data collection some time ago.
The legal policy seems to have changed since then, but does this mean the games do no longer collect data on player behavior, computer software, hardware, etc.?
https://legal.paradoxplaza.com/privacy?locale=en

I realy like many paradox games and since i started playing these games i took every survey i found on this website aimed at improving the games, but i do not like passive data collection without beeing asked and without an option to opt out. As far as i understand this was done in the past and i want to know if this has changed. I didn't read anything about it in any patchnotes.
 
Last edited:
I think that as long as the data collected can't be connected to an actual individual / personal data any company can collect as much as they want without worrying about GDPR.

So if I understand the law they can't connect any data collected to your email, name, steam account, adress or ip for example without your concent. As long as the data is anonymous though it's just statistics and can be collected.
 
Alex_brunius said:
I think that as long as the data collected can't be connected to an actual individual / personal data any company can collect as much as they want without worrying about GDPR.

So if I understand the law they can't connect any data collected to your email, name, steam account, adress or ip for example without your concent. As long as the data is anonymous though it's just statistics and can be collected.
Click to expand...

Yeah one major factor for it to apply is data that is linked or linkable to a person. What exactly constitutes the ability to link data to a person is debatable. But if you just save some olaying habit data eg playtime and played games and played nation etc without saving the ip or mac adress or sth it should be ok
 
I'm by no means an expert at this, but I know as much that data IS still being collected. As mentioned, GDPR covers mostly non-anonymous data (and being clear what the data is being used for).
 
I looked into this a bit more, and this part of the Policy is relevant:
"Data we collect when you use our Services or games:
...
  • Steam ID, PSN ID, Gamertag/Xbox ID, IDFA (iOS), Advertiser ID (Android) or other game platform IDs like IP address, Google Play Advertising ID, Windows Phone Device ID, Twitch user ID, GOG ID or MAC address"
So the data is not anonymous as we collect your Steam ID. However, nothing about our data collection has changed, now it is simply clearer what data we collect, and why.
 
Thanks @Mrop.

In regards to anonymous or non-anonymous data the GDPR also specifies that enough "anonymous data" isn't anonymous any longer, as you can identify a person pretty precicely by pointing out a few "non-personal" information, the same way as you know who is meant when someone says "the tall person with a green shirt in this room". There is no name, but enough data to say who exactly is meant. And to do this with "anonymous data" is common practice.
Also it has to be absolutely clear which data is collected and the collected data has to be necessary(!) to run the service (not just for getting insights) and one has to be able at any point to opt out of data collection. Data can still be used with consent and as this regulation greatly helps to build trust with customers, consumers already are very willing to share data and even more so on basis of trust.
How dangerous unrestricted data collection can become can be seen for example in China (no offense) where you cannot buy a ticket for a plane if you're not in line with the ruling party. In many countries you can loose your job when some erratic program calculates a high probability of you planning a criminal act based on random things you said, or take a look at German history how this escalated even before the internet. It's not just about personalized advertises and market insights for better products, it's the tools for a dystopian future of totaliarianism ready at hand for every opportunity, for control of the masses and eliminating privacy. Yes, data can be of great help for many undertakings, but it's well possible to get these within a regulated and consentful scope, and in the middle to long run companies profit greatly from not having destructive anarchy but a somewhat lawful environment that helps to build trust.

@Paradox: May I ask Paradox to reconsider their practice of data collection and change this in accordance to this law and in responsibility to a changing world in which how we handle data will decide much of our future?
I greatly enjoy Paradox games and I do not wish Paradox games to have any legal or otherwise trouble with this, I like you. Please consider to make data collection optional and by consent, not by force!
 
Vjeldan said:
Thanks @Mrop.

In regards to anonymous or non-anonymous data the GDPR also specifies that enough "anonymous data" isn't anonymous any longer, as you can identify a person pretty precicely by pointing out a few "non-personal" information, the same way as you know who is meant when someone says "the tall person with a green shirt in this room". There is no name, but enough data to say who exactly is meant. And to do this with "anonymous data" is common practice.
Also it has to be absolutely clear which data is collected and the collected data has to be necessary(!) to run the service (not just for getting insights) and one has to be able at any point to opt out of data collection. Data can still be used with consent and as this regulation greatly helps to build trust with customers, consumers already are very willing to share data and even more so on basis of trust.
How dangerous unrestricted data collection can become can be seen for example in China (no offense) where you cannot buy a ticket for a plane if you're not in line with the ruling party. In many countries you can loose your job when some erratic program calculates a high probability of you planning a criminal act based on random things you said, or take a look at German history how this escalated even before the internet. It's not just about personalized advertises and market insights for better products, it's the tools for a dystopian future of totaliarianism ready at hand for every opportunity, for control of the masses and eliminating privacy. Yes, data can be of great help for many undertakings, but it's well possible to get these within a regulated and consentful scope, and in the middle to long run companies profit greatly from not having destructive anarchy but a somewhat lawful environment that helps to build trust.

@Paradox: May I ask Paradox to reconsider their practice of data collection and change this in accordance to this law and in responsibility to a changing world in which how we handle data will decide much of our future?
I greatly enjoy Paradox games and I do not wish Paradox games to have any legal or otherwise trouble with this, I like you. Please consider to make data collection optional and by consent, not by force!
Click to expand...


Well a buch of data that on its own wouldnt allow identification but collectivly can is indeed data thats linkable hence its inside the gdpr. But thats not new. For all firms that also were active in germany much of that was already the case. So i wont count on too great changes. The most noteworthy change is the amount of fines that can be ordered on the base of gdpr
 
I hope Paradox has taken this into account - a significant fine would wipe out future DLC and game plans ....

Some parts of GDPR are unexpected, so storing of IP’s is explicitly non compliant, even if an IP is not logically linked to an individual...

If servers are based outside the EU, but capturing EU citizen data is also a bit unclear
 
So, has any Paradox game added "opt out of in-program telemetry" option in patch yet? Or is the idea that in order to play their games you need to opt in, with no appropriate option to withdraw consent beyond stopping to play their games?
 
Still no opt-out option there. I fear Paradox might not take this into account. And im pretty sure the current practice of data collection is non compliant to the GDPR. I may be wrong, but this is nothing small since the fine would be either
"1) Up to €10 million, or 2% annual global turnover – whichever is higher."
Or
"2) Up to €20 million, or 4% annual global turnover – whichever is higher."
Depending on details.

And i would like Paradox to prosper and continue to make great games. - Just ask for consent before you collect data (within a reasonable scope).
It is like with many other things in life: they're pretty fun (and also good for growing in numbers too), but you should ask for consent first. ;)

Data protection and the GDPR are still underestimated by many, but this is quite important and it is a challenge as well as a chance for companies and consumers alike.
 
GDPR mostly affects you if you pass the data onto a 3rd party (or flat out sell it). Any analytics / diagnostics they collect wont matter as long as they keep them in house.

It's polite to ask but the law is not as draconic as you seem to think it is.
 
BeauNiddle said:
GDPR mostly affects you if you pass the data onto a 3rd party (or flat out sell it). Any analytics / diagnostics they collect wont matter as long as they keep them in house.

It's polite to ask but the law is not as draconic as you seem to think it is.
Click to expand...

It applies to data processing which is:

(2)

‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

Per Article 4.

The contentious part:

3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.

Per Article 7 (emphasis added).

I suppose it falls down on if in-program telemetry is a necessary legitimate interest for video game development (though I'd remark video game development took place before telemetry, so it does not seem necessary in any absolute sense), in which case it would not be purely consent based and the right to easy withdrawal would not seem to apply. I'm also not clear if a service provider has right to refuse already-paid-for service if consent for data processing associated with it is withdrawn.

Link to regulation:

https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.119.01.0001.01.ENG
 
Last edited:
The data collection Johan outlined years ago in EU4 seems like it would clearly be in violation since it included your steam ID and a bunch of play data that wasn't necessary to the operation of the game. I'm curious if they removed all of that.
 
So far, not much has changed and no official statement?
 
We've made several changes to how we collect, process and store your data. In some cases we have stopped using solutions and partners altogether, in other cases we've made changes to further anonymize or "silo" the data, and furthermore we have left it as is to be able to provide online services like cloud saves, ownership etc where we think it's necessary to know which account has the right to access the data. To go through all the details here is not feasible, but we operate solely based on your trust and therefore try to be as transparent as possible.

There are several threads and statements/announcements revolving around our data practices, here are just a couple of examples;
https://www.reddit.com/r/paradoxpla...s_sharing_our_data_with_facebook_and/dz2j9mx/
https://forum.paradoxplaza.com/forum/index.php?threads/buffpanel-and-paradox-games.1111932/

There's even more if you search the forum.

As always, our support team is always available to handle your personal inquiries, which for the same as above reasons can only be discussed once you have authenticated yourself. Remember, we never ask for your password.

/John
 
You must log in or register to reply here.
Top Bottom
Back