In the fifth and final article in the series "Gaming, betting and eSports Law: what do you need to know?" we look at how companies can act ethically, responsibly and in compliance with applicable regulations.
The aim is to provide information that will help companies strengthen their legal security and properly manage the risks involved, so that they can make the most of the opportunities and reap better results from their practices.
Privacy and protection of personal data. Activities involving gaming and eSports practices, although they vary in terms of profile and governance structure, use personal data to carry them out. In other words, data that makes it possible to extract information about the individuals involved in these activities, especially players, bettors and employees.
It is essential that companies have solid governance of personal data in order to mitigate risks and be fully compliant with personal data protection legislation, in particular the General Personal Data Protection Law (LGPD) and its regulation by the National Data Protection Authority (ANPD). Solid governance will also be profoundly strategic if companies are to be able to use data in a legally compliant manner and be well-prepared to receive investments, positioning themselves consistently in the due diligences to which they are subjected.
- Companies also need to be ready to account for their activities. To do so, they must
- - have privacy as a key element of their vision and mission;
- - structure a team responsible for privacy issues and, above all, appoint a Data Protection Officer;
- - draw up and keep up-to-date data inventories, especially records of operations involving personal data, identifying and mapping all the legal bases and producing the relevant documents;
- - establish routines that consolidate the ideal of privacy by design so that privacy and the protection of personal data are integrated into all the organization's activities;
- - carrying out all relevant and necessary assessments, such as:
- o balancing tests for activities that draw on legitimate interest;
- o data protection impact reports for high-risk data processing and other situations;
- o artificial intelligence assessments;
- o supplier assessments;
- o assessments of information security controls and routines; and
- o relevant due diligence
- - drawing up and updating privacy policies and notices;
- - draw up and maintain a plan for responding to requests from personal data subjects.
- - implement training and awareness-raising measures for professionals;
- - properly prepare the company's contracts, with a clear configuration of the role of the processing agent and other relevant clauses;
- - adopt all technical or administrative measures to prevent any unlawful or inappropriate processing of personal data and privacy incidents, including drawing up a privacy incident response and remediation plan that includes simulated exercises to check risks and procedures in practice.
Nudges techniques and dark patterns. In order to maintain compliance with applicable legislation, especially on privacy and protection involving specific audiences such as children, adolescents and the elderly, it is highly recommended to avoid adopting nudges techniques and dark patterns.
Preventive technical and legal assessments are great initiatives to mitigate risks and avoid wasting investments. They can prevent the release of games that don't comply with best practices, or that require disrupting the production flow in order to make corrections or adjustments.
- Nudges techniques are resources used in the course of the game that guide or lead the user to follow the path that the developer wants. However, if the technique or this "path" harms the player's rights, these practices should be avoided.
- Dark patterns are nudges techniques that are more ostentatious or exert greater pressure on the user to choose what is best for the developer. Examples of what should be avoided in the initial evaluation and development of the practice, product or service - whatever its modality or platform of use - include the following features:
- play to skip, in which players are "invited" to pay a fee to make progress during the game;
- play to unlock, in which players are "invited" to pay an amount to unlock certain stages of the game or specific content; and
- dayly rewards, in which players receive prizes or in-game items on a daily basis, prompting them to play the game regularly.
Children and adolescents. Considered one of the main target audiences for these practices, there are concerns and risks directly related to the protection of children and adolescents. It is important to ensure that the development of practices aimed at this audience are in line with legislation, especially the Statute of the Child and Adolescent (ECA), the Consumer Protection Code (CDC) and the LGPD.
The mitigation of legal risks and the credibility of games are directly related to the ability of companies to include legal protection parameters in the game development process. Legal assessments and alignments are fundamental.
Among the main measures to be considered are:
- adopting mechanisms to identify players under the age of 18 with a high degree of accuracy and implementing tools and communications that discourage false declarations of age.
- prioritizing practices and initiatives that are not harmful to the health and well-being of children. For example, it is advisable to adopt measures to discourage playing games for long periods of time. These measures include:
- introducing frequent checkpoints;
- avoiding the use of loot boxes which make it a condition of eligibility to remain in the game for a long period of time;
- adopting age-related protocols to encourage players to take breaks; and
- not associating game results or success during the game with long periods of permanence.
- pay attention to misleading (not in line with reality) and abusive (taking advantage of the fragility or ignorance of children) advertising practices aimed at marketing games, services or related items.
- prioritize as a standard the non-adoption of profiling of players for marketing or advertising purposes, especially those related to monitoring user behavior.
- implement measures to monitor or control games, advertising and player migrations to third-party activities that may not be at the same level of suitability and compliance.
- avoid the use of nudges techniques and dark patterns in the players' journey, mainly due to the greater vulnerability of this audience.
- adopt appropriate means to identify inappropriate or illegal behavior in interaction spaces (video, chat, etc.), including extreme situations in which adults participate in the game to commit crimes related to exposure and/or child pornography.
Artificial intelligence. Practices use artificial intelligence tools in a large part of their processes and operations. It is important for companies to seek the legal certainty necessary for the use of artificial intelligence, by adopting best practices for the use of this technology, in order to minimize risks, maximize opportunities and guarantee adequate levels of ethics, transparency, reliability and information security.
Among the initiatives, we recommend:
- develop and apply frameworks and solutions for ethical governance and legal compliance, with the identification of applicable ethical parameters, legislation and national and foreign precedents, highlighting, for example, the recent approval of the AI Act by the European Union;
- drawing up applicable transparency policies and documents;
- preparing the necessary assessments, such as those relating to the protection of personal data and the use of artificial intelligence;
- evaluate and contract suppliers;
- monitor and audit artificial intelligence systems; and
- training and raising awareness among the teams responsible, including policies on the conscious use of these systems to protect personal data and the company's intellectual property.
Information security. Information security is also a highly sensitive issue. Companies need to be prepared to mitigate the risks of digital fraud, cyber attacks and crises, as well as being ready to respond appropriately to all these situations.
It is essential that companies focus on:
- preparation, developing appropriate plans and structures to manage cyber risk and respond to incidents quickly and effectively. To this end, it is advisable to draw up and review response plans, policies, contracts, campaigns, codes of conduct and corporate governance structures to reduce exposure to risk and guarantee the preservation of electronic evidence, based on best market practices, ISO ABNT 27.000 and 31.000 standards, COBIT, ITIL, NIST practices, comparative law and current legislation.
- response, remaining prepared to contain the negative impacts of the event, ensure business continuity and protect the brand's reputation. To this end, it is recommended that companies be ready to investigate incidents, preserve the necessary evidence, manage crises by interacting with authorities and regulators, senior management and other stakeholders such as employees, suppliers and customers.
- remediation, remaining prepared to mitigate the impact of legal actions resulting from the incident - including liability - class actions, administrative proceedings, among others. It is also recommended that companies be prepared to review incidents in a process of evaluating gaps and lessons learned that helps strengthen the organization's information security.
 Profiling is any form of automated processing of personal data that evaluates personal aspects relating to an individual. The aim is to analyze or predict aspects relating to the data subject's performance, economic situation, health, personal preferences or interests, reliability or behavior, location or movements.