Scarberia brings up a lot of interesting points in his(?) analysis of the current state of the game business, but first reaction I have is, “Who’s business are we talking about exactly?”
Thinking of the game industry as a complex ecosystem is a good one, but often the lions of business neglect to recognize the full spectrum of cohabitants within the same environment. To say that many of the big companies in the game industry are hurting right now is a no brainer. However, that’s a limited point of view that fails to recognize that games, as a medium, are more vibrant and interesting and broader than they have ever been – and, in fact, there are tremendous business opportunities for those willing and able to grab at them.
Scarberia seems to lament over how the business was so easy back in the day. Well sure, the good old days are over and now we’ve got to really earn it. Sticking with the ecosystem metaphor, it is indeed survival of the fittest. And, in the fast changing game industry, fitness is more directly correlated to the ability to adapt than corporate might per se.
A recent analysis from DFC looked at the profitability of publishers across the West, Japan and the rest of Asia. In summary, the Western publishers are growing revenue, but profitability has been taking a nose dive. Conversely, publishers in Asia (Korea in particular) who are more service oriented may not be grossing as much, but are maintaining decent profitability. In part, this is due to their abandonment of the old ways of doing business. Or more precisely, they never bothered to adopt the old ways to begin with.
Korean publishers, as we all know, were quick to exploit online subscription models and leverage game cafĂ© play, largely as a way to jump over the piracy hurdle. Now they are pioneering the micro-transaction model (aka “free-2-play”). And, it is through these innovations in business and distribution models that tremendous new value has been created. (No disrespect to Korean developers, but from a design/content point of view, they’ve essentially been cloning the West.) As game biz veteran Mitch Lasky recently echoed at the Game Business Law Summit, Western publishers have not given innovation in business/distribution models much attention.
And why would they? The EAs of the world are the entrenched players – the lions at the top of the food chain – that are now trapped by their own success. This dilemma is not unique the game industry, but is one that is faced by all successful businesses in a changing marketplace. In order to embrace new ideas fully, they must abandon their current revenue streams (e.g., selling discs in boxes at retail, or selling shooters to young males, etc). Thus, a dilemma between what works today and what will work tomorrow is created, along with the ensuing aversion to the risk of switching. To reiterate, it is the very success that got EA (and the other big publishers) to where it is, that is now holding it back. In short, it is a species that is overly optimized for the old ecosystem, and is now struggling to adapt.
And so, it is often left to the new players – or the existing ones that are most adaptable – to dive into the chaos and succeed. Again, largely by pioneering the business and distribution side of things.
Bigger is not always better, and blindly following the tech curve for tech’s sake is not the answer anymore (refer to the anemic horsepower of the Wii or the dominance of Flash online). True talent will always find a market – not because they deserve to, but because they’ve earned it.
Much like the failings of the music business to hold onto their monopoly of pressing CDs and pushing them to retailers, I’m not much interested in maintaining the status quo within the game “business”. The music “business” (i.e., selling CDs at retail) may be on its last gasps, but music on the whole is booming and exploding with countless opportunities for talented artists. If the current economic climate forces the game ecosystem to evolve a little more rapidly than some would hope for, well too bad. On the whole, I see that as a good thing for the evolution of games.
Monday, February 23, 2009
Friday, February 20, 2009
Uh-Oh, we lost the data
Continuing with the theme of my last two posts, I want to touch on an issue facing more and more companies doing business in the U.S. That is, the loss, theft or other unauthorized access to the customer data you collect. And, more specifically, your obligations under various state laws when it happens.
It is, of course, quite common for companies to collect and retain information about the identities and buying habits of their customers. Various state and federal laws address what can be collected and the steps companies must take to restrict access to that information. As noted earlier, in the U.S., these rules generally apply only to specific types of protected information – financial, health, and information about children – and particular methods of collection. But, the fact that you may not collect information that is subject to these laws and regulations does not mean you are home free. To the contrary, even if the information you collect is not protected information, you may have obligations if the information falls into the wrong hands.[1] And, in some instances (as under Minnesota’s law), you may have financial liability for losses that result from a security breach.
The newspapers in recent months have been filled with stories of data breaches – accidental and intentional. This runs the gamut from selling a computer without removing the hard drive to a major hack of a company’s security system. If this happens to you and you have customers in the U.S., it is quite likely you will be subject to one (likely more) of the state laws governing data security and breach. Indeed, at this point more than 44 states have enacted data breach laws. Several have adopted or proposed laws that, in addition to requiring customer notification in the event of breach, go further and impose criminal penalties for failure to notify customers of a data breach and civil liability to banks for breaches of payment card data.
So, what is covered here and what are your obligations if it happens to you? As you might expect, the various state laws are not identical. As a result, if you are the victim of a data breach you will need to examine where your customers reside and examine/comply with the laws for each implicated jurisdiction.[2] Fortunately, however, these laws do have some common features:
First, most of these laws cover only personally identifiable information. That is, information from which a person might be able to identify the customer. This would include the customer’s name, social security number, date or place of birth, mother’s maiden name, identification card or credit card number in combination with a password or access code. Most, but not all, of the state laws provide a safe harbor for information that is encrypted.
Second, most states require you to give notice regardless of the potential risk that the information will be misused.
Third, the statutes define how you must deliver the notice and when. Typically, notice may be delivered in writing, electronically (with the customer’s consent) or by publication (web site or newspaper, etc.) if other methods are not likely to result in notice to the customer or the cost of notice would exceed a specified dollar amount, usually $250,000. Although some laws specific time periods within notice is required to be given (10- 45 days), others require notice “in the most expedient time possible and without unreasonable delay”.
Fourth, some state laws also require you to make arrangements for consumers to obtain a credit freeze to prevent disclosure of a credit report to a credit bureau.
Finally, many of the state laws provide forms for the notices you must use.
The bottom line here is that if you collect information from customers located in the U.S. you need to be aware not only of the rules governing the collection and security of such information, but your obligations if your security efforts fail. And, as part of this process, you should adopt policies regarding the collection and access to such information, with regular audits to confirm compliance with these policies. Of course, these policies also need to address who within your company will be responsible for determining if a breach has occurred and if notice or more aggressive steps are required to comply with applicable laws.
Be sure to tune back in a couple of weeks. We will look at user generated content and other ip issues. And, for questions about various privacy and data breach requirements, contact Scott Warner (sgwarner@gsblaw.com) or James Dunstan (jdunstan@gsblaw.com).
[1] This would be in addition to any contract liability you may have to your customer if you fail to comply with the terms of your privacy policy. And, remember, that in some states failure to comply with your privacy policy may be a violation of state law. See, for example, California Bus. and Prof. Code section 22575-22579.
[2] These laws are not limited to customer information; they apply to anyone about whom you collect information. And most impose obligations regardless of where you are located; the obligations are triggered based on where the customer resides.
It is, of course, quite common for companies to collect and retain information about the identities and buying habits of their customers. Various state and federal laws address what can be collected and the steps companies must take to restrict access to that information. As noted earlier, in the U.S., these rules generally apply only to specific types of protected information – financial, health, and information about children – and particular methods of collection. But, the fact that you may not collect information that is subject to these laws and regulations does not mean you are home free. To the contrary, even if the information you collect is not protected information, you may have obligations if the information falls into the wrong hands.[1] And, in some instances (as under Minnesota’s law), you may have financial liability for losses that result from a security breach.
The newspapers in recent months have been filled with stories of data breaches – accidental and intentional. This runs the gamut from selling a computer without removing the hard drive to a major hack of a company’s security system. If this happens to you and you have customers in the U.S., it is quite likely you will be subject to one (likely more) of the state laws governing data security and breach. Indeed, at this point more than 44 states have enacted data breach laws. Several have adopted or proposed laws that, in addition to requiring customer notification in the event of breach, go further and impose criminal penalties for failure to notify customers of a data breach and civil liability to banks for breaches of payment card data.
So, what is covered here and what are your obligations if it happens to you? As you might expect, the various state laws are not identical. As a result, if you are the victim of a data breach you will need to examine where your customers reside and examine/comply with the laws for each implicated jurisdiction.[2] Fortunately, however, these laws do have some common features:
First, most of these laws cover only personally identifiable information. That is, information from which a person might be able to identify the customer. This would include the customer’s name, social security number, date or place of birth, mother’s maiden name, identification card or credit card number in combination with a password or access code. Most, but not all, of the state laws provide a safe harbor for information that is encrypted.
Second, most states require you to give notice regardless of the potential risk that the information will be misused.
Third, the statutes define how you must deliver the notice and when. Typically, notice may be delivered in writing, electronically (with the customer’s consent) or by publication (web site or newspaper, etc.) if other methods are not likely to result in notice to the customer or the cost of notice would exceed a specified dollar amount, usually $250,000. Although some laws specific time periods within notice is required to be given (10- 45 days), others require notice “in the most expedient time possible and without unreasonable delay”.
Fourth, some state laws also require you to make arrangements for consumers to obtain a credit freeze to prevent disclosure of a credit report to a credit bureau.
Finally, many of the state laws provide forms for the notices you must use.
The bottom line here is that if you collect information from customers located in the U.S. you need to be aware not only of the rules governing the collection and security of such information, but your obligations if your security efforts fail. And, as part of this process, you should adopt policies regarding the collection and access to such information, with regular audits to confirm compliance with these policies. Of course, these policies also need to address who within your company will be responsible for determining if a breach has occurred and if notice or more aggressive steps are required to comply with applicable laws.
Be sure to tune back in a couple of weeks. We will look at user generated content and other ip issues. And, for questions about various privacy and data breach requirements, contact Scott Warner (sgwarner@gsblaw.com) or James Dunstan (jdunstan@gsblaw.com).
[1] This would be in addition to any contract liability you may have to your customer if you fail to comply with the terms of your privacy policy. And, remember, that in some states failure to comply with your privacy policy may be a violation of state law. See, for example, California Bus. and Prof. Code section 22575-22579.
[2] These laws are not limited to customer information; they apply to anyone about whom you collect information. And most impose obligations regardless of where you are located; the obligations are triggered based on where the customer resides.
Thursday, February 19, 2009
More Thoughts from Scott: Personal Information Collection Laws and Children
Continuing on the theme of issues relating to information collection and use (I will have another installment tomorrow on data breach obligations), my colleague in Washington, D.C., has put together a little something on COPPA and the CAN-SPAM Act. I know, these sound like the fixings for a sandwich. But truly, these are laws that can actually get you into real trouble if you don’t pay close attention. And, that’s not always easy. COPPA was well intentioned, but is not a model of clarity and the hoops you have to jump through to comply, well let’s just say, it is probably not the most efficient use of resources. Anyway, check out Jim’s report below and tune in tomorrow for a brief guide on your obligations if any of the information you collect gets into the wrong hands. Scott G. Warner (sgwarner@gsblaw.com) .
Hey Sony! Leave Those Kids Alone!: How Sony Managed to Run Afoul of the U.S.’s COPPA regulations to the tune of $1 million
Canadian game companies wanting to do business in the United States, whether it be offering games and gaming services to U.S. customers, or providing software or development services to U.S. publishers, need to be aware of several sets of U.S. laws related to privacy, and especially the private information related to children under the age of 13. Two of these, the Children’s Online Privacy and Protection Act of 1998 (COPPA), and the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM Act), have been in the news lately. What gets real interesting, which I’ll discuss below, is what happens when COPPA and CAN-SPAM run into each other headlong – think alphabet pea soup (or your own least favorite soup with random letters floating in it).
First, if you’re having problems wrapping your head around the concept of hashing e-mail addresses and building multiple layers of security systems into your website flow to make sure you don’t collect information you are not supposed to, take heart, even the giants stumble, and stumble badly.
Demonstrating that even the biggest companies can run afoul of privacy protection laws, Sony BMG Music has agreed in January, 2009, to pay the largest fine ever levied COPPA. The case makes clear that COPPA applies not only to Web sites that specifically cater to children under the age of 13, but also to Web sites that knowingly collect personal identifiable information (PII) from children under 13.
The United States Federal Trade Commission (FTC), delegated the authority to enforce COPPA in the United States, filed both a Complaint and a Consent Decree in the U.S. District Court in New York on December 11, 2008, charging that Sony operated some 1,100 Web sites promoting its music and recording artists, and of those websites, close to 200 collected visitors’ e-mail addresses, date of birth, gender, zip code, country, user names, and in some cases, street addresses (examples of PII). The FTC determined that over 30,000 children under the age of 13 registered on the Web sites, and Sony had actual knowledge that it had collected PII, without first obtaining parental consent as required by COPPA. Sony’s own Privacy Policy warned children under 13 not to provide such PII, but the offending Web sites required a visitor to enter the information in order to gain access to the Web site. Sony also allowed children under 13 to create their own fan pages, including posting their age and picture, without first receiving parental consent. The FTC summarized its charges as follows:
In at least 30,000 instances, Sony Music collected, used, and/or disclosed personal information from children without first providing their parents with notice of its information practices, either on the defendant’s Web sites or directly, without obtaining verifiable consent from the parents prior to the collection, use, or disclosure and without providing parents with reasonable procedures to access their children’s information and to refuse to permit its further use or maintenance.
Rather than fight the FTC, Sony entered into a Consent Decree agreeing to abide by COPPA and paying a $1 million fine.
Meanwhile, the Children’s Advertising Review Unit (CARU), has recommended that AOL modify its websites http://www.aol.com/ and http://www.kids.aol.com/ because, according to CARU, they may not comply with COPPA. It seems that when registering for an AOL e-mail address, potential registrants are asked to provide various forms of PII, including their first and last name and desired e-mail address. They are also asked for their date of birth. If a prospective member enters a birthday corresponding to an age below 13, a message appears stating, “You must be over 13 years of age to register for this service.” The registrant is then able to change the previously entered birthday to one indicating an age above 13 in the same window and complete the registration. There is no session cookie in place to prevent users from circumventing the age screening. As Homer Simpson would say: “D’OH!” Prohibiting kids from changing their ages to above 13, or backing out so they can reregister as a 12-plus are fundamental to COPPA compliance.
There’s even a wonderful website out there that collects up COPPA stories, and specifically the excuses people give to try and argue that they’re 13 or older. A few are listed below, but visit http://www.coppakids.com/ for a good laugh:
“i am 15 years old,DUH!,if you don’t let me sign up, i am going to make a big fuss about it.”
“I cannot sign up. I was 13 yesterday and just got into the habbit of smoking. Hope that does not effect the was I sigh up.”
“hey [company name] people can you erase the thing on my computer that says you are under the age of 13 because im 20. p.s. you are all bitch for doing that.”
“i cant register :) i have 14 years but this web show tat i have only 12 or under! i need a Girl Friend”
The fact that COPPA was enacted more than ten (10) years ago, and large companies still can’t seem to get it right should make smaller game developers shudder (or better yet, run to engage competent counsel who can help navigate the COPPA waters).
So, in a nutshell, here is what you need to do to be COPPA-compliant for all websites and online communities (including game communities):
You can’t collect “Personally Identifiable Information” (“PII”) of children under 13 years old unless you get prior parental consent. “PII” equals any information that can be used to identify and contact a child. This includes first and last name, street address, e-mail address, AND IM screen name if identified with a particular IM service
COPPA applies where: You host a site that can reasonably expect to be visited by a large number of children under 13, or you have actual knowledge, however acquired, that a particular visitor/subscriber is under 13. Special attention needs to be paid if you’ve got a game or website that’s got chat rooms where kids can blab PII around, especially if you (according to your Privacy Policy and Terms of Service) say that you are monitoring the chat.
In signing up subscribers you must be careful not to set up your site to allow under 13 visitors to lie about their age by asking questions that encourage a child to lie, or that allow a child to back out of a sign up process and then reenter an older age when it is clear that they can’t sign up if they are under 13 (see the discussion of American Online above).
In addition, COPPA requires that you:
Post a privacy policy on the homepage of the website and link to the privacy policy everywhere personal information is collected
Give parents the choice to consent to the collection and use of a child's personal information for internal use by the website, and give them the chance to choose not to have that personal information disclosed to third parties.
Provide parents with access to their child's information, and the opportunity to delete the information and opt out of the future collection or use of the information.
Not condition a child's participation in an activity on the disclosure of more personal information than is reasonably necessary for the activity.
Maintain the confidentiality, security and integrity of the personal information collected from children.
We’ll visit CAN-SPAM in more depth in a future blog, but there is an interesting conflict brewing between COPPA and CAN-SPAM. CAN-SPAM requires that any advertising e-mail clearly identify itself as being advertising, contain a valid e-mail return address, contain a real world “snail mail” address, clearly identify the sender of the e-mail, and provide the recipient an opportunity to opt out of future advertising.
Last year, the FTC revised its CAN-SPAM rules to specifically say that “forward to a friend” promotional e-mails had to abide by both CAN-SPAM and COPPA. Here’s an example. Suppose hypothetical toy manufacturer WikiDolls has an online community that consists of children under 13. It runs a promotion whereby it invites its subscribers to send an e-mail to their friends inviting them to join. Little Janie is registered and her parents have agreed to WikiDolls collecting PII from her. Little Janie now enters her under-13 BFFL Suzy’s e-mail address in the forward to a friend e-mail form provided by WikiDolls. According to the FTC’s interpretation of CAN-SPAM and COPPA, WikiDolls can’t save Suzy’s e-mail address, because her parents have not consented to the retention of the PII. Further, the disclosure of Janie’s e-mail address to Suzy, even if wrapped in a CAN-SPAM proper wrapper, might itself violate WikiDoll’s Privacy Policy. The end result – WikiDolls is going to have a difficult time marketing its site in this manner. Again, quiver in terror, or get a good lawyer who can help you with this and understands all the nuances of hashing e-mail addresses.
I’ll close with one final anecdote. I had a client recently who complained bitterly that I was being too conservative in my approach to CAN-SPAM and COPPA, finally saying IN ALL CAPS in an e-mail, “Well XXXXXXXX doesn’t do it that way!” As it turns out, XXXXXXX was a Canadian company. When I pointed that out to the client, their response (in the moral equivalent of a very small font) was “never mind.” Funny thing is that the Canadian company sold out to a U.S. company that continues to fail to comply with CAN-SPAM and COPPA. But given the stories above, I guess that shouldn’t surprise anyone.
If you have any other questions about COPPA or CAN-SPAM compliance, please contact Jim Dunstan at (202) 298-2534 or jdunstan@gsblaw.com.
Hey Sony! Leave Those Kids Alone!: How Sony Managed to Run Afoul of the U.S.’s COPPA regulations to the tune of $1 million
Canadian game companies wanting to do business in the United States, whether it be offering games and gaming services to U.S. customers, or providing software or development services to U.S. publishers, need to be aware of several sets of U.S. laws related to privacy, and especially the private information related to children under the age of 13. Two of these, the Children’s Online Privacy and Protection Act of 1998 (COPPA), and the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM Act), have been in the news lately. What gets real interesting, which I’ll discuss below, is what happens when COPPA and CAN-SPAM run into each other headlong – think alphabet pea soup (or your own least favorite soup with random letters floating in it).
First, if you’re having problems wrapping your head around the concept of hashing e-mail addresses and building multiple layers of security systems into your website flow to make sure you don’t collect information you are not supposed to, take heart, even the giants stumble, and stumble badly.
Demonstrating that even the biggest companies can run afoul of privacy protection laws, Sony BMG Music has agreed in January, 2009, to pay the largest fine ever levied COPPA. The case makes clear that COPPA applies not only to Web sites that specifically cater to children under the age of 13, but also to Web sites that knowingly collect personal identifiable information (PII) from children under 13.
The United States Federal Trade Commission (FTC), delegated the authority to enforce COPPA in the United States, filed both a Complaint and a Consent Decree in the U.S. District Court in New York on December 11, 2008, charging that Sony operated some 1,100 Web sites promoting its music and recording artists, and of those websites, close to 200 collected visitors’ e-mail addresses, date of birth, gender, zip code, country, user names, and in some cases, street addresses (examples of PII). The FTC determined that over 30,000 children under the age of 13 registered on the Web sites, and Sony had actual knowledge that it had collected PII, without first obtaining parental consent as required by COPPA. Sony’s own Privacy Policy warned children under 13 not to provide such PII, but the offending Web sites required a visitor to enter the information in order to gain access to the Web site. Sony also allowed children under 13 to create their own fan pages, including posting their age and picture, without first receiving parental consent. The FTC summarized its charges as follows:
In at least 30,000 instances, Sony Music collected, used, and/or disclosed personal information from children without first providing their parents with notice of its information practices, either on the defendant’s Web sites or directly, without obtaining verifiable consent from the parents prior to the collection, use, or disclosure and without providing parents with reasonable procedures to access their children’s information and to refuse to permit its further use or maintenance.
Rather than fight the FTC, Sony entered into a Consent Decree agreeing to abide by COPPA and paying a $1 million fine.
Meanwhile, the Children’s Advertising Review Unit (CARU), has recommended that AOL modify its websites http://www.aol.com/ and http://www.kids.aol.com/ because, according to CARU, they may not comply with COPPA. It seems that when registering for an AOL e-mail address, potential registrants are asked to provide various forms of PII, including their first and last name and desired e-mail address. They are also asked for their date of birth. If a prospective member enters a birthday corresponding to an age below 13, a message appears stating, “You must be over 13 years of age to register for this service.” The registrant is then able to change the previously entered birthday to one indicating an age above 13 in the same window and complete the registration. There is no session cookie in place to prevent users from circumventing the age screening. As Homer Simpson would say: “D’OH!” Prohibiting kids from changing their ages to above 13, or backing out so they can reregister as a 12-plus are fundamental to COPPA compliance.
There’s even a wonderful website out there that collects up COPPA stories, and specifically the excuses people give to try and argue that they’re 13 or older. A few are listed below, but visit http://www.coppakids.com/ for a good laugh:
“i am 15 years old,DUH!,if you don’t let me sign up, i am going to make a big fuss about it.”
“I cannot sign up. I was 13 yesterday and just got into the habbit of smoking. Hope that does not effect the was I sigh up.”
“hey [company name] people can you erase the thing on my computer that says you are under the age of 13 because im 20. p.s. you are all bitch for doing that.”
“i cant register :) i have 14 years but this web show tat i have only 12 or under! i need a Girl Friend”
The fact that COPPA was enacted more than ten (10) years ago, and large companies still can’t seem to get it right should make smaller game developers shudder (or better yet, run to engage competent counsel who can help navigate the COPPA waters).
So, in a nutshell, here is what you need to do to be COPPA-compliant for all websites and online communities (including game communities):
You can’t collect “Personally Identifiable Information” (“PII”) of children under 13 years old unless you get prior parental consent. “PII” equals any information that can be used to identify and contact a child. This includes first and last name, street address, e-mail address, AND IM screen name if identified with a particular IM service
COPPA applies where: You host a site that can reasonably expect to be visited by a large number of children under 13, or you have actual knowledge, however acquired, that a particular visitor/subscriber is under 13. Special attention needs to be paid if you’ve got a game or website that’s got chat rooms where kids can blab PII around, especially if you (according to your Privacy Policy and Terms of Service) say that you are monitoring the chat.
In signing up subscribers you must be careful not to set up your site to allow under 13 visitors to lie about their age by asking questions that encourage a child to lie, or that allow a child to back out of a sign up process and then reenter an older age when it is clear that they can’t sign up if they are under 13 (see the discussion of American Online above).
In addition, COPPA requires that you:
Post a privacy policy on the homepage of the website and link to the privacy policy everywhere personal information is collected
Give parents the choice to consent to the collection and use of a child's personal information for internal use by the website, and give them the chance to choose not to have that personal information disclosed to third parties.
Provide parents with access to their child's information, and the opportunity to delete the information and opt out of the future collection or use of the information.
Not condition a child's participation in an activity on the disclosure of more personal information than is reasonably necessary for the activity.
Maintain the confidentiality, security and integrity of the personal information collected from children.
We’ll visit CAN-SPAM in more depth in a future blog, but there is an interesting conflict brewing between COPPA and CAN-SPAM. CAN-SPAM requires that any advertising e-mail clearly identify itself as being advertising, contain a valid e-mail return address, contain a real world “snail mail” address, clearly identify the sender of the e-mail, and provide the recipient an opportunity to opt out of future advertising.
Last year, the FTC revised its CAN-SPAM rules to specifically say that “forward to a friend” promotional e-mails had to abide by both CAN-SPAM and COPPA. Here’s an example. Suppose hypothetical toy manufacturer WikiDolls has an online community that consists of children under 13. It runs a promotion whereby it invites its subscribers to send an e-mail to their friends inviting them to join. Little Janie is registered and her parents have agreed to WikiDolls collecting PII from her. Little Janie now enters her under-13 BFFL Suzy’s e-mail address in the forward to a friend e-mail form provided by WikiDolls. According to the FTC’s interpretation of CAN-SPAM and COPPA, WikiDolls can’t save Suzy’s e-mail address, because her parents have not consented to the retention of the PII. Further, the disclosure of Janie’s e-mail address to Suzy, even if wrapped in a CAN-SPAM proper wrapper, might itself violate WikiDoll’s Privacy Policy. The end result – WikiDolls is going to have a difficult time marketing its site in this manner. Again, quiver in terror, or get a good lawyer who can help you with this and understands all the nuances of hashing e-mail addresses.
I’ll close with one final anecdote. I had a client recently who complained bitterly that I was being too conservative in my approach to CAN-SPAM and COPPA, finally saying IN ALL CAPS in an e-mail, “Well XXXXXXXX doesn’t do it that way!” As it turns out, XXXXXXX was a Canadian company. When I pointed that out to the client, their response (in the moral equivalent of a very small font) was “never mind.” Funny thing is that the Canadian company sold out to a U.S. company that continues to fail to comply with CAN-SPAM and COPPA. But given the stories above, I guess that shouldn’t surprise anyone.
If you have any other questions about COPPA or CAN-SPAM compliance, please contact Jim Dunstan at (202) 298-2534 or jdunstan@gsblaw.com.
Wednesday, February 18, 2009
Response to Scarberia
Make sure to check out the new comment to Scarberia's post! This response comes from Jason Della Rocca, the long-time executive director of the International Game Developers Association (IGDA), though he recently surprised the community by announcing his forthcoming departure from the role. We asked Jason to comment on the business of games, specifically in reaction to Scarberia’s penalty box post from last month. (Note, these are his personal thoughts, and do not represent those of the IGDA.) Jason himself will be in the penalty box next week, updating us on the vibe from this year's D.I.C.E (Design, Innovate, Communicate, Entertain) Summit in between his travels.
Tuesday, February 17, 2009
Legal Issues in the Gaming Industry
I am really pleased to participate in “The Puck Stops Here”. It is great to see the Canadian Consulate supporting the Canadian game community.
My plan is to identify/discuss some of the familiar (and not so familiar) issues facing game companies (and others) doing business in the U.S. Over the next few weeks I will touch on various topics including:
COPPA and CAN-SPAM compliance;
Using music in games;
Integrating voice communications in games and avoiding potential liability under CALEA;
Do’s (mostly don’ts) re on-line gambling;
Protecting intellectual property and reducing exposure in publishing and license agreements;
Managing user generated content;
Compliance with safe harbors for copyright infringement and defamation;
Crafting and enforcing EULAs;
Reverse engineering and anti-circumvention rules under the Copyright Act;
Compliance with laws governing contests, coupons, lotteries, and prepaid cards;
Immigration issues in cross-border transactions; and
Rules for protecting against and responding to data breaches.
With any luck, these posts will generate questions and comments which will provide additional food for thought and topics for discussion. Of course, this is too much to cover in one bite or for one person, so I hope to cover these and other issues over several posts and with the help of several of my colleagues including Benjamin Lambiotte, James Dunstan, John Crigler, and Gregg Rodgers. You can view their bios at http://www.gsblaw.com/.
First things first. Today is a holiday in the U.S.: Presidents Day. For those unfamiliar with it, until 1971 this holiday was celebrated to honor George Washington’s birthday; February 22. But, from 1971 until the mid-80’s the party for George’s birthday was moved to the 3rd Monday of February. After that, it was a short step to bundling several other observances into a single holiday: Abraham Lincoln’s birthday (February 12) and, depending on which state you happen to be in, various other presidents. Just keep that in mind the next time you read a service agreement that excludes federal holidays. Now, to business.
As a start, I want take a look at a recent development in the area of personal privacy. This is topic that gets a lot of press and generates quite a lot controversy/confusion in the U.S. The fact that information about personal behavior and preferences can now be so easily and quickly collected/disseminated and, with increasing frequency, lost, has made the topic all the more controversial. To some, the fact that privacy is such a hot button in the U.S. may come as a surprise. After all, there are likely few places on earth with more rules and regulations than the U.S. But, the fact is that unlike Canada, the U.S. does not really have a centralized/uniform privacy regime. Instead, privacy in the U.S. is generally a matter of common law and legislation on state-by-state basis. I say generally, because there are exceptions.[1] Specifically, health care information, financial and credit information, and information about children. But, rather than legislating an overall policy on privacy, the U.S. generally deals with the issue in the context of specific types of information and how that information may/may not be used.[2] The mechanism to implement these policies is typically – but not exclusively – legislation. In some cases the federal government provides voluntary guidelines which are used by government agencies and courts to measure compliance with other laws. For example, while the Federal Trade Commission certainly promulgates regulations to carry out its mandates, it also develops guidelines and principles for use in evaluating compliance with laws it is charged with enforcing, such as Section 5 of the FTC Act which applies to unfair and deceptive acts or practices.
A recent development (released last week) on the voluntary side of things (we will talk about COPPA and data breach legislation, etc., later in the week) is the FTC Staff Report entitled: “Self-Regulatory Principles for Online Behavioral Advertising” (http://www.internetnews.com/ec-news/article.php/3802806/Advocates+Blast+FTC+Guidelines+on+Web+Privacy.htm). The Report follows up on previous work and public hearings by the FTC on the subject, which began in 1995. The Report sets forth 4 principles to govern “behavioral advertising – the practice of tracking an individual’s online activities in order to deliver advertising tailored to the individual’s interests”:
Web sites should provide a clear, concise, and prominent statement about their behavioral advertising practices. These notifications are to be separate from general privacy policies and should give consumers an easy-to-use method of opting out. Companies that collect information through mobile devices should ensure they have sufficient disclosure mechanisms.
Companies are encouraged to maintain reasonable security and retention practices with respect to the data they collect.
Companies are also encouraged to inform consumers of retroactive material changes to their data collection policies.
Companies are encouraged to receive express consent from consumers before collecting "sensitive data," such as information about children, health information, and Social Security numbers.
But, don’t let the title fool you. While these principles are not mandatory, there are likely consequences for failing to comply. Indeed, as the Report notes, these principles do not displace existing laws and companies engaged in this practice “should be mindful of the federal and state laws that may apply to their operations”. On this point, the FTC took pains to point out that it has been very active in conducting investigations and bringing law enforcement actions challenging deceptive privacy claims and improper disclosure of consumer data, noting that since 2001 the FTC has brought 23 such actions.
Still, the principles may not go far enough and the FTC has come under quite a bit of criticism for opting for “self-regulation”, rather than recommending Congress enact legislation on the subject. Bottom line: this is likely not the last you will hear on the topic of behavioral advertising.
So, if you are a game company in Canada selling products to consumers in the U.S. and collecting information about their buying and surfing behaviors, should you care what the FTC has recommended? The answer is clearly, yes. After all, the U.S. is a big market (1.33 Billion in January 2009). And, activities that violate these principles may be prosecuted in the U.S., even if you are located in Canada. But, don’t despair, you are probably a lot closer to compliance than many of your U.S. counterparts, since PIPEDA reflects many of the same principles and, unlike the FTC principles is mandatory. So, if you comply with PIPEDA, it is likely you will satisfy most, if not all of the principles announced in the Report. Note however, that the FTC principles apply to more than just “personal information” as defined in PIPEDA. As a result, if you are engaged in behavioral or contextual data collection (and most game companies are) you may need to adjust your practices to extend beyond personal information, to include any information that “could be associated” with a particular consumer or device.
Couple of other interesting tidbits (unrelated) to keep in mind:
Epilepsy Warnings – Continuing an effort he first began in 2001, Assemblyman Steven Englebright (D-Setauket), has introduced A4004 in the New York Assembly. This bill would require any person who sells or rents video games to display a warning sign with respect to the relationship between playing video games and epileptic seizures and establishes penalties for a violation of such provisions.
Games and Cigarettes – Rep Joe Baca (D-CA) has introduced H.R. 231, “The Video Game Health Labeling Act of 2009”. If enacted the bill would require developers to affix a warning label on any vide game rated T (teen) or higher by the ESRB similar to that required for cigarette packaging: “WARNING: Excessive exposure to violent video games and other violent media has been linked to aggressive behavior.”
Safe Harbor – 17 USC Section 512(c) (Copyright) and 47 USC 230 (Communications Decency Act) contain safe harbors for service providers against claims of copyright infringement and defamation. Several cases addressed these provisions in 2008, with differing results. At the extreme, the 9th Circuit ruled against the 230 defense in Fair Housing Council v. Roomates.com, 2008 WL 879293 (9th Cir. April 3, 2008) in an opinion that is both difficult to follow and reconcile with the plain language of the statute. A more reasoned opinion going the other direction is Goddard v. Google 2008 WL 5245490 (N.D. Cal. Dec. 17, 2008). On the copyright side, see Io v. Veoh 5:2006cv03926 (N.D. Cal. Aug. 27, 2008). This case involved claims for copyright infringement stemming from infringing videos uploaded to Veoh’s site by users. Veoh successfully defended the claim, relying on 512(c). The reason it succeeded, was that it followed the requirements of the safe-harbor to the letter and more: it responded to compliant DMCA takedown notices promptly, it notified users of its policies against copyright infringement, it registered a Copyright Agent with the Copyright Office, it terminated users who were repeat infringers and blocked new registrations from the same email addresses, and it used hashes to stop the same infringing videos from being uploaded by other users.
Bottom line here: If you are a service provider get familiar with the safe-harbors; they are your friends.
License vs. Sale – Whether a transaction is characterized as a license or sale is a big deal under U.S. law. Consider for example, the case of Vernor v. Autodesk, 87 USPQ2d 1501 (W.D.Wash. 2008), in which the court held that the unauthorized sale of used software on an internet auction site was permissible under the first-sale doctrine. This, despite the fact that the agreement under which the software was originally transferred was expressly characterized as a license and included language reserving all rights to Autodesk. Critical to the court’s determination that the transaction at issue was a sale (and not a license) was the fact that the agreement permitted the licensee to retain possession of the software in exchange for a single up-front payment. According to the court, this turned the license into a sale with the result that Autodesk exhausted its exclusive right to re-distribution under the copyright act when it sold the software.
As you might expect, Vernor is not the last (or the first) word on this subject. Following Vernor, several courts have held to the contrary. For example, in Blizzard v. MDY, CV-06-2555 (D. Ariz. 2008), the court examined the issue in the context of Section 117 of the Copyright Act (Vernor involved Section 109), which permits the owner of a software program to make multiple copies of the program. The court, evaluating the Blizzard EULA (which contained license language not dissimilar to that in Vernor) held that the users of a program created by MDY known as WowGlider, were not owners of the WoW program, but licensees subject the limitations on use set forth in the license. As a result, neither the WowGilder users nor MDY could take advantage of the Section 117 defense and MDY and its founder were held liable for contributory and vicarious copyright infringement. The key here (ignored by the court in Vernor) was that the agreement giving the user rights in WoW (a) made clear that the rights granted were as a licensee and did not include unlimited rights to copy or distribute the game and (b) imposed “significant” restrictions on the transfer of the game by requiring the user to transfer the original media and the packaging and documentation.
Bottom line here: Pay close attention to the terms of your EULA. One other note, the Blizzard case is also significant because a recent ruling in the case addressed the anti-circumvention provisions of Section 1201 of the DMCA. That will be the subject of a later post.
[1] Indeed, Justice Brandeis found the “freedom to be let alone” to be one of the most basic freedoms protected by the U.S. Constitution. So, it is not as though privacy is a foreign concept on the federal scene. It is just that, in the U.S., it is handled very differently.
[2] This all seems quite odd to folks who have been following the privacy debate for any length of time. Many of the basic principles incorporated into the EU Privacy Directive and PIPEDA were actually developed by the U.S. Dept. of Health Education and Welfare in 1971 as part of the “Code of Fair Information Practices”, which included five clauses: openness, disclosure, secondary use, correction, and security. Although these principles were adopted later by the OECD and others, they were only adopted in the U.S. on a limited basis.
My plan is to identify/discuss some of the familiar (and not so familiar) issues facing game companies (and others) doing business in the U.S. Over the next few weeks I will touch on various topics including:
COPPA and CAN-SPAM compliance;
Using music in games;
Integrating voice communications in games and avoiding potential liability under CALEA;
Do’s (mostly don’ts) re on-line gambling;
Protecting intellectual property and reducing exposure in publishing and license agreements;
Managing user generated content;
Compliance with safe harbors for copyright infringement and defamation;
Crafting and enforcing EULAs;
Reverse engineering and anti-circumvention rules under the Copyright Act;
Compliance with laws governing contests, coupons, lotteries, and prepaid cards;
Immigration issues in cross-border transactions; and
Rules for protecting against and responding to data breaches.
With any luck, these posts will generate questions and comments which will provide additional food for thought and topics for discussion. Of course, this is too much to cover in one bite or for one person, so I hope to cover these and other issues over several posts and with the help of several of my colleagues including Benjamin Lambiotte, James Dunstan, John Crigler, and Gregg Rodgers. You can view their bios at http://www.gsblaw.com/.
First things first. Today is a holiday in the U.S.: Presidents Day. For those unfamiliar with it, until 1971 this holiday was celebrated to honor George Washington’s birthday; February 22. But, from 1971 until the mid-80’s the party for George’s birthday was moved to the 3rd Monday of February. After that, it was a short step to bundling several other observances into a single holiday: Abraham Lincoln’s birthday (February 12) and, depending on which state you happen to be in, various other presidents. Just keep that in mind the next time you read a service agreement that excludes federal holidays. Now, to business.
As a start, I want take a look at a recent development in the area of personal privacy. This is topic that gets a lot of press and generates quite a lot controversy/confusion in the U.S. The fact that information about personal behavior and preferences can now be so easily and quickly collected/disseminated and, with increasing frequency, lost, has made the topic all the more controversial. To some, the fact that privacy is such a hot button in the U.S. may come as a surprise. After all, there are likely few places on earth with more rules and regulations than the U.S. But, the fact is that unlike Canada, the U.S. does not really have a centralized/uniform privacy regime. Instead, privacy in the U.S. is generally a matter of common law and legislation on state-by-state basis. I say generally, because there are exceptions.[1] Specifically, health care information, financial and credit information, and information about children. But, rather than legislating an overall policy on privacy, the U.S. generally deals with the issue in the context of specific types of information and how that information may/may not be used.[2] The mechanism to implement these policies is typically – but not exclusively – legislation. In some cases the federal government provides voluntary guidelines which are used by government agencies and courts to measure compliance with other laws. For example, while the Federal Trade Commission certainly promulgates regulations to carry out its mandates, it also develops guidelines and principles for use in evaluating compliance with laws it is charged with enforcing, such as Section 5 of the FTC Act which applies to unfair and deceptive acts or practices.
A recent development (released last week) on the voluntary side of things (we will talk about COPPA and data breach legislation, etc., later in the week) is the FTC Staff Report entitled: “Self-Regulatory Principles for Online Behavioral Advertising” (http://www.internetnews.com/ec-news/article.php/3802806/Advocates+Blast+FTC+Guidelines+on+Web+Privacy.htm). The Report follows up on previous work and public hearings by the FTC on the subject, which began in 1995. The Report sets forth 4 principles to govern “behavioral advertising – the practice of tracking an individual’s online activities in order to deliver advertising tailored to the individual’s interests”:
Web sites should provide a clear, concise, and prominent statement about their behavioral advertising practices. These notifications are to be separate from general privacy policies and should give consumers an easy-to-use method of opting out. Companies that collect information through mobile devices should ensure they have sufficient disclosure mechanisms.
Companies are encouraged to maintain reasonable security and retention practices with respect to the data they collect.
Companies are also encouraged to inform consumers of retroactive material changes to their data collection policies.
Companies are encouraged to receive express consent from consumers before collecting "sensitive data," such as information about children, health information, and Social Security numbers.
But, don’t let the title fool you. While these principles are not mandatory, there are likely consequences for failing to comply. Indeed, as the Report notes, these principles do not displace existing laws and companies engaged in this practice “should be mindful of the federal and state laws that may apply to their operations”. On this point, the FTC took pains to point out that it has been very active in conducting investigations and bringing law enforcement actions challenging deceptive privacy claims and improper disclosure of consumer data, noting that since 2001 the FTC has brought 23 such actions.
Still, the principles may not go far enough and the FTC has come under quite a bit of criticism for opting for “self-regulation”, rather than recommending Congress enact legislation on the subject. Bottom line: this is likely not the last you will hear on the topic of behavioral advertising.
So, if you are a game company in Canada selling products to consumers in the U.S. and collecting information about their buying and surfing behaviors, should you care what the FTC has recommended? The answer is clearly, yes. After all, the U.S. is a big market (1.33 Billion in January 2009). And, activities that violate these principles may be prosecuted in the U.S., even if you are located in Canada. But, don’t despair, you are probably a lot closer to compliance than many of your U.S. counterparts, since PIPEDA reflects many of the same principles and, unlike the FTC principles is mandatory. So, if you comply with PIPEDA, it is likely you will satisfy most, if not all of the principles announced in the Report. Note however, that the FTC principles apply to more than just “personal information” as defined in PIPEDA. As a result, if you are engaged in behavioral or contextual data collection (and most game companies are) you may need to adjust your practices to extend beyond personal information, to include any information that “could be associated” with a particular consumer or device.
Couple of other interesting tidbits (unrelated) to keep in mind:
Epilepsy Warnings – Continuing an effort he first began in 2001, Assemblyman Steven Englebright (D-Setauket), has introduced A4004 in the New York Assembly. This bill would require any person who sells or rents video games to display a warning sign with respect to the relationship between playing video games and epileptic seizures and establishes penalties for a violation of such provisions.
Games and Cigarettes – Rep Joe Baca (D-CA) has introduced H.R. 231, “The Video Game Health Labeling Act of 2009”. If enacted the bill would require developers to affix a warning label on any vide game rated T (teen) or higher by the ESRB similar to that required for cigarette packaging: “WARNING: Excessive exposure to violent video games and other violent media has been linked to aggressive behavior.”
Safe Harbor – 17 USC Section 512(c) (Copyright) and 47 USC 230 (Communications Decency Act) contain safe harbors for service providers against claims of copyright infringement and defamation. Several cases addressed these provisions in 2008, with differing results. At the extreme, the 9th Circuit ruled against the 230 defense in Fair Housing Council v. Roomates.com, 2008 WL 879293 (9th Cir. April 3, 2008) in an opinion that is both difficult to follow and reconcile with the plain language of the statute. A more reasoned opinion going the other direction is Goddard v. Google 2008 WL 5245490 (N.D. Cal. Dec. 17, 2008). On the copyright side, see Io v. Veoh 5:2006cv03926 (N.D. Cal. Aug. 27, 2008). This case involved claims for copyright infringement stemming from infringing videos uploaded to Veoh’s site by users. Veoh successfully defended the claim, relying on 512(c). The reason it succeeded, was that it followed the requirements of the safe-harbor to the letter and more: it responded to compliant DMCA takedown notices promptly, it notified users of its policies against copyright infringement, it registered a Copyright Agent with the Copyright Office, it terminated users who were repeat infringers and blocked new registrations from the same email addresses, and it used hashes to stop the same infringing videos from being uploaded by other users.
Bottom line here: If you are a service provider get familiar with the safe-harbors; they are your friends.
License vs. Sale – Whether a transaction is characterized as a license or sale is a big deal under U.S. law. Consider for example, the case of Vernor v. Autodesk, 87 USPQ2d 1501 (W.D.Wash. 2008), in which the court held that the unauthorized sale of used software on an internet auction site was permissible under the first-sale doctrine. This, despite the fact that the agreement under which the software was originally transferred was expressly characterized as a license and included language reserving all rights to Autodesk. Critical to the court’s determination that the transaction at issue was a sale (and not a license) was the fact that the agreement permitted the licensee to retain possession of the software in exchange for a single up-front payment. According to the court, this turned the license into a sale with the result that Autodesk exhausted its exclusive right to re-distribution under the copyright act when it sold the software.
As you might expect, Vernor is not the last (or the first) word on this subject. Following Vernor, several courts have held to the contrary. For example, in Blizzard v. MDY, CV-06-2555 (D. Ariz. 2008), the court examined the issue in the context of Section 117 of the Copyright Act (Vernor involved Section 109), which permits the owner of a software program to make multiple copies of the program. The court, evaluating the Blizzard EULA (which contained license language not dissimilar to that in Vernor) held that the users of a program created by MDY known as WowGlider, were not owners of the WoW program, but licensees subject the limitations on use set forth in the license. As a result, neither the WowGilder users nor MDY could take advantage of the Section 117 defense and MDY and its founder were held liable for contributory and vicarious copyright infringement. The key here (ignored by the court in Vernor) was that the agreement giving the user rights in WoW (a) made clear that the rights granted were as a licensee and did not include unlimited rights to copy or distribute the game and (b) imposed “significant” restrictions on the transfer of the game by requiring the user to transfer the original media and the packaging and documentation.
Bottom line here: Pay close attention to the terms of your EULA. One other note, the Blizzard case is also significant because a recent ruling in the case addressed the anti-circumvention provisions of Section 1201 of the DMCA. That will be the subject of a later post.
[1] Indeed, Justice Brandeis found the “freedom to be let alone” to be one of the most basic freedoms protected by the U.S. Constitution. So, it is not as though privacy is a foreign concept on the federal scene. It is just that, in the U.S., it is handled very differently.
[2] This all seems quite odd to folks who have been following the privacy debate for any length of time. Many of the basic principles incorporated into the EU Privacy Directive and PIPEDA were actually developed by the U.S. Dept. of Health Education and Welfare in 1971 as part of the “Code of Fair Information Practices”, which included five clauses: openness, disclosure, secondary use, correction, and security. Although these principles were adopted later by the OECD and others, they were only adopted in the U.S. on a limited basis.
Tuesday, February 10, 2009
Untold Entertainment's GDC Survival Guide
I've been intently following and commenting on the Puck Stops Here blog since its launch a few weeks ago. Now that it's my turn, I wanted to write about a topic so shocking, so outrageously incendiary that I would light the site on fire and generate a intensely passionate debate. Then we could all meet up at GDC have a good old fashioned gang brawl. I'm talking chains and brass knuckles. And maybe some fancy jazz hands, West Side Story-style.
The topic I had planned was so damning that I've decided to shelve it until I can afford personal bodyguard detail. So instead, as we find ourselves on the road to GDC (though I personally prefer to fly there), let me share some tips I've learned from my past two visits. I'll also share a few pearls of wisdom from my experiences at E3, the Game Developers Conference's coked-out train wreck of an older sibling.
Untold Entertainment's GDC Survival Guide
The Conference
The topic I had planned was so damning that I've decided to shelve it until I can afford personal bodyguard detail. So instead, as we find ourselves on the road to GDC (though I personally prefer to fly there), let me share some tips I've learned from my past two visits. I'll also share a few pearls of wisdom from my experiences at E3, the Game Developers Conference's coked-out train wreck of an older sibling.
Untold Entertainment's GDC Survival Guide
The Conference
- register before the conference starts, and take your swag bag back to your hotel. Go through it and toss out all the advertising. You've just shed five pounds. The most useful bits are the notepad and the pen – the normal pen, not the one that transforms into a rocket.
- conference tees go quickly. If you want a wearable keepsake, find out which convoluted hoops you have to jump through (wristbands, lottery systems, secret T-shirt kiosks in the sub-basement), and get you some swag
- try to ask a question at the mic after every panel, slyly introducing yourself and your company first. When the panel ends, all kinds of people who want to meet you or contract your services will come out of the woodwork. It's the next best thing to carrying around a megaphone (which is actually not allowed at GDC, I discovered. Read that fine print.)
- the roundtable discussions are a great place to gather candid intel in an intimate setting. Confidentiality is betrayed, and NDAs fly out the window, as folks divulge all their business secrets in the name of contributing to the discussion. It's like being in a self-help group packed with game industry insiders.
- don't miss the keynotes. This rule was conveyed to me by a wide-eyed delegate with all the gravity of a crucial life lesson, like “don't cross the streams”. He told me it was because Microsoft had once divided the delegates into four teams at their keynote, and gave a quarter of the attendees a free HDTV. The story is legendary. With GDC as big as it is, I doubt we'll see a repeat, but the “what if?” factor is enough to pack people in their seats at every keynote. Arrive early.
Food and Drink
- there's a yankee-fried Mexican restaurant near the Moscone Center called Chili's. Don't eat there. The food isn't authentic, but they've somehow managed to import all the Mexican water to the restaurant, if you get my drift.
- unless you have a group of high-powered execs to impress, don't buy dinner. It's a breeze to stumble across a party every single night, so you can subsist on horse doovers all week. One mini-hamburger may not tide you over, but pack away forty-seven of the little bastards and you'll be good to go.
Culture
- if you get a chance to meet one of your game design heroes at the conference, don't play it cool. You're in the game industry. Get your geek on. I had a total nerdgasm when I shook hands with Cyan's Rand Miller, the designer of MYST. And when I met Tim Schafer of LucasArts fame, I didn't wash my hand for two years. It became gangrenous and they had to amputate, but come on – Tim Schafer.
- every year, there's at least one outrageous party that everyone talks about, like the debaucherous spectacle at the Three Rings headquarters, or the CCP Games' whips-and-chains bacchanal last year at a San Francisco fetish club. But the parties I enjoyed most had music that was quiet enough to faciliate conversation, and comfy couch seats to kick back on. Autodesk's swank disco-era fete last year, replete with bean bag chairs and Atari 2600 consoles on every teevee tops my list of favourite parties.
San Francisco
- the city has TWO giant bridges: the Golden Gate Bridge, and the Other One. The conference center is closest to the Other One. Try not to look silly by extolling the virtues of the Other One, thinking it's the Golden Gate Bridge the whole time. People remember that type of thing. And then they blog about you years later in their GDC Survival Guides.
- the city hosts a lot of professional panhandlers. In contrast to Toronto's palm pilots, the fellas who prey on San Francisco's tourists put a lot more oomph into their pitch. Instead of a half-hearted “spare change?” muttered under someone's breath, I had three restaurant recommendations, a brief history of my hotel, and a bawdy joke. I rarely toss coins at our local folks, but the effort the Californians give it deserves a few greenbacks.
- don't bother visiting Alcatraz. If you've played the Alcatraz level in Tony Hawk's Pro Skater 3, you get the gist.
Travel
- if you're flying back to Ontario or parts East, the best flight is the Friday night red-eye. Sleep on the plane. When you wake up, it's morning in Montreal, and the risk of jet lag plummets. Sure, you'll miss out on that little packet of pretzels they offer on a six hour flight, but keep in mind that you just ate forty-seven mini-hamburgers.
- We're not guilty of this ourselves, but here's a hot tip: if your company received public funding for a project, and it's widely known that you blew your deadline and failed to launch the project with its original scope, don't fly first class. It's tacky.
See you all at GDC in March!
Thursday, February 5, 2009
More Thoughts from Rob: The Provinces
I separate the provinces like the new Canadian Football League. The differences between West and East start at the Saskatchewan and Manitoba border. The Western provinces (Saskatchewan, Alberta and BC) have some programs but not the tax credit incentives (other than SR&ED incentives) like the Eastern provinces (Manitoba, Ontario, Quebec, PEI and Nova Scotia). Ok so it doesn’t work so well when you take into account New Brunswick and Newfoundland and Labrador. Here is my quick synopsis heading West to East. Please chime in and comment on experiences and other programs I may have missed.
British Columbia
British Columbia is at the forefront of the video game industry in Canada. The creative games cluster in the lower mainland is one of the oldest and largest in Canada. The province has invested in programs such as the Masters in Digital Media. BC has also provided incentives with investments in the BC Renaissance Fund.
BC has taken a different approach and created the BC New Media Venture Capital Program Tax Credit. This program provides tax credits to those who invest in small new media companies such as game developers. It should be noted that BC has various tax credits for film and television productions but has yet to see the light on doing the same for video game developers.
http://www.investbc.com/businessincentives.htm
BC as well has a 10% tax credit which is refundable for Canadian-controlled private corporations (“CCPCs”) for scientific research and experimental development expenses. http://www.sbr.gov.bc.ca/business/Income_Taxes/Corporation_Income_Tax/tax_credits/scientific_research.htm
Alberta
I guess the leading incentive in Alberta is low taxes. I haven’t been able to find any programs or tax credits specifically related to the video game industry. There are some government funds geared towards the Information Technology sector such as the Alberta Ingenuity Fund that which may be relevant to a game developer in the province. http://www.albertaingenuity.ca/
Saskatchewan
The Saskatchewan government has created the Saskatchewan Film and Video Development Corporation. It appears its programs are mostly aimed towards film and television projects however they do mention interactive projects in some of their documents. There appears to be some minor funding available for travel and marketing. Again Saskatchewan has a tax credit for film and television but no mention of game developers. http://www.saskfilm.com/docs/assets5/SaskFilm_Program_Guidelines_May2008.pdf
Saskatchewan has a 15% SR&ED non-refundable tax credit as well that would be available to those who meet the criteria http://www.finance.gov.sk.ca/Default.aspx?DN=7210d60f-4263-4bf8-9f59-dbbbd8d64f7a
Manitoba
The Manitoba government has created a refundable Interactive Digital Media Tax Credit which provides a tax credit on 40% of eligible labour expenses up to a maximum tax credit of $500,000.
http://www.gov.mb.ca/stem/knowledge/idm_taxcredit.html
The province also has some small granting funds available for such things as market research, prototyping, product development and marketing assistance through the Manitoba Interactive Digital Media Fund as well as several other programs providing some assistance for technology commercialization or export market development.
In addition, Manitoba has a Research and Development Tax Credit that provides a 20% non-refundable tax credit on eligible expenses. http://www.gov.mb.ca/ctt/invest/busfacts/govt/rd_taxcredit.html
Ontario
The Ontario government has made significant strides over the last few years to make the province attractive to both foreign and domestic developers. The Interactive Digital Media Tax Credit is available to both Canadian-controlled and foreign-controlled Canadian corporations who have a permanent establishment in Ontario. The tax credit is equal to 30% of eligible expenses (mostly labour and some marketing) for qualifying small corporations. In addition larger corporations are eligible for a 25% tax credit and “fee for service” products may qualify for this tax credit as well.
http://www.omdc.on.ca/PageFactory.aspx?PageID=3257
In addition, the Ontario Media Development Corporation has several programs available to assist game developers. The Interactive Digital Media Fund provides funding up to $100,000 for up to 50% of the completion of an interactive digital media project. Other one off programs such as the Video game prototype Fund and the Screen-based Content Initiative have also provided funding for Interactive projects. It is hoped that some of these funds will be continued in future years. The government has also created the Entertainment and Creative Cluster Partnerships Fund which provides funding for collaborations between various partners in the creative cluster which would include interactive media.
http://www.omdc.on.ca/PageFactory.aspx?PageID=3258
Ontario also has an Innovation Tax Credit that provides an additional refundable 10% tax credit on SR&ED eligible expenditures spent in the province.
http://www.rev.gov.on.ca/english/credit/oitc/index.html
Quebec
Quebec with the establishment of many multinational game development studios in the province has become the fastest growing and is recognized as one of the global centres of game development.
The Quebec government established the Multimedia Titles tax credits which provides corporations in Quebec producing multimedia titles (which would include video games) a tax credit of up to 37.5% of eligible labour expenditures.
http://www.revenu.gouv.qc.ca/eng/entreprise/impot/societes/credits/adaptation/titresmultimedias.asp
Quebec also provides loans, loan guarantees and interim financing for tax credits amongst other programs.
http://www.investquebec.com/en/index.aspx?page=1764
Quebec provides further incentives on SR&ED performed in the province.
http://www.revenu.gouv.qc.ca/eng/publications/in/in-109-v.asp
Prince Edward Island
The government of Prince Edward Island provides an Innovation and Development Tax Credit of 35% on 150% of eligible production labour. The extra 50% is given to allow for other overhead in operating a development studio in the province.
http://www.gov.pe.ca/photos/original/ptrp_idtc_guide.pdf
The province also offers reduced personal taxation to employees of the developer and several other tax credits that may be relevant to a game developer as well as subsidized rent to companies wanting to establish in the Atlantic Technology Centre.
http://www.gov.pe.ca/development/ptrp/index.php3
http://www.gameplan.ca/programs.html
New Brunswick
New Brunswick offers a refundable 15% research and development tax credit which may be of use to game developers in the province.
http://www.gnb.ca/0024/tax/randd.asp
Nova Scotia
Nova Scotia offers a refundable tax credit equal to the lesser of 25% of all expenditures in Nova Scotia or 50% on eligible Nova Scotia labour expenditures plus an additional 5% on all expenditures or 10% of labour expenditures if the development takes place outside of the Halifax Regional Municipality.
http://www.gov.ns.ca/finance/en/home/taxation/businesstax/corporateincometax/digitalmediataxcredit.aspx
Nova Scotia also offers a refundable 15% research and development tax credit which may be of use to game developers in the province.
http://www.gov.ns.ca/finance/en/home/taxation/businesstax/corporateincometax/researchanddevelopmenttax.aspx
Newfoundland & Labrador
The province offers a refundable 15% research and development tax credit which may be of use to game developers in the province.
http://www.fin.gov.nl.ca/fin/scientific.html
British Columbia
British Columbia is at the forefront of the video game industry in Canada. The creative games cluster in the lower mainland is one of the oldest and largest in Canada. The province has invested in programs such as the Masters in Digital Media. BC has also provided incentives with investments in the BC Renaissance Fund.
BC has taken a different approach and created the BC New Media Venture Capital Program Tax Credit. This program provides tax credits to those who invest in small new media companies such as game developers. It should be noted that BC has various tax credits for film and television productions but has yet to see the light on doing the same for video game developers.
http://www.investbc.com/businessincentives.htm
BC as well has a 10% tax credit which is refundable for Canadian-controlled private corporations (“CCPCs”) for scientific research and experimental development expenses. http://www.sbr.gov.bc.ca/business/Income_Taxes/Corporation_Income_Tax/tax_credits/scientific_research.htm
Alberta
I guess the leading incentive in Alberta is low taxes. I haven’t been able to find any programs or tax credits specifically related to the video game industry. There are some government funds geared towards the Information Technology sector such as the Alberta Ingenuity Fund that which may be relevant to a game developer in the province. http://www.albertaingenuity.ca/
Saskatchewan
The Saskatchewan government has created the Saskatchewan Film and Video Development Corporation. It appears its programs are mostly aimed towards film and television projects however they do mention interactive projects in some of their documents. There appears to be some minor funding available for travel and marketing. Again Saskatchewan has a tax credit for film and television but no mention of game developers. http://www.saskfilm.com/docs/assets5/SaskFilm_Program_Guidelines_May2008.pdf
Saskatchewan has a 15% SR&ED non-refundable tax credit as well that would be available to those who meet the criteria http://www.finance.gov.sk.ca/Default.aspx?DN=7210d60f-4263-4bf8-9f59-dbbbd8d64f7a
Manitoba
The Manitoba government has created a refundable Interactive Digital Media Tax Credit which provides a tax credit on 40% of eligible labour expenses up to a maximum tax credit of $500,000.
http://www.gov.mb.ca/stem/knowledge/idm_taxcredit.html
The province also has some small granting funds available for such things as market research, prototyping, product development and marketing assistance through the Manitoba Interactive Digital Media Fund as well as several other programs providing some assistance for technology commercialization or export market development.
In addition, Manitoba has a Research and Development Tax Credit that provides a 20% non-refundable tax credit on eligible expenses. http://www.gov.mb.ca/ctt/invest/busfacts/govt/rd_taxcredit.html
Ontario
The Ontario government has made significant strides over the last few years to make the province attractive to both foreign and domestic developers. The Interactive Digital Media Tax Credit is available to both Canadian-controlled and foreign-controlled Canadian corporations who have a permanent establishment in Ontario. The tax credit is equal to 30% of eligible expenses (mostly labour and some marketing) for qualifying small corporations. In addition larger corporations are eligible for a 25% tax credit and “fee for service” products may qualify for this tax credit as well.
http://www.omdc.on.ca/PageFactory.aspx?PageID=3257
In addition, the Ontario Media Development Corporation has several programs available to assist game developers. The Interactive Digital Media Fund provides funding up to $100,000 for up to 50% of the completion of an interactive digital media project. Other one off programs such as the Video game prototype Fund and the Screen-based Content Initiative have also provided funding for Interactive projects. It is hoped that some of these funds will be continued in future years. The government has also created the Entertainment and Creative Cluster Partnerships Fund which provides funding for collaborations between various partners in the creative cluster which would include interactive media.
http://www.omdc.on.ca/PageFactory.aspx?PageID=3258
Ontario also has an Innovation Tax Credit that provides an additional refundable 10% tax credit on SR&ED eligible expenditures spent in the province.
http://www.rev.gov.on.ca/english/credit/oitc/index.html
Quebec
Quebec with the establishment of many multinational game development studios in the province has become the fastest growing and is recognized as one of the global centres of game development.
The Quebec government established the Multimedia Titles tax credits which provides corporations in Quebec producing multimedia titles (which would include video games) a tax credit of up to 37.5% of eligible labour expenditures.
http://www.revenu.gouv.qc.ca/eng/entreprise/impot/societes/credits/adaptation/titresmultimedias.asp
Quebec also provides loans, loan guarantees and interim financing for tax credits amongst other programs.
http://www.investquebec.com/en/index.aspx?page=1764
Quebec provides further incentives on SR&ED performed in the province.
http://www.revenu.gouv.qc.ca/eng/publications/in/in-109-v.asp
Prince Edward Island
The government of Prince Edward Island provides an Innovation and Development Tax Credit of 35% on 150% of eligible production labour. The extra 50% is given to allow for other overhead in operating a development studio in the province.
http://www.gov.pe.ca/photos/original/ptrp_idtc_guide.pdf
The province also offers reduced personal taxation to employees of the developer and several other tax credits that may be relevant to a game developer as well as subsidized rent to companies wanting to establish in the Atlantic Technology Centre.
http://www.gov.pe.ca/development/ptrp/index.php3
http://www.gameplan.ca/programs.html
New Brunswick
New Brunswick offers a refundable 15% research and development tax credit which may be of use to game developers in the province.
http://www.gnb.ca/0024/tax/randd.asp
Nova Scotia
Nova Scotia offers a refundable tax credit equal to the lesser of 25% of all expenditures in Nova Scotia or 50% on eligible Nova Scotia labour expenditures plus an additional 5% on all expenditures or 10% of labour expenditures if the development takes place outside of the Halifax Regional Municipality.
http://www.gov.ns.ca/finance/en/home/taxation/businesstax/corporateincometax/digitalmediataxcredit.aspx
Nova Scotia also offers a refundable 15% research and development tax credit which may be of use to game developers in the province.
http://www.gov.ns.ca/finance/en/home/taxation/businesstax/corporateincometax/researchanddevelopmenttax.aspx
Newfoundland & Labrador
The province offers a refundable 15% research and development tax credit which may be of use to game developers in the province.
http://www.fin.gov.nl.ca/fin/scientific.html
Monday, February 2, 2009
Financial Reasons to Work with Canadian Developers
Rob DePetris, Senior Tax Manager, Deloitte (Southern Ontario)Rob DePetris has developed a keen understanding of the interactive media sector through his past work as Vice-President of Silicon Knights and his involvement in creating an action plan for the Ontario video game industry. Rob is currently a senior tax manager in Deloitte's Southwestern Ontario practice has worked with the Interactive Ontario, the Ontario Media Development Corporation, the Ontario Ministry of Economic Development and Trade and the Ontario Ministry of Research and Innovation to create an action plan to create a vibrant video game industry in Ontario. He has also spear-headed the creation of nGen, the Niagara Interactive Media Generator. This organization has started the incubation of small interactive media companies in Niagara. Rob has an Honours Bachelor of Business Administration in Co-op Accounting from Brock University. He is also a graduate of University of Toronto Law School and was called to the Bar in 1994. He has previously worked for PricewaterhouseCoopers LLP in Toronto and articled at Lancaster, Mix and Welch. He is the chair of the Games Committee and Treasurer of Interactive Ontario. He is the chair of the Board of Directors of nGen (Interactive Niagara). He is chair of the Cities of St. Catharines and Thorold Prosperity Council. He is a member of the board of directors of the United Way of St. Catharines & District and is First Vice-President of the St. Catharines-Thorold Chamber of Commerce.
In Canada, we have the some of the most talented and creative game developers in the world. Every company has its own value proposition. Each game developer has his own special skill which helps to make them unique and able to sell their products to the world.
As GDC comes closer, I am sure many of you are scheduling meetings with potential publishers and distributors to pitch, re-pitch or demonstrate the creative ideas that you and your company have developed. Each game developer has a sense of what they can produce and they know the strengths, uniqueness and weaknesses of their ideas.
My background is finance and taxation. I will leave it to the creative voices in each company to develop the pitches of their game ideas for the meetings at GDC. I thought it would be interesting to talk about the advantages of working with Canadian game development companies. I propose to list some of the financial reasons why developing a game in Canada makes sense. I hope that this may provide some further ammunition to Canadian game developers to convince a publisher to choose their project. If this is all old hat to those reading then perhaps others can add their own insights whether it is information about tax credits, or other financial incentives that makes Canada one of the most economical places to make quality games. Today, I thought I would start by outlining the current advantages provided by our dollar and the federal government.
Our Dollar
In the past few years, our dollar has been a disadvantage as it continued to rise above par with the US dollar and then hovered around par for what seemed to be an eternity. But lately, our dollar has fallen back to a more comfortable US $0.80. Given that Canadian game developers expenses (labour and other costs) are in Canadian dollars, over the last few months Canadian Game Developers have become significantly cheaper to US publishers and to many other publishers dealing in other foreign currencies. Will this last? Who knows? But today, we are significantly cheaper and if a game developer has an opportunity to hedge or to convince their publisher to hedge then the dollar advantage today can be extended over the term of a project.
Federal Government
Canadian New Media Fund (“CNMF”)
The Canadian government just released the federal budget last Tuesday (January 27, 2009), and somewhere, buried deep inside, the government committed to provide $28.6 million of funding for the Canadian New Media Fund over the next two years and continually provide funding of $14.3 million for each year thereafter. http://www.budget.gc.ca/2009/plan/bpc3e-eng.asp
Telefilm, the federal agency who administers this fund states that “The Product Assistance component of the Fund provides conditionally repayable advances for the development, production and marketing of Canadian interactive digital cultural content products in both official languages that are intended for the general public.” http://www.telefilm.gc.ca/03/311.asp?lang=en&fond_id=3
The guidelines for the CNMF are not simple and the funding is granted through a competition so not all worthy products receive funding. As well, matching funds must be found and intellectual property rights retained. All that said, the fund provides potential funding to Canadian Controlled corporations of up to $550,000 for each of the development, production and marketing segments of the interactive product.
What would be even better would be for the federal government to increase this fund to a much greater level - similar to the $100 million Canadian Television Fund - and also provide a tax credit similar to the Federal Film Tax Credit. Perhaps the industry can push for this in next year’s budget.
Scientific Research and Experimental Development (“SR&ED”)
Canada Revenue Agency sets out that “The SR&ED program is a federal tax incentive program to encourage Canadian businesses of all sizes and in all sectors to conduct research and development (R&D) in Canada that will lead to new, improved, or technologically advanced products or processes. The SR&ED program is the largest single source of federal government support for industrial research and development.” A Canadian-controlled private corporation that qualifies can receive a refundable tax credit of up to 35% on eligible expenditures of up to $3 million dollars. This is significant funding on an annual basis. Much of the programming work done by game developers may qualify for this tax credit. That said, I would strongly recommend that game developers not try and prepare this claim themselves. They should hire experienced accountants to prepare the claim to ensure they qualify and they are getting the maximum cash back from the program.
In addition to the benefits received, many of the provinces have additional tax credits and other advantages for SR&ED in the particular province.
National Research Council-Industrial Research Assistance Program (NRC-IRAP)
In addition to SR&ED, the federal government provides non-repayable assistance to small and medium Canadian corporations who are developing commercial uses of technology. http://irap-pari.nrc-cnrc.gc.ca/financialassistance_e.html#rd
There are local advisors in each region in Canada who can be contacted to discuss qualifications and opportunities.
Next Blog - The Provinces
I must admit that I live in Ontario and am very familiar with the various advantages here. That said, I will try to outline in my next post some of the advantages in each province. If I miss some, please chime in and let us know.
As GDC comes closer, I am sure many of you are scheduling meetings with potential publishers and distributors to pitch, re-pitch or demonstrate the creative ideas that you and your company have developed. Each game developer has a sense of what they can produce and they know the strengths, uniqueness and weaknesses of their ideas.
My background is finance and taxation. I will leave it to the creative voices in each company to develop the pitches of their game ideas for the meetings at GDC. I thought it would be interesting to talk about the advantages of working with Canadian game development companies. I propose to list some of the financial reasons why developing a game in Canada makes sense. I hope that this may provide some further ammunition to Canadian game developers to convince a publisher to choose their project. If this is all old hat to those reading then perhaps others can add their own insights whether it is information about tax credits, or other financial incentives that makes Canada one of the most economical places to make quality games. Today, I thought I would start by outlining the current advantages provided by our dollar and the federal government.
Our Dollar
In the past few years, our dollar has been a disadvantage as it continued to rise above par with the US dollar and then hovered around par for what seemed to be an eternity. But lately, our dollar has fallen back to a more comfortable US $0.80. Given that Canadian game developers expenses (labour and other costs) are in Canadian dollars, over the last few months Canadian Game Developers have become significantly cheaper to US publishers and to many other publishers dealing in other foreign currencies. Will this last? Who knows? But today, we are significantly cheaper and if a game developer has an opportunity to hedge or to convince their publisher to hedge then the dollar advantage today can be extended over the term of a project.
Federal Government
Canadian New Media Fund (“CNMF”)
The Canadian government just released the federal budget last Tuesday (January 27, 2009), and somewhere, buried deep inside, the government committed to provide $28.6 million of funding for the Canadian New Media Fund over the next two years and continually provide funding of $14.3 million for each year thereafter. http://www.budget.gc.ca/2009/plan/bpc3e-eng.asp
Telefilm, the federal agency who administers this fund states that “The Product Assistance component of the Fund provides conditionally repayable advances for the development, production and marketing of Canadian interactive digital cultural content products in both official languages that are intended for the general public.” http://www.telefilm.gc.ca/03/311.asp?lang=en&fond_id=3
The guidelines for the CNMF are not simple and the funding is granted through a competition so not all worthy products receive funding. As well, matching funds must be found and intellectual property rights retained. All that said, the fund provides potential funding to Canadian Controlled corporations of up to $550,000 for each of the development, production and marketing segments of the interactive product.
What would be even better would be for the federal government to increase this fund to a much greater level - similar to the $100 million Canadian Television Fund - and also provide a tax credit similar to the Federal Film Tax Credit. Perhaps the industry can push for this in next year’s budget.
Scientific Research and Experimental Development (“SR&ED”)
Canada Revenue Agency sets out that “The SR&ED program is a federal tax incentive program to encourage Canadian businesses of all sizes and in all sectors to conduct research and development (R&D) in Canada that will lead to new, improved, or technologically advanced products or processes. The SR&ED program is the largest single source of federal government support for industrial research and development.” A Canadian-controlled private corporation that qualifies can receive a refundable tax credit of up to 35% on eligible expenditures of up to $3 million dollars. This is significant funding on an annual basis. Much of the programming work done by game developers may qualify for this tax credit. That said, I would strongly recommend that game developers not try and prepare this claim themselves. They should hire experienced accountants to prepare the claim to ensure they qualify and they are getting the maximum cash back from the program.
In addition to the benefits received, many of the provinces have additional tax credits and other advantages for SR&ED in the particular province.
National Research Council-Industrial Research Assistance Program (NRC-IRAP)
In addition to SR&ED, the federal government provides non-repayable assistance to small and medium Canadian corporations who are developing commercial uses of technology. http://irap-pari.nrc-cnrc.gc.ca/financialassistance_e.html#rd
There are local advisors in each region in Canada who can be contacted to discuss qualifications and opportunities.
Next Blog - The Provinces
I must admit that I live in Ontario and am very familiar with the various advantages here. That said, I will try to outline in my next post some of the advantages in each province. If I miss some, please chime in and let us know.
Subscribe to:
Posts (Atom)
Posts
