Indie Dev Business Basics: Privacy, EULAs, and all that fun stuff


By Zachary Strebeck

Welcome to the fifth post in the Indie Dev Business Basics series. In this last installment, we’re going to discuss two documents that are very important for your game release: your Terms of Use and Privacy Policy.

Coming to terms with your Terms of Use

The Terms of Use (sometimes called a “Terms of Service”) is an agreement between you and your user. In order for it to be effective, the user must agree to it prior to playing your game. It is sometimes referred to as an End User License Agreement (EULA), though the EULA is usually just a small part of the overall Terms of Use.

What should be included in a comprehensive Terms of Use?

A comprehensive Terms of Use is a complete agreement that covers your butt in a number of ways. Some of the issues dealt with in these agreements are:

  • Minimum age requirements (this comes in handy when avoiding COPPA, which we discuss below)
  • The terms of your software license. For instance, they can’t use your software commercially and can’t resell it (this is the EULA part)
  • An “acceptable use policy,” laying out what is and is not acceptable conduct within the game
  • Limitations on liability and warranties, so you can’t be held liable if your game doesn’t function properly, etc.

One vital part of a properly drafted Terms of Use is a class action waiver and arbitration agreement. This does two things: it limits any disputes to one-on-one, and forces those disputes to be handled in arbitration, rather than in the courts. For you as the developer, these are extremely important. A class action lawsuit against you could be extremely costly. Additionally, the court system can take years to shake out just one case, so resolving that dispute through arbitration can save a ton of time and money.

Obviously, this isn’t an issue unless your game is successful, but it’s generally a good thing to plan ahead and be prepared for both success and failure.

How do you show that they’ve agreed?

Your Terms of Use is a contract. That means that each side must take some affirmative action to agree to it, if you want it to be legally binding. It’s not enough to just stick the agreement up on your website or bury it somewhere within your game’s menu system.

The usual “best practices” for getting users to agree to your Terms of Use include the following:

  • A pop-up that either has the entirety of the Terms in it, or has a prominent link to your Terms (and the Privacy Policy)
  • A check box labeled “I have read the Terms of Use and Privacy Policy”
  • A button labeled “I agree” or something to that effect
  • Keep the latest Terms of Use and Privacy Policy available on your website and linked from somewhere within the game

You can even do things like forcing a scroll through the entire Terms before the checkbox and button become active, but that may be going a bit far and could turn off users.

Privacy Policies

Governments of the world take data privacy and people’s personal information very seriously, and so should you. When your game takes personal information from users (whether it’s their name, email address, location, or photograph), you need to disclose what you’re taking and how you’re using it.

Unlike the Terms of Use, a Privacy Policy isn’t a contract. It’s a disclosure document – meaning that you can basically ask for or collect whatever personal information you want, as long as you disclose it (with some exceptions, of course). This includes what you collect, how you collect it, how you use it, who you share it with, and what security measures you take with the users’ data. You should also discuss how to resolve disputes over your use of personal information, how users can see what information you’ve collected, and what they can do about it.

One good “best practice” is to link to your Privacy Policy whenever and wherever you are doing the actual gathering of personal information. Keep the link visible in close proximity to where the information is being entered by the user. This is the general recommendation from government privacy agencies.

The Children’s Online Privacy Protection Act

This law, usually abbreviated to COPPA, deals with the collection and protection of personal information from users under 13 years of age. If you:

  • Target and advertise to children under 13
  • Have a product that could reasonably be targeting children under 13, even if you don’t do it explicitly (if you have cartoon characters, for instance), or
  • Know that you have a number of users under 13

you will most likely have to comply with COPPA. You can read this document from the FTC to get an idea of what your responsibilities are. There are also third-party services, like AgeCheq, that assist developers and publishers with COPPA compliance.

The EU/US Privacy Shield

Another important aspect of privacy law for US developers is known as the EU/US Privacy Shield. This deals with personal information collected in the EU and transferred to the US. For US developers who are moving info from the EU to their domestic servers, Privacy Shield compliance is important.

There are several aspects to compliance, but the essentials are:

  • Proper disclosure
  • Ensuring third parties that you contract with are compliant
  • Using an approved dispute resolution mechanism, and
  • Self-certification

For more info on the Privacy Shield requirements and to self-certify, check out the website here.

Moving forward

That’s it. Hopefully these five posts have given you a head start on getting your indie game business up and running, legally speaking. I will continue posting articles and podcasts discussing the finer points of indie game law and business issues on my blog. Additionally, sign up for the mailing list at Indie Game Startup to be the first to hear about my new business and legal course for indie developers (including the contracts you need to get started!).