On May 25, Europe’s Data Protection Regulation (GDPR) laws will go live. Companies doing business in the European Union will need to comply with a new set of regulations designed to protect the private data of Europe’s citizens. The new regulations will require more overt explanations of private data being collected, how it will be used, and—in specific cases—the hiring of a Data Protection Officer to oversee compliance.
As a result, the cost of doing business in Europe is about to go up. It costs to come into compliance with the new directives, and it’ll cost more to operate in Europe going forward. It’s the strictest set of government privacy laws regulating data on the internet so far, and it’ll be years before we understand its full effects.
Some companies are already feeling the burden. “I'm very sad to announce that Loadout's end of service will be on 5/24/2018,” the online shooter for PC Loadout said in a prepared statement on its Facebook page. Loadout had several reasons for shutting down—including increased costs unrelated to the new regulations—but the GDPR was at the final straw.
“There is a pretty lengthy list of changes required by GDPR,” Rob Cohen, Loadout’s CEO, told me via email. “We’d have to update our client, server, database, and more. It’s a pretty big amount of development work for a game that is no longer in development.”
The GDPR requires companies collecting data have to make that data available to customers upon request within one month, totally free. If that customer wants their data deleted, the company must also be able to completely scrub them and all their data from its systems.
Existing customers will have to positively opt back into data collection, which means Loadout would need to contact everyone they’ve ever collected data from over the past few years.
“It's tricky, because it affects every aspect of software, and the regulations are very particular, but they don't anticipate the huge variety of uses of data,” Cohen said. “Any piece of software with any kind of memory is fundamentally about collecting and processing data, and suddenly everything has lots of new constraints on collecting and processing data…I'm still trying to understand what they want—very unclear and complicated.”
Cohen said he can’t just update his old systems to work in the new system. “Loadout is dependent on legacy third party services that are being discontinued rather than overhauled for GDPR compliance,” Cohen said. “It's a lot of work to rewrite online platforms like Ubernet [Loadout’s network back end] and Loadout to follow those prescribed methods. It touches a lot of pieces, and there are no allowances to grandfather old software or meaningful exceptions for small companies. The potential penalties are astronomical—up to 20 million Euros per infraction or 4% of revenue, whichever is greater."
Cohen didn’t give me a detailed breakdown of the cost, but said the total number would be in the six figure range. It’s too much for an independent publisher. Loadout was Team Fortress 2-style shooter with Loony Toons violence with a small, but dedicated fanbase.
A lot of the compliance costs come down to overhauling the third party systems that ran the game. Some companies operating in Europe, such as Loadout, are shutting down or starting over rather than updating. “There is still a significant burden on small companies to be compliant,” Cohen said.
The size of Loadout’s team made compliance an issue. Larger companies will absorb costs and move on. “For small companies, they probably need to have a couple people working on GDPR issues for one to two months,” Cohen said. “Every product and company is in a different spot in terms of resources and profitability. Some will be pushed over the line, like Loadout and some of the services that Loadout depended on.”
Loadout is far from the only game GDPR is killing. Free-to-play MMORPG Ragnarok Online is shutting down its European servers. The MOBA-style shooter Super Monday Night Combat is also shutting down.
Uber Entertainment developed Super Monday Night Combat and maintains the network back end for both it and Loadout. “The changes needed to allow us to meet the specifications of the GDPR would mean we either need to rewrite large parts of Ubernet or port the game to run on Playfab [a backend platform owned by Microsoft],” Uber— Super Monday Night Combat’s developer—told Rock Paper Shotgun. “We’ve tried to keep the game going as long as we could as it was break even or close to break even on monthly server costs up until now, but both of these options are unfortunately out of range of the budget we have set aside for Super MNC.”
According to Cohen, that’s just a small sampling. “I have recently heard from some other small developers that are panicking, and figuring out their next steps. Hopefully things work out for them,” he said.
Cohen said that making a new game that follows the regulations will be less expensive than brining Loadout into compliance. Still, he wishes things could be different. “I think it should be up to the consumer to consider the tradeoffs and make their own choices, provided everything is up front and disclosed,” he said. “I passionately value privacy and protection of privacy. It’s really just a matter of making sure we have the right regulation and understanding that going too far has consequences, especially for small businesses.”