
This article is written by Vasu Manchanda, a student of Faculty of Law, Delhi University.

Introduction

Ludo King is a free-to-play mobile game application developed by an Indian company named Gametion Technologies Private Limited. It is readily available on iOS, Android, Kindle, and Windows smartphone platforms. It follows the traditional rules and old-school look of the Ludo board game. Ludo can be described as the modern version of the royal game of Pachisi that originated in medieval India and was played between kings and queens in ancient times.

Though it was launched in 2016, it has recently risen to fame amidst the nation-wide lockdown due to the COVID-19 pandemic. It is widely advertised on television and YouTube channels in the form of a song that claims the application to be the best in its domain. It features famous pop singer Mika Singh. With over five million reviews, four ratings, and a hundred million plus downloads on just Android phone platforms, it is one of the most beloved free gaming applications among people of all age groups.


Ludo King might be free to download intrinsically, but in order to access it, the app operators seek users’ consent to access, collect, store, and share their personal and non-personal data with third parties. By consenting to such a privacy policy, users end up trading their personal information to play a game as harmless as Ludo.

It is imperative to mention that though the users give their consent voluntarily, in the absence of negotiating power, the same is not an informed and prudent choice. While the privacy policies of the majority of mobile applications operational in India are beyond the comprehension of a layman, or someone not belonging to a legal background, an attempt has been made by the author, in this article, to demystify the application’s privacy policy, for the greater benefit of readers and users (of the application).

Privacy policy  

As per the privacy policy, the users, by consenting to the agreement, give an unfettered right to the app operators to collect, record, and use “any” personal and non-personal information provided by the users. They can collect the same without further permission when a user accesses any of Gametion Technologies Private Limited’s applications or services, visits their website, registers for contests and/or events, accesses their services using a third-party ID such as social media sites or platforms such as Facebook, purchases any product or service within the application or through the company’s online store, requests technical support, or uses ‘email this page’, ‘share this code’, ‘tell a friend’, or any other similar feature available on the application.

It is pertinent to mention that the collected personal identification information of the users may include but is not limited to a user name, password, IP-address, device ID, and email address. The same can be supplemented by the parent company with data received from third parties pertaining to advertisement, demographic, market, analytics survey, and/or services. Further, non-personal identification information collected includes but again is not limited to – the type of device, Device ID, model and brand of device, MAC address, IP address, application usage data, hardware type, installed software, browser information, unique identifiers in browser cookies, HTML5 local storage, operating system information, flash cookies, internet, online usage information, in-game information, country, location and whether the user is using a point package. It is noteworthy that the phrase “includes but is not limited to” emphasizes the fact that the app operators might collect any other information also that may not be mentioned in the privacy policy and for which the consent is not given.   

Furthermore, it has been stated that the app operators may obtain information from other sources and combine the same with information collected within the gaming application. This implies that if users log into the Ludo King application from any third-party site or social media platform such as Facebook (the preferred choice of users), the app operators may access their personal or non-personal information readily available on such a site or platform, such as their profile photo, screen name, and friend list. Not only this, but the app operators also get the right to collect information about the users from the App Store (on iOS) or Play Store (on Android) from where any of the parent company’s applications are downloaded or updated.

It is noteworthy that by logging into the application using a third-party site or platform, it is warranted that the user is above thirteen years of age. It can be inferred that a user below thirteen years of age can also access the gaming application by simply lying about his/her age, as no verification of the same is required. This defeats the very purpose of having the age restriction in the first place.

While the app operators do not collect any data about users’ credit card, billing information, phone number, email address, and home address, as the same is stored by Google instead and the company (Gametion Technologies Pvt Ltd.) only receives an order ID or transaction ID for any transaction, they do collect personal public information such as users’ user name, profile photo, Facebook name, profile photo, user ID, location, etc. “Etc” in the end implies that the above-mentioned details are only illustrative and not exhaustive. App operators may collect more personal data if they deem necessary without any notification. 

The object stated behind the collection and storage of personal data is the enhancement of gameplay experience, and the rationale behind the collection, storage, and usage of non-personal information is, in addition to that, to provide data for third party analytics and advertising purposes. 

Collection of social media data

Subject to the terms and conditions of social media applications, the app operators may integrate social media services in the games’ competitive services for sharing scores and achievements between users and non-users. This means that logging in from a Facebook account allows the app operators to share users’ scores and achievements with the general public or the friend list of the users, depending upon the configuration option provided by the social media entities. Thus, when users access the gaming application through Facebook or other social media accounts, the app operators get unbridled access to users’ social media data, such as name, user ID, email address, current city, birthday, gender, profile photo, URL, and also the user IDs of the users’ Facebook friends who have connected their social media accounts with the application. In addition, the app operators can also cache data that they receive from Facebook or other social media applications to improve their users’ experience.

Storage of data 

Data collected by the app operators is stored by them for as long as they deem necessary for the following purposes – to provide, maintain and improve the application; develop new applications, sites, and services; provide and deliver products, services, news, updates, security alerts, send technical notices, support and administrative messages; monitor and analyze trends, personalize content, link information collected from others; and carry out any other purpose for which the data was collected. It is pertinent to mention that the data will be stored further by the company to establish, exercise, or defend a legal claim or to comply with applicable law.  

It is imperative to mention that data stored with the company is deleted or anonymized as soon as it stops serving any of the above-mentioned purposes. However, it can be further retained according to the discretion of the app operators for a maximum period of three years after the interaction of a user with the company has ceased. This creates ambiguity and arbitrariness concerning the decision to store users’ data beyond the stipulated period.

Sharing of data 

App operators have the right to share users’ data with third parties with whom they have a strategic relationship, for instance, analytics providers and ad networks. Further, in accordance with the General Data Protection Regulation, the advertising ID of users can be shared with advertising network companies for the objective of serving behavioral advertisements to the users within the application.


Disclosure of information

Personal data of the users can be disclosed by the app operators if they are required to do so by law, or law enforcement agencies; to prevent a serious crime or situation of emergency, and/or to their business partners or organizations that provide payment processors or hosting services to Gametion. It is noteworthy that in any of the above-mentioned circumstances, a written record of such disclosure is to be made by the company.  

Further, the parent company reserves the right to disclose the collected personal data of users for the objective of advertising by the company, its partners and contractors, or by third parties employed by it for ad serving technologies. 

The collected non-personal data can also be disclosed for analytic services by the company or its partners and contractors. The same may also be accessed and used by third parties employed by the app operators. The information collected may include but is again not limited to the user’s device type, device ID, IP address, MAC address, software, hardware type, brand, model, operating system and browser information, country, time zone, geolocation, usage information, and in-game information.  

What the privacy policy fails to explain is why geolocation, profile photo, user IDs of users’ friends on the social media platform, and other personal details are required to enhance the gaming experience of the users.

Remedy to prevent sharing of data

The only remedy offered to users who do not want the third-party ad-serving and analytics technologies integrated with the Ludo King application to collect and use their data is not to access the gaming application altogether.

Furthermore, the app operators have absolved themselves of all accountability for the privacy practices of linked websites and online services – links of which are provided on the gaming application. It is pertinent to note that the operators of such linked websites may collect, use, and disclose information of the users without their consent. In this regard, the users are advised by the app operators to review the privacy policies of such third-party linked sites before accessing them from the application. Thus, the onus is on the users not only to read the privacy policy of the gaming application but also of all third-party linked websites and online services before accessing its services.

Security of the stored data 

It has been stated in the privacy policy that while the app operators follow the generally accepted industry standards and take reasonable safeguards to ensure the integrity, privacy, and security of the users’ information in their possession, they do not guarantee that their security measures will prevent hackers from illegally obtaining access to such data. They do not warrant that users’ data will be protected against any loss, alteration, or misuse by third parties. However, if such an event occurs, the users shall be notified in not more than seventy-two hours of such occurrence.

It is pertinent to note that users are not apprised of what generally accepted security practices are being followed by the app operators. This creates a paranoia regarding the application’s security features.

Rights of users 

 As per the privacy policy, the following rights are granted to the users: 

  • The right to request access to the data that the app operators are processing on them. This includes information about the purpose of processing, categories of personal data, recipients to whom their data has been or will be disclosed, and the duration for which their data will be stored.
  • The right to obtain a copy of the above-mentioned personal data undergoing processing. However, access to the same can be restricted by the app operators if they feel that it concerns trade secrets or intellectual property of the company. It is noteworthy that this condition can give rise to arbitrariness and reduce transparency on the part of the operators to restrict access to the users.
  • The right to object to the processing of their personal data. However, the same can be denied by the operators if they feel that there are compelling legitimate reasons for processing data that override users’ rights, interests, and/or freedom, or if processing their data is essential to defend, exercise, or establish some legal claim. Again, there is no transparency or set ground on which users’ right to object to the processing of their personal data can be denied.
  • The right to receive personal data being processed by the app operators in a commonly-used, machine-readable, and structured format.
  • The right to rectify or erase inaccurate personal data on the fulfilment of the following conditions – if the same is no longer necessary for the purpose for which it was collected, user’s consent is withdrawn, there is no legal obligation for processing the data if a user has objected to the processing and there are no overriding legitimate grounds to deny the request, in compliance with central or state law, and/or if the personal data has been unlawfully processed.
  • The right to transmit data so obtained to another controller in case the processing is based on contract performance or consent. 

The above-mentioned rights can be exercised by the users by sending an email to [email protected]. A request is processed by the app operators in a maximum of a month, i.e. 30 days, unless a longer time is required due to the complexity of the request. In the latter case, up to three months can be taken by the app operators to respond.

Right of the company

It is imperative to mention that the company has an arbitrary right to modify, update, and revise the privacy policy from time to time without any further notice to the past, existing, or new users. The onus is on the users to check regularly for any updates or changes in the terms and conditions of the policy. Their continued use of services shall denote their acceptance of the subsequent changes in the privacy policy.  

Concluding Remarks

From the terms and conditions of the privacy policy, it cannot be ascertained whether the app operators are complying with the rudimentary data protection provisions of the Information Technology Act, 2000 (“IT Act”) read with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. The rules set out obligations for the collection of sensitive personal information, which includes passwords and other information that is not freely available or accessible in the public domain.

The privacy policy is arbitrary and one-sided. In the absence of privacy legislation in India, users have no adequate legal recourse other than to claim a violation of the adequate provisions of the IT Act. However, even the Act does not address all the persisting data protection issues and needs to be revamped.

Thus, the only plausible solution for users to safeguard their personal and non-personal data is not to log into the Ludo King application using a third-party site or platform such as Facebook, via friend invite, or sharing requests. Rather, users can access the application as guest users by setting a user name and animated profile photo in order to play Ludo online with their family, friends, and/or strangers.

