It is not just a click: protection of in-game behaviour data as biometric data under the GDPR

Abstract

This article investigates the potential classification of players’ in-game behaviour data from basic computer peripherals, like keyboards and mouses (behavioural telemetry), as biometric data under the General Data Protection Regulation (GDPR). Modern technologies allow these types of data to reveal a wealth of personal information, including age, gender, emotional states, collaboration abilities, problem-solving skills, economic status, consumption habits, and character traits. The analysis is structured into three sections: understanding the nature of in-game behaviour data, assessing its alignment with the GDPR’s definition of biometric data, and examining the repercussions for gaming companies if such data is deemed biometric. The conclusion asserts that behavioural telemetry and gameplay metrics can indeed be considered biometric under the GDPR, as it plays a crucial role in player identification and exhibits similarities with biometric systems in the context of game analytics processes. This classification implies heightened legal responsibilities for gaming companies, triggering risk-based provisions within the GDPR. The article introduces a novel perspective by suggesting that seemingly innocuous in-game behaviour data may fall under the purview of biometric data.