I’ll use an example to set the stage for the discussion:
Little Jill Jellybean is a new user to Facebook. She signed up because everyone in her peer group was on there and South Park had an episode on it (so you know it’s a moral imperative to join). A friend posts on her wall about an exciting new game, so Jill installs the application, Uranium Enrichment City, and begins playing. Jill builds the foundation of her nuclear core, but quickly finds that the only way to enrich uranium quickly enough to become a higher level atomic scientist is through microtransactions, so she puts in some money to buy spent fuel rods. Also, since her reactor may melt down without constant monitoring, she utilizes the Enrichment City application on her smart phone to monitor radiation levels. Things progress marvelously.
It all seems so innocent… but there lurks an unspoken legal reality beneath the playful surface: Little Jill Jellybean’s interaction with the game may touch upon 4 or more privacy policies (with 4 or more separate entities collecting information relating to her and her activities).
We can see where the different privacy policies come into play when we break down the example:
- Smart Phone: When Jill boots up the Enrichment City mobile application, the smart phone may begin to collect information about her, such as her name, location, usage habits and so forth, and transmit that information to the developer of the smart phone’s app platform.
- Social Network: The game resides on a social networking platform, where it can access Jill’s friend ecosystem and grow through a variety of viral means. While Jill plays, the social network will collect information relating to Jill (namely the information she puts on her profile), and perhaps how Jill is interacting with the applications on the platform (which applications Jill is downloading, how much money she is spending on those applications, etc.). Jill may get her friends involved in this process by inviting them to assist her in the development of her heavy water reactor, for example.
- Social Game Developer: As Jill enriches uranium with breathtaking efficiency, her interaction with the game will also be subject to information collection. The game may ask her to register an account or perhaps it will receive information from the social network or the smart phone relating to Jill’s user characteristics.
Now, Jill has presumably agreed to each one of these privacy policies at some point (if not actively, then passively through use). However, Jill may not be aware of which activities are being governed by which privacy policies and how that information is being transferred among the entities associated with the application.
Explain how the entities are involved. You may not be able to state what information the associated entities are collecting (particularly since this is likely a moving target), but you can explain to your user how the various entities are related to your game. For example: