Can Unity’s new runtime fee even be implemented in Europe under data protection law?

Introduction

Unity is one of the most popular game development platforms in the world and has recently introduced a new fee structure that includes a so-called “runtime fee”. This fee is charged for the use of the Unity engine in certain commercial projects. An interesting aspect of this new fee structure is the necessary tracking of user data to calculate the fee. This naturally raises questions with regard to data protection, especially in Europe, where the General Data Protection Regulation (GDPR) applies. It is important to note that many technical details of the new fee structure are still unclear. Therefore, this article can only serve as a brainstorm for the legal aspects. In particular, the focus will be on data protection aspects. The fee structure has already received a lot of criticism from game developers, and it’s unclear how it will play out in practice.

The runtime fee and tracking

Unity’s new runtime fairy has caused quite a stir in the developer community. The model is based on the number of users who use a particular game or application. Tracking is required to determine these user numbers. However, this tracking may conflict with European data protection regulations, especially if personal data is collected. It is also important to note that the reliability of tracking can vary depending on the platform. For example, both Apple and Android have taken measures to limit tracking in the past. Therefore, it is questionable how reliable the data used to calculate the runtime fee will be.

The GDPR is a comprehensive regulation and sets strict requirements for the collection, processing and storage of personal data. Companies that operate in Europe or have European citizens as customers must comply with these rules. Violations can result in heavy fines, which can be as high as 4% of a company’s annual global sales. Given these strict regulations, it is imperative that Unity and developers using the platform fully understand and comply with the GDPR.

Consent and transparency

One of the most important aspects of the GDPR is the need for consent for data collection. If Unity collects personal data for tracking, the company must ensure that users are informed about this and give their consent. This must be done in clear and understandable language. Users must be able to revoke their consent at any time. In addition, consent must be specific to the purpose of the data collection and the data may not be used for other purposes.

In addition to consent, companies must also take technical and organizational measures to ensure data security. This could mean that Unity needs to ensure that the data it collects is encrypted and stored securely. In addition, the company must be able to effectively report and manage data breaches. The GDPR also requires that companies follow the principle of data minimization, which means that only the data necessary for the respective purpose may be collected.

Challenges for developers

For developers who want to use Unity for future projects, the question is how to bring the new fees and associated tracking in line with the GDPR. Including tracking in new apps or updates could cause these apps to violate European data protection laws. This could lead not only to legal consequences for the developers themselves, but also to a loss of trust among users. In addition, the lack of clarity on the technical details of the fee structure could lead to further legal challenges.

One option for developers could be to integrate a GDPR-compliant consent form into their apps, which is displayed before tracking starts. In addition, developers could consider whether there are technical solutions that enable tracking in a way that does not collect personal data or anonymizes it. However, it is important to emphasize that these solutions are speculative due to the lack of clarity in the technical details of the fee structure.

Conclusion

The introduction of Unity’s new runtime fee is a controversial move that raises many privacy issues, especially in Europe. Companies using the Unity engine should therefore take a close look at the requirements of the GDPR and seek legal advice if necessary. Since many technical details are still unclear, this article can only serve as a brainstorm for the legal aspects, with a focus on the data protection aspects.

Author: Marian Härtel

Marian Härtel ist Rechtsanwalt und Fachanwalt für IT-Recht mit einer über 25-jährigen Erfahrung als Unternehmer und Berater in den Bereichen Games, E-Sport, Blockchain, SaaS und Künstliche Intelligenz. Seine Beratungsschwerpunkte umfassen neben dem IT-Recht insbesondere das Urheberrecht, Medienrecht sowie Wettbewerbsrecht. Er betreut schwerpunktmäßig Start-ups, Agenturen und Influencer, die er in strategischen Fragen, komplexen Vertragsangelegenheiten sowie bei Investitionsprojekten begleitet. Dabei zeichnet sich seine Beratung durch einen interdisziplinären Ansatz aus, der juristische Expertise und langjährige unternehmerische Erfahrung miteinander verbindet. Ziel seiner Tätigkeit ist stets, Mandanten praxisorientierte Lösungen anzubieten und rechtlich fundierte Unterstützung bei der Umsetzung innovativer Geschäftsmodelle zu gewährleisten.