You may have received a flurry of emails from various companies relaying that they had updated their privacy policies. These changes stem from the California Consumer Privacy Act, which went into effect January 1, 2020.

But for us at Kongregate, our "privacy for all" mindset did not start in 2020 because of CCPA; we overhauled our privacy policy back in 2018, when CCPA’s “father,” GDPR, went into effect. Instead of just throwing all these abbreviations at you, let us further explain what all this means.

What is the GDPR?

The General Data Protection Regulation -- or “GDPR” -- is a set of European regulations introduced by the European Union to protect online information and privacy by granting citizens and residents of the EU more control over their personal data. These regulations went into effect May 25th, 2018.

Okay...what exactly does that mean?

In the most normal human speak I can manage, the GDPR was created with the end goal that companies be more responsible with user data. In this particular context, the word “responsible” includes (but is not limited to):

• Clearly Outline Real and Legal reasons to collect data: In an attempt to prevent companies from just collecting all the information they possibly can, companies need to provide a rationale for collecting your data.
• Setting rules for how long data is kept and sticking to deletion schedules: Companies should not be keeping your data forever. Much of this is security-related or policy-based
• Writing privacy policies people without law degrees can read and comprehend: The good news is that we are not writing sneaky legal jargon where you signed off your firstborn without knowing it, but we do need to explain lots of obligations and rights. While we attempt to write in “plain English,” there are some privacy concepts that are a bit complicated, quite dull and uber-long.

How does ::gestures arms broadly at everything:: this affect Kongregate?

Many companies affected by the GDPR have resorted to making memes with which to channel their frustrations and anxieties, because it truly is a lot of work, no matter the company size. And because GDPR is only an obligation on the company’s part for EU residents, many companies will only extend these rights to the European users.

Here at Kongregate, however, we believe in fairness and doing the right thing. So, although GDPR applies only to EU residents, we extended these rights to ALL of our users, regardless of where they live. Furthermore, we’re “glass half full (and also it’s not water; it’s your favorite flavor of ice cream)” kind of people, so we saw it as an opportunity. What kind of opportunity, you ask? The opportunity to adopt a “Privacy First” mentality: building new processes consciously, and critically examining existing processes with an eye that asks, “How can we be even more responsible with our data?”

What did Kongregate do to prepare for GDPR?

There are two kinds of people in the world: people who will shiver with excitement at what I’m about to say, and people whose brain will turn off and they’ll scroll past this section entirely.

No matter what kind of person you are, it’s important you understand that we take data privacy very seriously, and consider this work the first step in what will be a continuing process of iteration, learning, and improvement.

Documentation, Process, and Training!

• Documentation: Part of being compliant means taking stock of what data you’re collecting, why you’re collecting it, how long you’re collecting it for, and many, many other fields explaining how we’re taking and caring for our users' data. The GDPR requires this so that companies can prove that they’re showing their due diligence.
• Process: We added (then documented) a bunch of new processes to complement this documentation due diligence. These processes are for all sorts of things related to data.
• Training: Part of GDPR compliance is training the entire company on these new processes, and what the GDPR means, and what privacy means, and how it affects the company. (The secret to successful company-wide training is to chug a Pumpkin Spice Cold Brew beforehand. Trust me on this.)

What does the future look like?

It looks like a glass half full of your favorite flavor of ice cream! (In our case the flavor is “GDPR compliant.”) I mean, of course, it means continued documentation, continued process, continued training for us all. Additionally, to be real for a moment, GDPR was just the beginning. The California Consumer Privacy Act had everyone kicking off 2020 with privacy matters, and there’s really no doubt more are to follow. But complying with privacy laws is nothing that a company with a “Privacy First” mentality like us can’t tackle.

Just so you know, as we did with GDPR, we are extending CCPA rights to each and every one of our users, not just those in California. Cheers to you and cheers to us!