"None of our competitors are compliant." is NOT a sensible GDPR strategy.

So I am sitting here now in a daze after a conversation with two lead privacy counsels for a global video game company where for thirty minutes I heard nothing but excuses about why they are not compliant with EU law.

First and foremost it should be noted that I contacted them both, as a player of one of their popular titles, out of respect given that I was connected to them both - rather than my usual route, which is to simply file a complaint. So I went into this conversation with a mind to discuss the situation and find solutions.

Unfortunately, from the onset it became clear that they were approaching this from a completely different perspective of trying to blow smoke up my ass.

The image in the head of this article is a screen shot of the consent mechanism for the game and it does not comply in any way with either the GDPR, the ePrivacy Directive or the Planet49 judgment from the Court of Justice of the EU in October.

The notice is misleading (uses dark patterns) and the information provided does not meet the transparency requirements of GDPR.

There is no information about parties with whom they share data;

There is no information about what specific data is processed;

There is no information about the purposes for which data is being processed;

There is no information about retention periods;

There is no information about Data Subject rights;

I could go on but to be clear there is not a single GDPR transparency obligation which has been met in this case.

Furthermore, the privacy policy is bundled with other terms and contracts - this is not permitted under GDPR. There is no opportunity to Reject (simply a big Accept button) and if one does happen to click on the more information link one will find that they are Opted-In to marketing and data sharing by default with pre-ticked boxes (in direct conflict with the Planet49 judgment).

There is active use of analytic and marketing SDKs which are not mentioned anywhere - the only reason I know about them is because they mentioned them on the call. Use of these SDKs without consent does not comply with the ePrivacy Directive or the Planet49 judgment.

After explaining these issues to them both (one is head of Global privacy and the other is head of EU privacy) in a very friendly and approachable manner - I was simply handed a barrel of excuses:

"None of our competitors are doing any of these things so we can not be the first to do so."

"CNIL told us we *must* wait for their new guidance in 2020 before complying with the law."

"We can't do anything which isn't in line with ICO, Spanish and other SA guidance."

"We know there are some issues with the text and we have a roadmap to fix it" (note this particular game was released *last week* so they released a new product to market *knowing* that it did not comply with the law)

When I calmly explained to them that I was talking to them as a data subject who has had his fundamental rights violated by them and as such I am not interested in what their competitors do, what guidance they are waiting on or any other excuse - I am interested in what the law says and how case law has interpreted it - they simply repeated the same excuses (several times in fact).

So let me lay a few things on the table to help clarify some of these points.

  1. Relying on how bad your competitors are at compliance as a strategy for your own compliance is a piss poor strategy and frankly anyone who uses this as a strategy should be fired. The law does not say "do marginally better than your competitors" - the law says you must comply with these specific obligations.
  2. I know *all* the supervisory authorities and have met face to face with most of them. Guidance from Supervisory Authorities is not legally binding (and funny enough, when marketing teams see guidance which is an impediment to their desired activities they always make this statement); the law is, and case law makes that absolute. There is nothing I raised today with this particular company which, if they fixed it, would be in violation of any supervisory authority's guidance (now or in the future). It may well go above their baseline requirements, but given that such guidance cannot contradict case law from the CJEU - complying with such judgments will *always* be acceptable to regulators.
  3. Releasing a new product using policies which you *know* (and have documented) is not compliant places you at severe risk under Article 83(2)(b) of GDPR and in fact under the German Fining Schedule could see your penalty vastly increased from baseline daily rate. In fact if we use the schedule to calculate a penalty for such a breach using only moderate factors, the minimum penalty (before aggravating factors are taken into account and based on 2018/19 reported revenues) for this particular corporation would be 5.5M Euros with an upper limit of 44.5M Euros and a mean of 37.5M Euros (adjusted for aggravating factors under Article 83(2)(b) of GDPR).

Sadly, I am seeing a great deal of similar decisions being made by global corporations, and the fact that Supervisory Authorities are dragging their heels doesn't improve the situation and is being used as one of the excuses for non-compliance by companies.

Furthermore, after discussing my concerns they then asked me to provide them with information about how my other clients are managing these issues. To be clear here, I was talking to two qualified lawyers and they were asking me to breach the confidence of my clients because they had failed to do their own job. It didn't stop there: they wanted me to do a great deal of research for them on how other companies are managing this on a global scale, and after I explained to them that I was approaching them as a data subject, not as the CEO of a company which works with global companies on compliance issues (and if they wished to engage on that level it would need to be a separate conversation) - they quickly back-pedalled and said they have an entire team of privacy experts working with them so they are confident they can manage on their own (which is clearly not the case given the existing evidence).

So now after attempting to be nice and resolve this with them in a friendly way - I am forced to file legal complaints against them on behalf of myself and my friends who also play this game. This could all have been avoided by simply following the law instead of ignoring it and making excuses.

So my free advice to everyone reading this who has a similar GDPR strategy, is (and I said this to them as well):

  1. Stop making excuses;
  2. Stop delaying the inevitable;
  3. Stop basing your strategy on how bad your competitors are;
  4. Create a "best-in-class" privacy strategy which you can market as a competitive differentiator, build trust and loyalty in your brand and comply with the law.

Because if you don't then don't be surprised when it bites you in the ass.
Jessica Lam

Chief Legal Officer @ UMINA | Legal Strategy and Regulatory Compliance with a particular focus on Data Protection

4 years

Some months ago, I read that the NHS is accepting gaming-addicted youngsters aged 13 to 25 because, sadly, it has become a global issue. Since you are taking action, it would be good to ask them if their target audience includes children. If they do, how do they comply with the specific requirements to properly protect the interests of the children; and if they don't, what are the measures in place that evidence that they don't let children get access, e.g. systems or processes designed to limit access, the information provided to users. Good luck with this and keep us posted :)

Kris Long

Principal Consultant at Vorago Security

4 years

Nice post.

You need a ‘ready-to-roll’ weaponisation strategy that can handle volume. Ask a marketer!

Roy Smith

CEO at PrivacyCheq

4 years

We deal with this issue often with game publishers - it's a true fact that when a game begins to comply with COPPA, the added friction will hurt their user acquisition numbers. So a company that "does the right thing" by complying before the herd is actually disadvantaged in the marketplace. This leads to the "tipping point" situation we see happening today with GDPR where publishers are all sitting on the sideline, waiting for the enforcement event that will drive everyone to comply so they don't have to be the first. THIS is why regulators have to go to work early and with meaningful enforcement - to convince the herd. When that tipping point is reached, 50-60% of the "wait and see" companies will comply.