Legal Documents for Mobile Games

When publicly distributing your mobile game, it's important to make sure you have all the necessary legal agreements and policies in place. Not only do you need to comply with various regulations on user data and privacy, but you also need to make sure you follow app store requirements where you wish to distribute your game.

This article will highlight the most commonly needed legal agreements and policies for mobile games, why they're important, what information they should contain, and how to best display them to your mobile game users.

EULA

An End User License Agreement (EULA) is a legal agreement that does the following:

  • Grants end users a limited license
  • Sets out what the limits and scope of the license are
  • Limits the developer's legal liability
  • Declares ownership over intellectual property and other proprietary content

Your EULA will define which types of licenses you grant to users and what the limitations and restrictions of use are. Possible license limitations could include prohibitions against:

  • Reverse engineering the software
  • Cracking the software by changing the free trial end date in the code to allow unlimited usage of the free trial
  • Modifying the software or creating derivative works
  • Sharing, selling, leasing, or transferring ownership of premium accounts

An EULA is also a good place to define other usage restrictions. Those can cover exploiting bugs in the software to level up or win, developing scripts to take advantage of these exploits, or otherwise cheating and putting other users at a disadvantage.

Let's take a look at Fortnite's EULA, which defines many of these restrictions in its "License Conditions" section:

Fortnite EULA License Conditions clause

SLA

A Service Level Agreement outlines the commitments you make to your customers. It's important if you are developing a game for a client who will sell the game under their own branding.

While not an absolute requirement for games that you publish under your own copyright, it's still a good idea to include it for games with a premium tier. Remember, an SLA has the service provider's interests in mind, not the client's.

Your SLA is where you outline things like:

  • Minimum uptime (how often interruptions can be expected)
  • Maintenance (how quickly you will release patches for bugs)
  • Continuous development (how often you will release new versions and features)

Of course, only promise what you can deliver. That way, if downtime occurs and it is within the acceptable limits of your SLA, your client can't claim that you didn't fulfill your contract.

Privacy Policy

If you collect any sort of data from users, you need a privacy policy to stay in compliance with laws such as the GDPR (EU), CCPA (California), DPA (UK), and PIPEDA (Canada).

Your privacy policy should inform users which information you collect, how you store and process the data, what you use the data for, and which third parties you share it with (if any).

Let's take a look at the Niantic Privacy Policy. Niantic Labs is the developer of Pokémon GO, a popular mobile game.

The privacy policy explains which data is collected from users and why. For example, Pokémon GO relies heavily on the player's location: the goal of the game is to capture virtual Pokémon that appear in the user's environment, based on their real-time location. Therefore, it collects location-based data.

Niantic Privacy Policy excerpt

If you share any data that you collect with other companies, such as advertising companies, you must disclose that in your privacy policy. Niantic Labs makes it clear that not only is data shared with advertising partners, but some data is also shared with service providers, other players, parents, and law enforcement (as necessary).

If you share data with third parties, tell users what kind of data you share. Is it anonymized data? Under which circumstances might you share personal (non-anonymous) data with third parties?

Niantic Privacy Policy excerpt 2

To comply with privacy regulations, you should also inform users about their rights regarding their privacy. For example, tell them how they can opt out of data processing for marketing purposes or how they can contact you to access or delete their personal data permanently. Once again, Niantic Labs is a perfect example.

Niantic Privacy Policy Rights and Choices clause

Finally, it's also important to provide a notice regarding child privacy. If you don't allow children to use your services, and you don't collect any personal data from children, you can provide a brief section stating that.

If you do allow children to use your game, it's important to inform parents about it to comply with COPPA (Children's Online Privacy Protection Rule). Parents should know that they must provide consent before you collect data from children. Additionally, inform parents about their rights, such as their ability to opt their child out of further processing and to have their child's data deleted permanently.

Niantic Privacy Policy Childs data clause

When publishing an app on one of the app stores, you must also make sure that your privacy policy complies with its rules.

For example, Apple requires the following:

  • A link to your privacy policy
  • Obtaining consent before collecting or sharing data
  • Allowing account deletion within the app

Meanwhile, Google requires that you include a link to your privacy policy both within the designated field in the Play Console and within the app itself (you can alternatively include the full text of the privacy policy within the app instead of a link to an externally hosted policy). The privacy policy must be clearly labeled as "Privacy Policy."

Google requires that your privacy policy disclose how your app accesses, collects, uses, and shares user data. It should also discuss what type of data you process, with whom you share the data, your data retention and deletion policy, and whom users should contact regarding concerns about their personal data.

Xbox requires that you provide a policy notice to users when they create an account with you.

Cookie Policy

Another important section is your cookie policy. Having a cookie policy will help you stay in compliance with laws such as the GDPR and ePrivacy Directive.

Your cookie policy should inform users what kinds of cookies you use, including essential cookies, advertising cookies, third-party cookies, and tracking cookies. You should explain the purpose of each type of cookie. If you use non-essential cookies, users should be able to opt out of them.

It's good practice to put your cookie policy in a separate document, like Niantic Labs has done. You can link to it from your privacy policy.

Niantic cookies policy excerpt

Community Standards

It's important to define community standards if your game supports social interactivity between players. If players can chat with each other in the game, for example, you'll want to enforce standards that ensure people remain respectful to each other.

Overall, this section is pretty self-explanatory. You'll want to ban behavior that is aggressive or abusive, endangers children, promotes harm or discrimination, and so on.

Roblox is an excellent example. It breaks its Community Standards guidelines into several sections, including Safety, Civility, and Integrity, as well as various subsections. The Safety section contains subsections such as:

  • Threats, Bullying, and Harassment
  • Child Endangerment
  • Discrimination, Slurs, and Hate Speech

Your Community Standards can contain different sections. In general, though, your goal should be to forbid harmful behavior while using your game.

Roblox Community Standards excerpt

Terms and Conditions

Your Terms and Conditions or Terms of Use document tells users how they are allowed to use your game. It's a general document that often incorporates several other legal documents, such as the EULA and Community Standards.

Let's take a look at the Terms of Use of Innersloth, the creator of the popular mobile game Among Us. It features a Prohibited Uses section, which restricts users from cheating, trying to hack a game, or using a game to send spam.

Innersloth Terms of Service: Prohibited uses clause

Your Terms and Conditions is also a good place to address termination, limitation of liability, governing jurisdiction, and indemnification. All of those concerns are addressed in Innersloth's Terms of Use.

Furthermore, the Terms and Conditions is a good place to talk about in-app purchases, fees, and what happens when users delete their accounts. Are you required to provide a refund? Let's see how SayGames, a popular developer of mobile games, does this.

SayGames Terms and Conditions excerpt

The Terms of Use is also the right place to talk about other payment fees.

If your game requires a subscription, what happens if a payment method fails? Will users lose access to the platform? Will they lose access to special perks, such as virtual items, and how soon do they have to pay their subscription to restore access before such data is deleted permanently?

If you offer a free trial, you should also make it clear that if users don't cancel, they will be charged automatically. You should also inform users how they can cancel their subscription to avoid auto-renewal. For example, SayGames gives users 24 hours before the renewal date to cancel their automatic subscriptions.

SayGames Terms and Conditions excerpt 2

App Store Requirements

When publishing an app to the app stores, you must also comply with their requirements.

Google

If you allow account creation, Google requires that you include a delete account URL. Users must be able to delete their account within the app and from outside the app (so they can request account deletion even if they deleted the app from their devices). This URL must also be entered into a special field in your console.

When a user requests that their account be deleted, you must also delete all personal data associated with the user and not just freeze their account.

If you collect any data that is not within reasonable expectation of what would be required for the game to function properly, you must include an in-app disclosure. This disclosure must be prominently displayed within the app and be separate from your privacy policy.

Furthermore, you must display this disclosure via a pop-up if you ever request that the user consent to data collection or runtime permissions during in-app usage of the game. You must obtain clear and unambiguous consent to this disclosure via ticking a checkbox before you can proceed to collect such data. Simply navigating away from the page or closing the pop-up does not count as giving consent for this purpose.

Google also requires that you fill out a Data Safety form that talks about how you collect, use, and share user data. This form can be found in the App Content section of your Play Console. You'll need to explain which data you collect, what you do with the data, and whom you share it with and why.

Apple

Apple has the following requirements for developers:

  • Obtain consent before collecting user data and before using and sharing someone's personal data
  • Only use the data for purposes for which consent was given
  • Allow users to withdraw consent at any time
  • Not secretly build a profile on users based on their behaviors
  • Only request access to user data as necessary for the app's features
  • Allow users to use the game without an account if your game doesn't include significant features that are only possible with an account
  • Allow users to delete their accounts within the app if account creation is allowed
  • Only request access to contact details (such as name and email address) if you make it optional for users to provide this information
  • Only use location services if necessary for the game
  • Comply with COPPA if the game is targeted towards children

Xbox

Xbox has the following requirements for developers:

  • If your product contains user-generated content, you must make Terms of Service or Content Guidelines available to users
  • You cannot request additional data from players other than information already provided by Xbox
  • Gain consent before linking the user's existing account (which may have been created on your website) with their Microsoft account, and allow users to de-link their accounts
  • If a separate account with you is required for users to play the game, disclose that in the title

How to Get Consent for Your Legal Agreements

The best way to get consent for your Terms and Conditions and Privacy Policy is to require users to check a box or click a button confirming their consent when they first use the app after downloading it. Here's an example:

8 Ball Pool accept button

Summary

When publishing a mobile game, don't overlook the legal requirements. You should have the following:

  • Privacy and cookies policy
  • EULA
  • SLA (if developing the game for a client)
  • Community Standards
  • Parental Consent Form

Make sure you are also complying with all of the app store regulations, such as including a delete account URL for the Google Play Store.