CFPB Banking in Video Games and Virtual Worlds

CFPB Banking in Video Games and Virtual Worlds

April 25, 2024

CFPB Banking in Video Games and Virtual Worlds

By: Jordan Briggs

Converting your dollar to donuts,[1] or whatever in-game currency you choose, has never been easier. As microtransactions online become easier to execute and more prevalent, the in-game economies start to resemble traditional banking—minus the standard banking protections. This issue is not lost on the Consumer Financial Protection Bureau (CFPB).

Earlier this month, the CFPB released an Issue Spotlight on “Banking in video games and virtual worlds.”[2] The report finds that (1) the immense value of gaming assets has led to the creation of new financial products and services; (2) these new financial products and services do not have the same consumer protections as traditional banking and payment systems, despite increased reports of hacking, theft, and scams; and (3) gaming sites and third parties can collect, sell, and trade immense amounts of surveillance data about users, further exposing players to risks of hacks, fraud, theft, and scams.

In identifying which parts of this new financial system expose gamers to the most risk, the CFPB report focuses in large part on “third-party systems” that “facilitate the buying, selling, and trading of in-game currency, virtual items, and even entire player accounts.”  These third-party systems include both those engaged by the gaming site and unaffiliated secondary markets. The report highlights that these systems can expose players to scams and hacks that can result in the loss of both in-game and IRL[3] funds with very few, and often no, options for recourse.

The CFPB identified two main ways that third parties expose players’ data. The first is through misleading terms and conditions. Third-party sites and their use are governed by their own terms and conditions. The CFPB warns that these terms and conditions can mislead users or obscure the risks of using the site. For example, many games and third parties collect comprehensive behavioral data to allow for targeted ads and more personal tailoring of gameplay, but these sites may not tell users (1) how much data is collected (2) from where or (3) how it actually affects gameplay. In some instances, behavioral data collection is so comprehensive that a user’s offline habits can be easily deduced and recorded. Third parties may offer donuts for watching advertisements or turning on location services or providing survey responses, but gaps in the terms and conditions leave the door open to “risks like credit card fraud, malware, and identity theft.”

Second, the third-party system itself may not be secure. The CFPB warns of an industry-wide security issue, evidenced by increasingly more common data breaches and hacks. These third-party systems need to collect information about the game user, connect it to their gaming account, and then process payments from the user. If the third party is not vigilant about privacy and security, or is itself fraudulent, the CFPB warns that this personally identifiable, behavioral, and financial information can be exposed. Particularly, the report cautions that third parties helping users barter or sell in-game currency may expose users to heightened risks of malware and privacy risks.

Finally, the CFPB tells companies to “take appropriate data security steps” as these markets evolve. Though the agency does not lay out these steps for companies, it is evident from the risks the CFPB highlights that handling large amounts of sensitive data requires clear terms and conditions and a commitment to functioning data security.

From our experience, third party system operators can make their terms and conditions more transparent by telling users up-front (1) who is party to the terms, (2) that the terms are a contract and are enforceable as such, (3) when the terms become effective, and (4) when changes to the terms may be made and become effective.

Further down in the terms, operators should also include a section on how user data is used and/or sold by the operator. This section can address different types of user data, for example, offering different disclosures and information on how each of banking information, personally identifiable information, behavioral data, user-generated content, and gameplay statistics are used by the operator and/or sold. Operators may also consider adding disclosures to specifically address how behavioral user data may affect gameplay. Any section in the terms and conditions about user data should also be cross-referenced with the system’s privacy policy and reflect the same disclosures.

Even though the report is meant to remind consumers to be vigilant about their own data, third party system operators can also heed the reminder to be clearer about what player data may be exposed by using the system. Clear terms allow for better informed consent and more robust contract protections.

The CFPB is monitoring this industry closely and publicizing complaints against companies made by consumers. Additionally, the CFPB is referring any non-public complaints, including of criminal activity, to the appropriate agencies, including law enforcement.

[1] Donuts are an in-game currency in The Simpsons: Tapped Out mobile game. As with many in-game currencies, a small number may be accumulated for free, but you may also purchase donuts at a starting rate of $1.99 for a dozen donuts or up to $99.99 for 2400 donuts.

[2] https://www.consumerfinance.gov/data-research/research-reports/issue-spotlight-video-games/

[3] In real life.

Jordan Briggs

Jordan Briggs

Jordan Briggs’ experience in government, in-house, and in private practice at one of the country’s most renowned global law firms informs her multi-dimensional approach to risk management and compliance across a broad range of sectors and issues.

Massachusetts Cracks Down on Gambling at Internet Cafes
Ifrah on iGaming |
Jul 15, 2011

Massachusetts Cracks Down on Gambling at Internet Cafes

By: Ifrah Law

Subscribe to Ifrah Law’s Insights