Legal challenges for devs in the augmented reality space

The recent phenomenon Pokémon Go was downloaded onto more than five per cent of Android phones in the US within just two days of its release and exceeded both Snapchat and Twitter in terms of daily active users.

And it demonstrates the rising power of augmented reality in the gaming industry. It’s been estimated that the AR market could account for $120bn by 2020, according to Digi-Capital.

Facial recognition, geo-location and real-time data harvesting via AR games allows for novel legal challenges. Developers will find themselves alongside other stakeholders in the AR ecosystem, including game owners, advertisers and analytics service providers. The potential liabilities are significant which makes it important to pin down as far as possible the responsibilities and roles of the parties. Various legal challenges may also arise in relation to copyright and advertising.

Data Protection

AR is a rapidly expanding technology but it’s important to keep in mind that deployments of AR must still fit within the UK legal framework for data protection if data relating to identifiable individuals are being collected or otherwise used.

Personal data means data that relates to a living individual who can be identified using those data or other information which is in the possession of, or is likely to come into the possession of, the data controller. Personal data can include:

• Name
• IP address
• Social-media handle
• Email
• Geo location
• Appearance
• Health.

A basic requirement of UK (and EU) data protection law is that individuals have to be made aware of how their data will be used, shared and handled and which entity is responsible. This is typically done via a privacy policy.

Failure by AR companies to comply with data protection rules can have significant consequences. Breach of data protection law can result in fines of up to £500,000.

As well as the need to be transparent and keep their data properly secure, users have the right to a copy of their data, and to have it deleted in certain circumstances; processes need to be in place to enable this. Building up big datasets about a large user base could sound enticing, but it brings significant responsibilities.

Much of the data collected by AR will be personal data. For example, the Pokémon Go app asks for access to the user’s camera, contacts, GPS location, and SD card contents. Given AR’s capacity for “always on” data recording, there is the potential for significant amounts of data to be collected which could be linked back to the user – even if that is not the intention. Developers should therefore be aware of one of the key data protection principles: personal data collection must be adequate and relevant for the specific purpose but not excessive.

Security

Like any rapidly evolving technology ecosystem, AR will be inherently vulnerable to security breaches. The potential for rogue, malware-laden versions of AR apps is inevitable; developers and game owners also need to take stringent measures to prevent hacking and ensure the security of what’s collected. Encryption is increasingly becoming standard, particularly for data in transit.

Developers should look to the ‘privacy by design’ approach, which promotes privacy and data protection compliance from the conceptual design stage of any project, rather than trying to "bolt on" privacy or security driven features later.

Sanctions

Failure by AR companies to comply with data protection rules can have significant consequences. Breach of data protection law can result in fines of up to £500,000.

As well as bad publicity, fines and other sanctions, individuals are entitled to sue for compensation if they have suffered damage resulting from unlawful use of their personal data. Pokémon Go developer Niantic is already in the spotlight and privacy regulators are starting to ask searching questions around data collection and storage.

Given AR’s capacity for “always on” data recording, there is the potential for significant amounts of data to be collected which could be linked back to the user – even if that is not the intention.

Copyright

Augmented Reality can also raise copyright issues. For example, who owns content created by a user which is integrated with digital information from an app? How does the freedom of panorama defence (which permits taking photographs and videos of buildings and sometimes sculptures and other art works which are permanently located in a public place) operate in an AR scenario, where footage could be augmented for commercial purposes, e.g. a virtual banner on a national monument?

Developers will need to have the correct rights clearances throughout their games to protect themselves from copyright infringement claims. When negotiating with rightsholders, developers should ensure that the rights granted are as broad as possible. Ideally, there should be no limitation on devices that can be used and there should be a right to distribute on “internet-connected devices”.

Advertising

AR will create unique advertising opportunities: imagine real life “product placement” whereby products can be incorporated directly into the user’s experience. This could create high levels of engagement.

However, any advertising and product placement will also have to comply with UK advertising regulations, which require, among other things, advertisers not to mislead consumers and make sure marketing communications are clearly identifiable as such.

Gregor Pryor is co-chair of Reed Smith’s entertainment and media group, while Kate Brimsted is partner for data privacy and information security. You can get in touch with Gregor by emailing gpryor@reedsmith.com.