User data privacy is a noteworthy subject given increasing data regulation and the escalating frequency of data breaches, and it must be critically assessed when deploying digital experiences and platforms to ensure mutual protection for users and digital providers.
This assessment of the new and popular mobile video game Pokémon GO™ was based on the Fair Information Principles (“FIPS”) of PIPEDA (2016). The application was evaluated against these data principles and best practices, and a “report card” was prepared. These slides provide a summary of the findings. The detailed report may be accessed here.
Developed by Niantic, Inc. for Nintendo Company (and its international subsidiary), the game is an augmented reality exploration adventure. Users roam to find new Pokémon animals and can “duel” with other users using the Pokémon animals they collect. The app itself is free to use; however, in-app purchases are available.
While the Pokémon GO™ app was assessed against all 10 of the FIPS, only a handful produced significant results that swayed the overall score assigned for the app’s data privacy. FIPS-3, FIPS-6, and FIPS-9 were all positive; the remainder were negative, with FIPS-1, FIPS-4, and FIPS-5 being the most significant deficiencies.
The app was assigned a “C” letter grade, on a scale of “A+” (best possible score) to “D-” (worst possible score). Pokémon GO™ is more vulnerable to privacy breaches than “B”-scored peers. The platform lacks details on its data safeguards and policies. Additionally, some of the information collected (e.g., GPS coordinates) may be sensitive in nature, causing an elevated risk to data integrity.
While the shortcomings in data privacy and integrity appear to be substantial in this assessment, these four recommendations, if implemented, would significantly improve the app’s “privacy scoring”. These recommendations align with future Canadian data privacy laws (e.g., the expansion of PIPEDA’s mandate) as well as regulations internationally (e.g., the General Data Protection Regulation [“GDPR”] in the European Union).