ESO Logs consent is not GDPR Compliant. Very promising.

anitajoneb17_ESO · April 2019

MartiniDaniels wrote: »

anitajoneb17_ESO wrote: »

MartiniDaniels wrote: »

Your game is info is open to add-ons of other players already, and you are not complaining. Why complain now?

Upload and storage onto a 3rd party site with search functionality.

There are hundreds of similar sites for different online games, where you just need to enter @userid and got information on his "statistics". They were never objects of legal cases or anything, it's like nobody cared before that gaming info is stored somewhere and others may look into it.
I mean look at Starcraft or Overwatch, those are public cyber-sport games and yet all info is online, even available with graphs, trends, list of latest plays etc.. i doubt that Blizzard may overlook something that may backlash them from law side.

The question was "how's that different from what's already in ESO". I answered that question.

Other games are something else. Just because something is "normal" in WoW doesn't mean we all HAVE TO welcome it on ESO. We play ESO, not WoW. And there are reasons why we play ESO and not WoW. Some/Many of us may feel like "MMO players" but some/many of us feel like "ESO players". And I believe the ESO audience to be significantly different from the usual MMO crowd.

Also, just because Blizzard does it doesn't mean it's legal. Companies get into legal trouble all the time.

Ogou · April 2019

RANKK7 wrote: »

The user MUST be informed of the purposes of the cookies up front.

The cookies arranged in comprehensible categories based on their purposes (can be Marketing, Preference etc..), and the user may then tick or untick the types of cookies, that one wishes to accept and reject.

One may also choose to see a detailed overview of the cookies in use.

The overview simply folds out of the consent banner, mapping all active cookies and presenting them in an accessible manner.

At a glance, the user can now scroll through all of the cookies, see where they come from, read a description of their function and check their duration.

The user can then easily accept or reject the different types of cookies.

These are facts and I helped my English with this text from dedicated and serious websites about GDPR and cookies, hope it's all clear, Eso Logs has nothing at present like this and the banner consent at present is not complaint at all.

There must be transparency about cookies and a detailed consent.

So yes, very promising.

What are those serious websites you're talking about? Because this directly relates to my line of work and I can tell you that there is no requirement for the users to have the ability to accept only certain types of cookies.

anitajoneb17_ESO · April 2019

Ogou wrote: »

What are those serious websites you're talking about? Because this directly relates to my line of work and I can tell you that there is no requirement for the users to have the ability to accept only certain types of cookies.

I guess you're not in the EU.
Every single , even remotely professional site (= "serious") has now a very, very detailed procedure of getting consent from every single user, with very detailed explanations as to what's being collected, for what purposes, and where the info is redirected, if that's the case.
Some companies (Google, for instance) are trying to trick people by making this information overdetailed, and changing it very often, so that people end up agreeing to anything and everything in order to avoid this huge pile of information. These companies are currently facing mass lawsuits, too.
So yes, it's an issue.

LiquidPony · April 2019

RANKK7 wrote: »

The site appears to be in breach of GDPR compliance, the consent put there (in a hurry it seems after this thread came out) is a joke, that's NOT compliant at all.

That's a dummy consent, the "learn more" just bring the user to a cookies and you page, are you serious?

Any DGPR compliance scans give results about cookies for which the users must give consent.

The user MUST be informed of the purposes of the cookies up front.

The cookies arranged in comprehensible categories based on their purposes (can be Marketing, Preference etc..), and the user may then tick or untick the types of cookies, that one wishes to accept and reject.

One may also choose to see a detailed overview of the cookies in use.

The overview simply folds out of the consent banner, mapping all active cookies and presenting them in an accessible manner.

At a glance, the user can now scroll through all of the cookies, see where they come from, read a description of their function and check their duration.

The user can then easily accept or reject the different types of cookies.

These are facts and I helped my English with this text from dedicated and serious websites about GDPR and cookies, hope it's all clear, Eso Logs has nothing at present like this and the banner consent at present is not complaint at all.

There must be transparency about cookies and a detailed consent.

So yes, very promising.

BTW since we are at it, let's see in depth what is needed to be answered to be compliant when collecting data, these are the simple questions that must be answered:
1. Do any data subjects you are collecting data from, including your employees, reside in the EEA/EU?
If you are collecting data from citizens or employees that reside in EEA then GDPR applies to you, even if you are based in a country outside the EU.

2. Is your organisation aware of what personal data means under the GDPR?
The GDPR's definition of personal data is ‘any information relating to an identified or identifiable natural person’. There is, however, a wide interpretation - it could mean a nickname, an ID number, an IP address or other indirect identification.

3. Have you assessed the impact of the new definition of consent under the GDPR and how this affects your surveys?
GDPR’s revised approach means you must have clear documentation that the audience is happy for you to email them. And remember, you will need to obtain new consent from any current contacts in your database as well.

4. Do you have a process for breach notification?
There will be a duty for all organisations to report certain types of data breaches and, in some cases, inform the individuals affected by the breach as well.

5. Have you given the data subject the right to access his or her information?
Individuals must have the right to access any personal data that you store about them and this must be provided free of charge.

6. Where a data subject has asked for his or her information, is the information given in a commonly useable and machine readable format?
When asked, you must use “reasonable means” to supply the information. For example, if the request is made electronically, you should provide the information in a commonly used electronic format.

7. Does your organisation have the process of erasing the subject’s data at his/her request?
Make sure you have a process in place for when an individual asks you to delete their personal data. Would you know where to find the data, who has to give permission to delete it and what internal processes are in place to make sure that it happens?

8. Does your organisation hold and process data only if it is absolutely necessary for the completion of its duties?
GDPR will introduce the concept of ‘privacy by design' and by default to encourage organisations to consider data protection throughout the entire life cycle of any process. Organisations will need to implement internal policies and procedures to be compliant.

9. Have you trained your staff on the GDPR and how to properly handle data?
The majority of data breaches occur because of human error. To make sure staff are aware of their obligations, organisations are encouraged to implement GDPR staff awareness training and provide evidence that they understand the risks.

10. Have you considered if you need to appoint a Data Protection Officer (DPO)?
For many businesses, it will be mandatory to appoint a DPO, for instance if your core activity involves the regular monitoring of individuals on a large scale. You should consider now whether or not you need to appoint a DPO and to make sure they have the required expertise and knowledge.

Now let's see what are the fines for infringement directly from www.gdpreu.org/compliance/fines-and-penalties/

You @ZOS I'm waiting to see what are your actual plans with all this Logs thing, this may be the actual finishing blow to my love for this game. Total transparency about collecting and managing data is needed!

You are out of your mind.

You don't know anything about GDPR or how actual websites comply with it. The cookie consent banner has *always* been there.

Go to, say, mercedes.com and tell me if you see some ridicululous multi-step form for consenting to various cookies.

No? You don't? It's just a single banner that you accept that covers their whole Privacy Policy just like basically every other website in the world?

Weird.

MartiniDaniels · April 2019

anitajoneb17_ESO wrote: »

MartiniDaniels wrote: »

anitajoneb17_ESO wrote: »

MartiniDaniels wrote: »

Your game is info is open to add-ons of other players already, and you are not complaining. Why complain now?

Upload and storage onto a 3rd party site with search functionality.

There are hundreds of similar sites for different online games, where you just need to enter @userid and got information on his "statistics". They were never objects of legal cases or anything, it's like nobody cared before that gaming info is stored somewhere and others may look into it.
I mean look at Starcraft or Overwatch, those are public cyber-sport games and yet all info is online, even available with graphs, trends, list of latest plays etc.. i doubt that Blizzard may overlook something that may backlash them from law side.

The question was "how's that different from what's already in ESO". I answered that question.

Other games are something else. Just because something is "normal" in WoW doesn't mean we all HAVE TO welcome it on ESO. We play ESO, not WoW. And there are reasons why we play ESO and not WoW. Some/Many of us may feel like "MMO players" but some/many of us feel like "ESO players". And I believe the ESO audience to be significantly different from the usual MMO crowd.

Also, just because Blizzard does it doesn't mean it's legal. Companies get into legal trouble all the time.

This is just strange.
All the time I play multiplayer games, all the time people act like people, i.e. celebrating or mocking each other with results, sharing achievements and losses and it was normal for years, and this is exactly how it works IRL too. In schools there are statistics on how students perform, at work there are whole complex artificial systems to evaluate employees.
Now all the sudden ESO can't be part of this, though devs allow option for anonymity (which is right thing to have such option).

DClem85 · April 2019

I'm a privacy consultant and working with companies all over to help them deal with GDPR and now the CCPA. This isn't surprising, it will get fixed eventually. The regulators arent going after companies with simple cookie notice issues right now, why not submit an access request or then complain? I'm not saying this isn't wrong, and i will assert it is in violation of the GDPR, but of all the issues, this isn't worth throwing a tantrum. A polite "hey you probably want to fix this btw..." would have done just fine.

Idinuse · April 2019

Ogou wrote: »

RANKK7 wrote: »

The user MUST be informed of the purposes of the cookies up front.

The cookies arranged in comprehensible categories based on their purposes (can be Marketing, Preference etc..), and the user may then tick or untick the types of cookies, that one wishes to accept and reject.

One may also choose to see a detailed overview of the cookies in use.

The overview simply folds out of the consent banner, mapping all active cookies and presenting them in an accessible manner.

At a glance, the user can now scroll through all of the cookies, see where they come from, read a description of their function and check their duration.

The user can then easily accept or reject the different types of cookies.

These are facts and I helped my English with this text from dedicated and serious websites about GDPR and cookies, hope it's all clear, Eso Logs has nothing at present like this and the banner consent at present is not complaint at all.

There must be transparency about cookies and a detailed consent.

So yes, very promising.

What are those serious websites you're talking about? Because this directly relates to my line of work and I can tell you that there is no requirement for the users to have the ability to accept only certain types of cookies.

I take it in your line of work you don't have any business online with EU, If you do I would strongly suggest you make your website GDPR compliant. And I seriously don't mean that in a snarky way.

VaranisArano · April 2019

Idinuse wrote: »

VaranisArano wrote: »

DocFrost72 wrote: »

One thing I don't understand, supposedly this system (exactly or incredibly similar) is already in WoW and FF. It has not been legally challenged in either game, has it? Why is ESO different? Is there something special about this particular setup the others do not have?

If I had to guess....

1. GDPR is relatively new, coming into effect in 2018. As some posters have mentioned, compliance hasn't been tested in court yet

2. ESO has a large portion of single player gamers, here from the TES games, some of whom are rather adverse to the data sharing that seems (or so I'm told) to be normal in other MMOs

3. Until this point, ESO's handing of add-ons that give other players access to your combat info has been to disallow directly tying your combat data to your character id. ZOS says ESO Logs is fine because its not in real time. Many players are still concerned because our consent is assumed and its a 3rd party site - neither of which has happened before in ESO. As currently implemented, ESO Logs reverses the status quo by assuming all players consent to have their character id tied to shareable, searchable public logs.

So to answer your questions:
Why now and not before? The GDPR is new.

Why ESO and not others? This is something new for ESO. It reverses the status quo on privacy of combat data. Before, no one could directly tie our combat data to our character id without our consent by posting it. With ESO Logs, every player's consent is assumed by default to share their character id in the logs, which can be shared or made public (public allows them to be searched and ranked on leaderboards.)

That being said, the above is somewhat tangential to the thread topic, which has less to do with ESO Logs itself, and more to do with their Cookies policy.

That's an even simpler answer.

Why now?
Because the GDPR is new, and the website's Cookies aren't currently in compliance with it.

Indeed. Also do I even have to be an ESO customer or even have a game account to register on the Esologs website and brows the content?

I have not signed up myself, but the sign-up screen is here: https://www.esologs.com/register/
It seems to require an email, which is pretty normal for signing up for most online services.

As for browsing, I was able to browse a fair bit of public info on the Warcraft Logs without ever having been a WOW player. However, not being a WOW player, I don't really have the context for telling what info I'm looking at or how that will translate to ESO...so please, take that with a BIG grain of salt.

RANKK7 · April 2019

Ogou wrote: »

What are those serious websites you're talking about? Because this directly relates to my line of work and I can tell you that there is no requirement for the users to have the ability to accept only certain types of cookies.

Prety much any website with detailed info Webmasters had to consult from the time GDPR has been out, me included.

The info on the web about what cookies are and the importance to get a GDPR compliant consent are massive.

You maybe don't own a website if your are so clueless about this.

Try checking to inform yourself, you just can type: "cookies GDPR compliance", or "cookies GDPR compliance check", or "cookies how do I know if my website is GDPR compliant?"

anitajoneb17_ESO · April 2019

MartiniDaniels wrote: »

This is just strange.
All the time I play multiplayer games, all the time people act like people, i.e. celebrating or mocking each other with results, sharing achievements and losses and it was normal for years, and this is exactly how it works IRL too. In schools there are statistics on how students perform, at work there are whole complex artificial systems to evaluate employees.
Now all the sudden ESO can't be part of this, though devs allow option for anonymity (which is right thing to have such option).

We're talking ESO here.
After talking "other games", you're talking "work", "schools" ? What's next ? You're going to tell me that I shouldn't worry about my privacy and being judged because God knows everything about me and will judge me some day anyway ?
Let's keep it ESO. That thing with logging wasn't here before, it's here now, it has pros and cons within the context of ESO and the privacy of ESO players.

Idinuse · April 2019

LiquidPony wrote: »

RANKK7 wrote: »

The site appears to be in breach of GDPR compliance, the consent put there (in a hurry it seems after this thread came out) is a joke, that's NOT compliant at all.

That's a dummy consent, the "learn more" just bring the user to a cookies and you page, are you serious?

Any DGPR compliance scans give results about cookies for which the users must give consent.

The user MUST be informed of the purposes of the cookies up front.

The cookies arranged in comprehensible categories based on their purposes (can be Marketing, Preference etc..), and the user may then tick or untick the types of cookies, that one wishes to accept and reject.

One may also choose to see a detailed overview of the cookies in use.

The overview simply folds out of the consent banner, mapping all active cookies and presenting them in an accessible manner.

At a glance, the user can now scroll through all of the cookies, see where they come from, read a description of their function and check their duration.

The user can then easily accept or reject the different types of cookies.

These are facts and I helped my English with this text from dedicated and serious websites about GDPR and cookies, hope it's all clear, Eso Logs has nothing at present like this and the banner consent at present is not complaint at all.

There must be transparency about cookies and a detailed consent.

So yes, very promising.

BTW since we are at it, let's see in depth what is needed to be answered to be compliant when collecting data, these are the simple questions that must be answered:
1. Do any data subjects you are collecting data from, including your employees, reside in the EEA/EU?
If you are collecting data from citizens or employees that reside in EEA then GDPR applies to you, even if you are based in a country outside the EU.

2. Is your organisation aware of what personal data means under the GDPR?
The GDPR's definition of personal data is ‘any information relating to an identified or identifiable natural person’. There is, however, a wide interpretation - it could mean a nickname, an ID number, an IP address or other indirect identification.

3. Have you assessed the impact of the new definition of consent under the GDPR and how this affects your surveys?
GDPR’s revised approach means you must have clear documentation that the audience is happy for you to email them. And remember, you will need to obtain new consent from any current contacts in your database as well.

4. Do you have a process for breach notification?
There will be a duty for all organisations to report certain types of data breaches and, in some cases, inform the individuals affected by the breach as well.

5. Have you given the data subject the right to access his or her information?
Individuals must have the right to access any personal data that you store about them and this must be provided free of charge.

6. Where a data subject has asked for his or her information, is the information given in a commonly useable and machine readable format?
When asked, you must use “reasonable means” to supply the information. For example, if the request is made electronically, you should provide the information in a commonly used electronic format.

7. Does your organisation have the process of erasing the subject’s data at his/her request?
Make sure you have a process in place for when an individual asks you to delete their personal data. Would you know where to find the data, who has to give permission to delete it and what internal processes are in place to make sure that it happens?

8. Does your organisation hold and process data only if it is absolutely necessary for the completion of its duties?
GDPR will introduce the concept of ‘privacy by design' and by default to encourage organisations to consider data protection throughout the entire life cycle of any process. Organisations will need to implement internal policies and procedures to be compliant.

9. Have you trained your staff on the GDPR and how to properly handle data?
The majority of data breaches occur because of human error. To make sure staff are aware of their obligations, organisations are encouraged to implement GDPR staff awareness training and provide evidence that they understand the risks.

10. Have you considered if you need to appoint a Data Protection Officer (DPO)?
For many businesses, it will be mandatory to appoint a DPO, for instance if your core activity involves the regular monitoring of individuals on a large scale. You should consider now whether or not you need to appoint a DPO and to make sure they have the required expertise and knowledge.

Now let's see what are the fines for infringement directly from www.gdpreu.org/compliance/fines-and-penalties/

You @ZOS I'm waiting to see what are your actual plans with all this Logs thing, this may be the actual finishing blow to my love for this game. Total transparency about collecting and managing data is needed!

You are out of your mind.

You don't know anything about GDPR or how actual websites comply with it. The cookie consent banner has *always* been there.

Go to, say, mercedes.com and tell me if you see some ridicululous multi-step form for consenting to various cookies.

No? You don't? It's just a single banner that you accept that covers their whole Privacy Policy just like basically every other website in the world?

Weird.

Let's break down Ferrari's Privacy/Cookie notice.
(I hope I don't infringe on any copyright here.)

First they inform me that they are using cookies. Next they inform me that they are also using third party cookies. After that they inform me that I can look at and change the cookie settings (allow or not allow) by clicking the link "Cookie Policy" (even if it takes a couple of steps to do just that). Last and this is really important they ask me to consent to all this by continuing using the website. If I don't consent I can simply either change the mentioned cookie settings or simply not use the site.

It doesn't have to be any more complicated than that, but it shows that data is collected, informs me of third party data collecting, gives me an option to disable that data collecting (not just setting me Anonymous) and thus gives me an opt out option. Other data and information gathering may well need an opt in option.

Edit* This might very well be something that only is displayed if your IP shows you are connected from inside EU. If from outside EU or using a VPN it might not show. The entire GDPR debacle is EU exclusive btw, (other country's or regions' laws may also be included). Also the law has been active since 2018. It's understandable that not all online services have had time to be GDPR compliant for residents inside of EU yet.

Ogou · April 2019

anitajoneb17_ESO wrote: »

Ogou wrote: »

What are those serious websites you're talking about? Because this directly relates to my line of work and I can tell you that there is no requirement for the users to have the ability to accept only certain types of cookies.

I guess you're not in the EU.
Every single , even remotely professional site (= "serious") has now a very, very detailed procedure of getting consent from every single user, with very detailed explanations as to what's being collected, for what purposes, and where the info is redirected, if that's the case.
Some companies (Google, for instance) are trying to trick people by making this information overdetailed, and changing it very often, so that people end up agreeing to anything and everything in order to avoid this huge pile of information. These companies are currently facing mass lawsuits, too.
So yes, it's an issue.

Idinuse wrote: »

Ogou wrote: »

RANKK7 wrote: »

The user MUST be informed of the purposes of the cookies up front.

The cookies arranged in comprehensible categories based on their purposes (can be Marketing, Preference etc..), and the user may then tick or untick the types of cookies, that one wishes to accept and reject.

One may also choose to see a detailed overview of the cookies in use.

The overview simply folds out of the consent banner, mapping all active cookies and presenting them in an accessible manner.

At a glance, the user can now scroll through all of the cookies, see where they come from, read a description of their function and check their duration.

The user can then easily accept or reject the different types of cookies.

These are facts and I helped my English with this text from dedicated and serious websites about GDPR and cookies, hope it's all clear, Eso Logs has nothing at present like this and the banner consent at present is not complaint at all.

There must be transparency about cookies and a detailed consent.

So yes, very promising.

What are those serious websites you're talking about? Because this directly relates to my line of work and I can tell you that there is no requirement for the users to have the ability to accept only certain types of cookies.

I take it in your line of work you don't have any business online with EU, If you do I would strongly suggest you make your website GDPR compliant. And I seriously don't mean that in a snarky way.

RANKK7 wrote: »

Ogou wrote: »

What are those serious websites you're talking about? Because this directly relates to my line of work and I can tell you that there is no requirement for the users to have the ability to accept only certain types of cookies.

Prety much any website with detailed info Webmasters had to consult from the time GDPR has been out, me included.

The info on the web about what cookies are and the importance to get a GDPR compliant consent are massive.

You maybe don't own a website if your are so clueless about this.

Try checking to inform yourself, you just can type: "cookies GDPR compliance", or "cookies GDPR compliance check", or "cookies how do I know if my website is GDPR compliant?"

I see a lot of personal attacks here but still no proof that the GDPR requires users to have the ability to accept only certain types of cookies.

VaranisArano · April 2019

NupidStoob wrote: »

VaranisArano wrote: »

NupidStoob wrote: »

DocFrost72 wrote: »

One thing I don't understand, supposedly this system (exactly or incredibly similar) is already in WoW and FF. It has not been legally challenged in either game, has it? Why is ESO different? Is there something special about this particular setup the others do not have?

No it isnt different. Every game that has a competitive ladder is tracking users statistics and in most they can be reviewed on external websites. Eso leaderboards also existed for the longest time, but I guess that didn't matter to people who would never get on there anyways. If you played ESO for some time there is a high chance you have walked past a streamer or youtuber while they were recording as well. Nothing about ESO logs is a big deal, it's just ESO forum warriors blowing something completely out of proportion.

I check these threads from time to time to see what new ridiculous ideas the nay sayers are bringing to the table, but every time I feel dumber reading this. Huge waste of time honestly. There are real issues about data security out there in the world folks. If you really care so much do something about them, start by deleting all your social media and not whine about your combat logs in an online game.

A. This thread is about one of those real world issues of data security...cookies on websites, and how the GDPR requires websites to be upfront and allow users to consent to their use.

And how the ESO Logs site currently isnt conpliant when it comes to their Cookies.

B. I confess I don't understand the logic of the argument that goes like: "if you aren't concerned with ALL data security issues EVER, you can't possibly be concerned with how THIS data security issues might impact your gaming experience in ESO."

I don't feel the need to demonstrate the depth of my concern about data usage on Facebook, Google, social media, etc to your satisfaction before I can talk about my concerns about how ESO Logs assumes our consent to publicly share our character ids, or in the case of this thread's topic, any concerns that the ESO Logs site is serving EU players without being compliant with their law regarding things like Cookies.

A. Let's not pretend like we don't know what it's really about. It's just a front.

B. Like I said, there are real issues and non real issues. Nothing about your combat log could be considered sensitive data whatsoever. It won't ever affect your real life in any way. All the data willingly shared by people is usually way more sensitive. The stuff people write on the forums alone is more sensitive. If someone could connect their forum account to their real identity it could have disastrous real life consequences depending on the kind of opinions they shared. But on the other side nobody would care about anyone's combat logs in the real world. I can safely assume that 99.9% of the people who are being outraged by this have or are sharing more implicating data about themselves voluntarily. I find that hypocritical.

"Negative impact on their gaming experience": There is none. You will still not play with people you dislike. If you dislike people that use these logs then you simply don't play with them and the problem has been solved. If you want to join a guild that have these logs as requirements they will also already require CMX so nothing there changes. If you're worried about your data from random dungeons floating around because other people upload them you can just turn it off and it won't affect you either. They can search your name on the website but find nothing as the website doesn't do the extrapolation people are scared about. If you are worried about being judged real time in dungeons/trials, well CMX already exists and there is not even a need for it as anyone can look at the boss HP and take a stopwatch to calculate DPS. I just need to know how much DPS I usually do which I can also easily calculate myself and I can see how much % group DPS I approximately do.

In the end people simply don't want that it's by default on and honestly I don't care less if ZoS decides to do that or not. People could just make threads simply asking for it to be turned off, but instead we have all these massively blown out of proportion fearmongering threads, spreading misinformation and so on. Sorry if my tone is a bit aggressive, but this is frankly quite annoying.

A. Front or not, the problem with ESO Logs Cookies under the GDPR worth considering if it is, in fact, an actual issue for the EU players. I totally get the objection to forum lawyering, especially when the GDPR is rather new and lots of people and companies are still working out their compliance issues. I do think that's important for folks to keep in mind before trying to use the GDPR as a club against a new gameplay development they don't like. There may be room for improvement (which generally takes time - I think it was 2 years before GDPR took effect from 2016), but that's not necessarily something that should cause the site or the new ESO Log to be scrapped or avoided.

Personally, I'm an American. I'm accepting the site as is for my own use.

B. For me, this comes down to consent. I have to join the forums, and everything I post here is voluntary. Same thing for social media - I had to join it and anything I post or click on is voluntary.

However, when the default is not anonymous, its assumed that I consent to have my character id shared in logs that can be made publicly available. I'm especially concerned about new or returning players who may not known or realized that they need to "just turn it off". That's something different than what we get with CMX, which only allowed our combat data to be known by extrapolation - it shares more information, in a more public setting by design, and assumes that we consent to having that info directly attached to our character id.

So I don't find it hypocritical to see a distinction between the stuff I post voluntarily vs having ESO Log's default assuming that I'm totally fine with anyone posting info including my character id. Or more precisely, ESO Log's default setting assuming that every player ever is totally fine with anyone posting log info with their character id.

On the other hand, what we have with CMX is pretty much identical to the experience of an anonymous player with ESO Logs. That's precisely why I want everyone to be anonymous by default, with the option to check a box to share your character id.

And hey, I totally understand that the fearmongering and misinformation gets annoying. Personally, I find that giving reasoned explanations is the best way to convince people that the fearmongering is incorrect or to debunk misinformation, rather than dismissing it.

But to each their own! Everyone has a different level of patience with this debate, and that's totally fine. I've got my own pet issues where even as a teacher I'm like "How do you even think that? Argh!" So I understand, if you are at that point.

Billdor · April 2019

Mayrael wrote: »

Lol... GDPR is about personal data - your nickname from a game doesn't count unless it's attached to your real name or at least email address. Nick of a character is not a personal data period.

GDPR is about personal IDENTIFIABLE data that can be used to identify you. I.E Name, Address, Email. A UserID =/= GDPR,

You @ZOS I'm waiting to see what are your actual plans with all this Logs thing, this may be the actual finishing blow to my love for this game. Total transparency about collecting and managing data is needed!

[edited to remove insulting or baiting commentary]

Sasyk · April 2019

Hello casuals crying about your perceived breach of privacy. No one cares about your combat logs. Literally no one. Please get over yourselves. No one is interested in your casual ESO performance, nor do they want to study your boring logs and post them anywhere as they are very uninspiring, irrelevant, and not worth talking about.

FierceSam · April 2019

Billdor wrote: »

You may as well quit now then, because if you're throwing a child tantrum over website cookies that in no way shape or form tracks your personal identifiable data ... Sometimes I do cringe at the thought of a human being writing some of these posts.

Except I would imagine that you associate yourself rather closely with the username Billdor and the characters Billdor and Lord Seht - they are as much YOUR identities as your real name is. And would feel good if these were commented on favourably. If, say, ESO logs showed that you were pulling down significantly good dps and someone highlighted it in a blogpost. Equally you might feel the opposite way if someone referred to these identities negatively.

It's clear ZOS feel the same way, which is why there is a policy of no naming on the forums. Equally, it's why they disabled real time stats in the first place.

The issue here is about privacy and consent. If you want to share your gaming data great, go for it. If you want to see or share mine without my knowledge or consent, not great.

anitajoneb17_ESO · April 2019

Sasyk wrote: »

Hello casuals crying about your perceived breach of privacy. No one cares about your combat logs. Literally no one.

1/ It has nothing to do with "casuals".
2/ You don't know that noone cares. You literally don't know and you have no way to tell.

FierceSam · April 2019

And on this thread you can already see people using existing combat metrics to put down and abuse other players. Not cool at all.

https://forums.elderscrollsonline.com/en/discussion/468847/necro-class-just-another-rolling-nerf#latest

VaranisArano · April 2019

Ogou wrote: »

anitajoneb17_ESO wrote: »

Ogou wrote: »

What are those serious websites you're talking about? Because this directly relates to my line of work and I can tell you that there is no requirement for the users to have the ability to accept only certain types of cookies.

I guess you're not in the EU.
Every single , even remotely professional site (= "serious") has now a very, very detailed procedure of getting consent from every single user, with very detailed explanations as to what's being collected, for what purposes, and where the info is redirected, if that's the case.
Some companies (Google, for instance) are trying to trick people by making this information overdetailed, and changing it very often, so that people end up agreeing to anything and everything in order to avoid this huge pile of information. These companies are currently facing mass lawsuits, too.
So yes, it's an issue.

Idinuse wrote: »

Ogou wrote: »

RANKK7 wrote: »

The user MUST be informed of the purposes of the cookies up front.

The cookies arranged in comprehensible categories based on their purposes (can be Marketing, Preference etc..), and the user may then tick or untick the types of cookies, that one wishes to accept and reject.

One may also choose to see a detailed overview of the cookies in use.

The overview simply folds out of the consent banner, mapping all active cookies and presenting them in an accessible manner.

At a glance, the user can now scroll through all of the cookies, see where they come from, read a description of their function and check their duration.

The user can then easily accept or reject the different types of cookies.

These are facts and I helped my English with this text from dedicated and serious websites about GDPR and cookies, hope it's all clear, Eso Logs has nothing at present like this and the banner consent at present is not complaint at all.

There must be transparency about cookies and a detailed consent.

So yes, very promising.

What are those serious websites you're talking about? Because this directly relates to my line of work and I can tell you that there is no requirement for the users to have the ability to accept only certain types of cookies.

I take it in your line of work you don't have any business online with EU, If you do I would strongly suggest you make your website GDPR compliant. And I seriously don't mean that in a snarky way.

RANKK7 wrote: »

Ogou wrote: »

What are those serious websites you're talking about? Because this directly relates to my line of work and I can tell you that there is no requirement for the users to have the ability to accept only certain types of cookies.

Prety much any website with detailed info Webmasters had to consult from the time GDPR has been out, me included.

The info on the web about what cookies are and the importance to get a GDPR compliant consent are massive.

You maybe don't own a website if your are so clueless about this.

Try checking to inform yourself, you just can type: "cookies GDPR compliance", or "cookies GDPR compliance check", or "cookies how do I know if my website is GDPR compliant?"

I see a lot of personal attacks here but still no proof that the GDPR requires users to have the ability to accept only certain types of cookies.

Maybe its just that I'm a teacher, but I can't resist when someone says "Just Google it, the sources are out there!"

So here we go, some of the sources I found interesting - and please, if someone has better ones, let me know! Also, please note that I'm doing this for research purposes with an eye towards websites that clearly explain the minutiae of it for the reader, not for forum lawyering. None of these sources are a substitute for actually talking with a lawyer who specializes in this field of law if this is something that concerns you. I'll also note that this is something that ESO Logs is probably aware of as a company.

This website provided a clear explanation, with links to the additional relevant policies about cookies, if you want to read the legalese directly. It also provides possibly relevant insight about what types of cookies do not require consent. http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm

This article also has a good explanation of how websites can better comply with the GDPR policies on cookies: https://www.itgovernance.eu/blog/en/how-the-gdpr-affects-cookie-policies

This study looked at the readiness of respondents to meet most or all of the GDPR's requirements as of Jan 2019, or within a year. The map of readiness by country on page 4 is rather enlightening, and if the ESO Logs wesbite isn't ready to meet GDPR standards right now, they certainly aren't alone in that. The study also found overall that GDPR ready companies suffered less data breaches than companies that weren't ready.
https://www.cisco.com/c/dam/en_us/about/doing_business/trust-center/docs/dpbs-2019.pdf

Again, as a teacher, I've pulled up some sources I found useful to understand this for myself. Please don't take this as forum lawyering, but as a chance to learn more about the issues brough tup here. I highly encourage anyone curious about this to look it up themselves, and if those sources don't suffice, find some more. Being informed about different aspects of the situation is one of the best ways we can resist the temptation to be afraid of new developments while also being aware of the possible consequences of change. I'm thrilled that I'm learning more about EU privacy laws and cybersecurity than I knew when I woke up this morning!

Billdor · April 2019

FierceSam wrote: »

Billdor wrote: »

You may as well quit now then, because if you're throwing a child tantrum over website cookies that in no way shape or form tracks your personal identifiable data ... Sometimes I do cringe at the thought of a human being writing some of these posts.

Except I would imagine that you associate yourself rather closely with the username Billdor and the characters Billdor and Lord Seht - they are as much YOUR identities as your real name is. And would feel good if these were commented on favourably. If, say, ESO logs showed that you were pulling down significantly good dps and someone highlighted it in a blogpost. Equally you might feel the opposite way if someone referred to these identities negatively.

It's clear ZOS feel the same way, which is why there is a policy of no naming on the forums. Equally, it's why they disabled real time stats in the first place.

The issue here is about privacy and consent. If you want to share your gaming data great, go for it. If you want to see or share mine without my knowledge or consent, not great.

Bruh its just a username, they have nothing in common with my real name. If I pull terrible DPS I need to git gud, people can refer to me negatively and you're welcome to do so. Know why because thats your opinion.

Hallothiel · April 2019

@VaranisArano

Thank you for your posts!

I work in the EU about GDPR and done bits of it, as you have clearly re-iterated, and I posted earlier, are still a somewhat untested legal minefield.

Was discussing these issues raised on the forums at work today with other GDPR people and when it comes to gaming, things get very grey & messy - it’s still not taken that seriously even though is a multi million pound industry.

And just because these logs are in other games does not necessarily mean that they are not in fact now breaking the law.

And many people do get their privacy notices, cookie consent etc utterly wrong - even big companies.

(And no, Sasyk, NupidStoob and others saying that those complaining just have rubbish dps - it’s bloody not. It really isn’t. I’m on the PS4 so this doesn’t actually personally affect me. It’s about the principle - understand what that is?!)

Nebthet78 · April 2019

Privacy is a huge issue in this day and age and more and more people are educating themselves about it. Governments are actively updating Privacy laws within the last couple of years, and this is partially why we are seeing more and more people up in arms about these type of programs and websites now, unlike before.

I posted this in the Combat area of the Forums, but the General Populace deserves to see it too.

In Canada we have 3 sections under Privacy Law. PIPEDA, The Privacy Act, plus there are the Federal Privacy Laws:
But in general:
Personal information is data about an “identifiable individual”. It is information that on its own or combined with other pieces of data, can identify you as an individual.

The Privacy Act offers protections for personal information, which it defines as any recorded information “about an identifiable individual.”

Taking a look at Canadian Privacy Laws, ZOS must ensure there is Meaningful Consent to allow a third party site any access to any of our personal data.

This tracker allows for this Third Party site to have access to:
- What I do in game
- What date and time I do it
- Access to my character names and game username associated with those characters
- Access to each button press I do while playing in game.
- Do those logs also contain my IP address and Video Card ID? I won't know until someone gets a good look at them.
- This allows another player to post data about my character and playing habits.
- We have to claim our characters through the third party website if we realize at a later time, this option is set on because we were not properly notified about the change upon coming back to the game at a later date. This will require giving this third party company more private information to confirm the account and character are ours.

To have Meaningful Consent under Canadian Privacy laws:
ZOS and the Company must disclose the following to the consumer Must:

- Make privacy information readily available in complete form, while giving emphasis or bringing attention to four key elements: - What personal information is being collected, with sufficient precision for individuals to meaningfully understand what they are consenting to.
- With which parties personal information is being shared
- For what purposes personal information is being collected, used or disclosed, in sufficient detail for individuals to meaningfully understand what they are consenting to.
- Risks of harm and other consequences

- Provide information in manageable and easily-accessible ways.

- Make available to individuals a clear and easily accessible choice for any collection, use or disclosure that is not necessary to provide the product or service.

- Consider the perspective of your consumers, to ensure consent processes are user-friendly and generally understandable.

- Obtain consent when making significant changes to privacy practices, including use of data for new purposes or disclosures to new third parties.

- Only collect, use or disclose personal information for purposes that a reasonable person would consider appropriate, under the circumstances.

- Allow individuals to withdraw consent (subject to legal or contractual restrictions).

ZOS must also provide us with Clear Option to agree or disagree with the sharing of our information.
Individuals cannot be required to consent to the collection, use or disclosure of personal information beyond what is necessary to provide the product or service – they must be given a choice.
These choices must be explained clearly and made easily accessible. Whether each choice is most appropriately ‘opt-in’ or ‘opt-out’ will depend on factors discussed in the “Form of Consent” section of this document.

(This tool is NOT a necessary product or service. We've played 5yrs without it. And consoles are not getting it. Players who don't want it can live without it!)

Collections, uses or disclosures of personal information over which the individual cannot assert any control (other than to not use a product or service) are called conditions of service. For a collection, use, or disclosure to be a valid condition of service, it must be integral to the provision of that product or service such that it is required to fulfill its explicitly specified and legitimate purpose. Organizations should be transparent and prepared to explain why any given collection, use or disclosure is a condition of service, particularly if it is not obvious.

Otherwise, for all other collections, uses and disclosures, individuals must be given a choice (unless an exception to the general consent requirement applies).

(You are trying to force this program on everyone, and record every players logs whether they want them recorded or not. Anonymizing the character name is not enough. If a player doesn't want to participate in any way, they should not be forced to.)

ZOS must be accountable: Stand ready to demonstrate compliance
Organizations, when asked, should be in a position to demonstrate compliance, and in particular that the consent process they have implemented is sufficiently understandable from the general perspective of their target audience(s) as to allow for valid and meaningful consent.

In order for an organization to demonstrate that it has obtained valid consent, pointing to a line buried in a privacy policy will not suffice. Instead, organizations should be able to demonstrate – either in the case of a complaint from an individual or a proactive query from a privacy regulator – that they have a process in place to obtain consent from individuals, and that such process is compliant with the consent obligations set out in legislation. This is an integral part of not only the consent process, but of an effective accountability regime.

(Hiding permissions in the Terms of Service and then putting the option to ESO Logs by default automatically "ON" is not valid consent! We, the Player, MUST make the choice ourselves to turn it on.)

Reasonable expectations
In determining the appropriate form of consent, organizations should also consider the reasonable expectations of the individual in the circumstances. For example, if there is a use or disclosure a user would not reasonably expect to be occurring, such as certain sharing of information with a third party, the downloading of photos or contact lists, or the tracking of location, express consent would likely be required.

(I don't want a Third Party Company having any of my information without my permission, particularly if it is information that is non-essential to the general use of ESO. Example: ZOS needs my Credit card and Address and has to provide those to Third Party banks for processing, only because it is an essential business practice for them to get paid for the service they provide. ZOS needs my game logs on their end to track bugs and other issues within their algorithms to fix issues with the game. Having my game logs for a third party application for stats tracking is not essential to the game play of ESO. Therefore, you are not entitled to them, if I do not wish to give permission for you to use them.)

So, by Canadian Law, this Third Party Website and program are not essential to the every day operation and play of ESO. (The game has been without it for 5 years, and Consoles are not getting this). ZOS would be required to put a full opt-out option, allowing players to not have any of their data recorded without meaningful consent. (Turning it "ON" themselves).

Additionally, seeing the responses by Muh, I'm very concerned about third party site having access to any of my information, whether or not it is anonymized and what they are doing with it outside of the scope of this program. You are not entitled to my information!!!

There is no reason why this program should not exist for people who wish to use it. HOWEVER, ALL parties being recorded must consent, or no recording should be happening at all.

I think, until ZOS can implement it this way, it's within their best interest to keep it out of the game.

Jhalin · April 2019

I wouldn’t hold up EU as good online policy authorities after they decided to make every little thing a copyright infringement so Twitch, YouTube, basically any platform for content creators, is basically taboo in EU law

ESOLogs is less dangerous than your social media account. Your character name has no trace to your @ name as I understand it, and anything linked to an @ name requires that same person be signed up on the service

There’s no threat to privacy here at all. If you don’t run raids, you’ll see no different in your interactions with other players. If you run solo, you can use it for yourself and absolutely no one else is going to care who you are. Your pugs will forget you just like you forget them, and you are not able to retroactively record encounters so who the hell cares if a rando was bad.

You really think people want to load up their drives with pointless pug runs? You really think anyone cares enough to be a troll to bog down their own computer every single time they pug a dungeon or trial just to talk down to someone after they waste ten minutes processing and uploding the log?

Kittenhood · April 2019

Hello yes,
I registered for the forums to clear up a lot of misconceptions that seem to be 'spreading around', so to speak, in this thread and others.

@RANKK7
That 'cookies' message on ESOLogs has always been there in some form or fashion.
ESOLogs.com is not affiliated with Zenimax Online Studios nor is it a subsidiary or actively endorsed. It is a third-party website and as such almost half, maybe 3/4ths of your original post is a moot point.

Furthermore, please refer to two of the links mentioned in brief, both the ESOLogs website's FAQ and more importantly, that 'Cookies and You' website that tells you how to disable cookies.

The ESOLogs FAQ
https://www.esologs.com/help/start

https://cookies.insites.com/disable-cookies/
This shows you how to disable cookies on a browser-by-browser and Operating System basis - and is what you linked to in your OP yet didn't bother to read, apparently.

Furthermore, recording combat logs is entirely voluntary, and is not done automatically by the game. It is something that a user has to trigger on their own, per ESOLogs' FAQ.

Idinuse wrote: »

In fact it’s not cookies only. It’s about gathering data in general and or tracking an online user, not only on web sites, but any online service.

Although having your actions recorded and stored on your or someone else’s hard drive with or without consent might be considered a cookie.

This is entirely or partially incorrect and very messy.

https://eugdpr.org/
It's probably worth mentioning, everyone in this thread irrespective of what they think they know can at any time use a search engine such as Google, Bing, Yahoo, etc. to look up the terms of this legislation.

I had never heard of ESOLogs prior to seeing this messy post, but after not even 20 seconds of combing through their website, I found their FAQ, I searched my name (both @Kittenhood and Kittenhood) and found no record of myself.

I haven't used this third-party service (keyword: third party) but I have done enough trials (both veteran and non-veteran) to have come across multiple people using this service to measure their and their teams' output.

And on a final note, your non-essential information in regards to gameplay such as combat statistics in a videogame may not implicitly be covered or even protected by the GDPR, which focuses on data collection on platforms such as Facebook and Google-affiliated services such as GMail (used for personal habits and advertising purposes, which is scary) and even more importantly things such as medical records.

In my opinion this thread may need to be locked before it turns into a flame war - it also serves no purpose other than the spread of misinformation by the OP (Original Poster).

You don't need a law degree - you just need a smartphone.

Kittenhood · April 2019

And on a final note, the wording in the "video game" portions of the GDPR is extremely rudimentary at times and so incredibly vague it may never reach the point where it can be enforced or even recognized by courts in the EU.

And it will likely continue to be contested immensely, just as courts and entities are attempting to challenge certain more 'vague' parts of Article 13, which is just as sloppy.

Grakdrogru · April 2019

logging to 3rd party sites should be disable by default, anonymous or not.

i have no problem with dps logs but a 3rd party site thats use logs to monetize Data, i cant even opt out.

Mayrael · April 2019

anitajoneb17_ESO wrote: »

Mayrael wrote: »

What you miss mate is the identification part, to be considered as a personal data collection it has to contain reference to data allowing to identify you. Nick name on it's own is not a personal data because there may be 1000 people who used nick Mayrael, there is no way to connect this nick with my person. But when there would be at least my mail attached to this nickname situation is different. I have talked about it with our law team in our company mate.

I hope you realize that this argument is pretty much just as valid as "I discussed it with my grandmother".

EU laws consider pseudonym different from anonym, and a nickname is considered private data, whether you like it or not.

Besides, not everything has to be legal or illegal. Some things are just morally ok or not ok. If I'd, for instance, change my forum name into @slashlurk , it probably would not be illegal and it probably wouldn't mean anything to anyone not familiar with the ESO community. It wouldn't, still, be a very nice move, and a moderator would probably kindly require from me to change it, and rightfully so.

The fact is, ESO setting should defaut to "anonymous" when logging events, and the esologs site should make it much clearer what they do and don't do with the info they collect, and explicitly require educated consent. That's all there is to it and it wouldn't hurt anyone.

Your personal opinion has nothing to do with actual law. Just to make sure, I didn't talked with them about nicknames in game. We talked about real data. Like it or not, you character name on it's own is worth nothing. Our all characters, inventory and everything you have in game belongs to ZOS, you have no rights for it, thus it's not your data. Read terms of agreement. Untill there is no link to your personal data YOU OWN, ZOS can do whatever they want with characters nicks and players IDs, deal with it.

Ogou · April 2019

ENER-23 wrote: »

logging to 3rd party sites should be disable by default, anonymous or not.

i have no problem with dps logs but a 3rd party site thats use logs to monetize Data, i cant even opt out.

First, there seem to be a misconception here. The data is not automatically uploaded to a third party. Someone has to log it first and then upload it.

Second, where did you get the idea that the Encounter Log Data were being monetized?

zTrok · April 2019

Not sure what the fuss over this whole thing is. The logs are going to be super helpful as a raid lead, and I'm pretty sure the pugs in a fungal grotto 1 won't care that you can't do more than 10k dps, so what's the issue?

Grakdrogru · April 2019

Ogou wrote: »

ENER-23 wrote: »

logging to 3rd party sites should be disable by default, anonymous or not.

i have no problem with dps logs but a 3rd party site thats use logs to monetize Data, i cant even opt out.

First, there seem to be a misconception here. The data is not automatically uploaded to a third party. Someone has to log it first and then upload it.

Second, where did you get the idea that the Encounter Log Data were being monetized?

I cant opt out from the logging if someone use it.

the site have ads and patreon, they make money with user data shown in graphs.
i have no problem with it if i can opt out