GDPR is coming, and it affects you

The European General Data Protection Regulation comes into force on the 25th of May, 2018. It's the tightest set of privacy laws ever implemented, and if you do business in Second Life, it affects you. This is boring legal stuff, but it's really important, and the consequences for breaking the rules are severe - fines of up to €20,000,000 or 4% of your annual global turnover, whichever is greater.

But...

  • I'm not storing personal data! The GDPR now considers electronic information such as IP addresses and even usernames (including avatar names) to be personal data.

  • I use a vendor system to store my data! The GDPR makes you liable if your upstream provider (such as Second Life, your vendor system, webhost, cloud storage provider, email provider) breaks the rules or misuses your data.

  • I'm not in Europe! The regulations apply based on the individual's location. If you do business in Second Life, you are certainly doing business with EU citizens.

  • I don't run a big company! The new regulations apply to every business, even if you're an unregistered sole trader who only makes a few transactions per year.

What do I need to do to comply?

Firstly, a disclaimer. I am not a lawyer. This does not constitute legal advice. If you are concerned about whether you comply or not, you must seek professional legal help from a qualified GDPR specialist. I'm also not going to cover everything, only the "major" points as I see them. You should read the full text to ensure you are compliant.

That being said, I'll attempt to break down the finer points here.

  • Everyone in your business is affected. Personal data isn't just limited to your customers. It also applies to your suppliers, your business partners, your employees, any individual at all. Employees also benefit from some additional protections under GDPR.

  • The right to be forgotten. The new act stipulates a right to be forgotten. This means that an individual has the right to demand that any personal data that you hold on them be deleted. There are some exceptions for this rule - for example, if you must retain the data for legal purposes. Sales records meet this exception, due to the legal need for accountancy and tax reporting.

  • Data portability. An individual has the right to demand a copy of all the data you hold on them, in a "legible form". A CSV file meets this requirement.

  • Transparency. A privacy policy is a legal requirement. You must clearly describe what data you store, how you use it, and why. If you need to share data with other individuals or companies in order to supply the product or service that you offer, you must also clearly describe what data you share, how it's shared, and why you need to share it.

  • Protection. You must not collect and store data that you do not need. You must not share any data unless you absolutely need to, in order to supply the product or service that you offer. You must not retain data for longer than you need it.

  • Accountability. You are liable if you share data with someone and they misuse it. This includes sharing data with individuals or companies.

  • Opt-in. If you wish to send marketing (non-transactional) information to anyone through use of their avatar name or e-mail address, you are legally required to explicitly obtain consent to do this. This means that "greeters" which automatically add avatars to a mailing list are now illegal. Consent must also be very clearly stated. You can't bury it in your terms of service. You cannot pre-fill the checkbox, or include it with some other agreement.

  • Transactional communications. You DO NOT need consent to send transactional information. For example, the CasperVend delivery messages are OK. However, if you combine such messages with marketing information, these too could compromise your compliance.

  • Marketing databases. You can no longer hold marketing databases like "mailing lists" without EXPLICIT (opt-in) consent. This applies retroactively. If you have previously generated a mailing list without explicitly getting permission to do so from the individuals concerned, you must destroy this data (or obtain consent from each individual) before the 25th of May deadline.

What you need to do

  • Ensure your suppliers are compliant. We can't stress this enough. If your upstream supplier misuses your data, you are potentially liable. You are therefore responsible for ensuring that your upstream suppliers (your vendor system, webhost, cloud storage provider, email provider) comply with GDPR.

  • Stop using automatic greeter subscribers. Any mailing list participation must now be obtained through explicit consent ("opt-in").

  • Ensure you are storing your data securely. If you are using your own servers, or are downloading data to view in Excel on your PC, or are otherwise handling data, you must take every possible step to ensure that the data remains secure. Delete it when you no longer require it. Use encryption throughout. If you're not 100% confident in your ability to store data securely, don't. A wise man might say - "If you don't know your shit, you won't know you're shit".

  • Ensure your staff, managers, suppliers, and anyone who touches your data is properly trained. Remember, you're liable if they mistreat the data. Consider signing non-disclosure agreements with your staff.

  • Affiliates are now a legal grey area. Since your affiliates are able to collect some data on your customers and their purchase habits, they effectively have access to a part of your data. Review your affiliates, make sure they are aware of the rules.

  • Publish a privacy policy. You must tell individuals what data you're collecting about them, and why you need it.

  • Tell individuals that you're collecting data about them. If you use CasperTech services, we'll help with this, please see below.

  • Allow individuals to download data. If you use CasperTech services, we'll help you with this. Please see below.

  • Allow individuals to request deletion of their data. If you use CasperVend or CasperLet alone, there's nothing you need to do because financial transactional data is excluded. If you use CasperSafe, see below.

CasperTech's Compliance

We've had our internal data security policies independently audited to ensure that we are compliant with the regulations. There's more we need to do (and we'll describe this below), but here's what we have so far:

  • Our database servers are completely firewalled from the outside world. Zero ports open. Only internal access to our application servers via a separate isolated internal network.

  • We keep only minimal logs required for security purposes. Logs are regularly rotated and deleted.

  • We don't store any additional data beyond that required to operate our services.

  • We use SSL encryption on every website and external connection.

  • The few staff that we have who have access to our data have signed non-disclosure agreements and are aware of the requirements of the GDPR.

  • We do not and will not discuss your account or share any of your data with any other individual or organisation without your explicit consent on a per-incident basis.

  • We do not collect any data for marketing purposes.

  • We have a comprehensive privacy policy, though we are updating this for GDPR compliance.

What action we are taking

Before the 25th of May deadline, we will issue updated packs for our affected products which will include appropriate signage, so that you can notify your customers about the data collection. The signs will be clickable, and will take users to a special page which will allow them to download the data we hold on them.

This also applies to you (as our customer). You will be able to use this tool to download all the data we store about you and your store, including full transactional information, products, store credit, etc.

CasperSafe is particularly affected by the regulation. The visitor tracking data we store is not exempted from the "right to be forgotten". For this reason, we'll add an additional tool to allow people to delete themselves from your visitor tracking data. We'll notify you when this happens.

We'll be removing store credit alerts from sales notifications, since these could be considered to be marketing notices.

We'll be removing the "send to all customers" option from the Updates system, since there's no way to use this in a compliant fashion.

Please note that data stored for security purposes (ban lists) is exempt; individuals will not be allowed to delete themselves from your ban lists.
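To make the three request types concrete (download of held data, deletion with the transactional and ban-list exemptions described above, and the opt-in check for marketing), here is an added illustration in Python. It is not CasperTech code; the record kinds, field names and sample avatars are assumptions constructed for the example.

```python
"""Subject access (export) and erasure with the exemptions from the post.
Added example, not CasperTech code; record kinds and field names are
assumptions. Sales records (transactional) and ban lists (security) are
kept on erasure; visitor-tracking rows and marketing entries are erased."""
import csv
import io
from dataclasses import dataclass, field

ERASED_ON_REQUEST = {"visitor", "marketing_consent"}   # "sale" and "ban" are exempt


@dataclass
class Store:
    # each record: {"kind": ..., "subject": avatar name, "data": ...}
    records: list = field(default_factory=list)

    def export_csv(self, subject):
        """Data portability: every record held on `subject`, as CSV."""
        buf = io.StringIO()
        writer = csv.DictWriter(buf, fieldnames=["kind", "subject", "data"])
        writer.writeheader()
        writer.writerows(r for r in self.records if r["subject"] == subject)
        return buf.getvalue()

    def erase(self, subject):
        """Right to be forgotten: drop erasable kinds, keep exempt ones.
        Returns (erased_count, kinds still held) so the reply can explain why."""
        keep, erased = [], 0
        for r in self.records:
            if r["subject"] == subject and r["kind"] in ERASED_ON_REQUEST:
                erased += 1
            else:
                keep.append(r)
        self.records = keep
        return erased, sorted({r["kind"] for r in keep if r["subject"] == subject})

    def may_send_marketing(self, subject):
        """Only a recorded, explicit opt-in counts; a greeter-generated entry does not."""
        return any(r["subject"] == subject and r["kind"] == "marketing_consent"
                   and r["data"] == "opt_in" for r in self.records)


# Constructed sample records (not real avatars or transactions).
SAMPLE = Store([
    {"kind": "sale", "subject": "Alice Resident", "data": "item=hat;L$250"},
    {"kind": "visitor", "subject": "Alice Resident", "data": "parcel=Shop;visits=3"},
    {"kind": "marketing_consent", "subject": "Alice Resident", "data": "opt_in"},
    {"kind": "ban", "subject": "Alice Resident", "data": "reason=griefing"},
    {"kind": "marketing_consent", "subject": "Bob Resident", "data": "greeter_auto"},
])
```

After an erasure request the reply can list the retained kinds ("ban", "sale") so the individual is told what was kept and under which exemption.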

We will also be updating our privacy policy to make our usage of data more transparent.

If you want more information on our data security policies and practices, please ask away - contact CasperHelp Resident inworld to file a ticket.

Extra tip

If you store data on a cloud storage provider such as Dropbox, or an e-mail host, you may be violating the requirements of the GDPR.

Consider using an end-to-end encrypted solution such as Tresorit for cloud storage or ProtonMail for email.

Regarding things like group notices, visitor counters and internal scripts which don't communicate out of SL: it's unlikely that these violate GDPR, as long as the data never leaves SL. The reason is that the data involved (avatar names, etc.) is part of the Second Life system, and the data never leaves that system.