Linden Lab highlights GDPR – coming into force on May 25th 2018

On May 25th, 2018 the European Union’s General Data Protection Regulation (GDPR) comes into force. While an EU regulation, the GDPR not only applies to organisations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects.

The GDPR applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location. As such, it not  only Linden Lab, who hold data on Second Life and Sansar users in the European Union, it can also impact those operating a business through Second Life and who collect data on customers which is stored outside of the servers operated by Linden Lab.

In preparation for the enforcement of the GDPR, on May 9th, 2018, Linden Lab issued a preliminary blog post on their compliance with the GDPR, which covers both Second Life or Sansar.

GDPR, in a nutshell.

Put simply, the GDPR puts in place new requirements for the collection, maintenance, and use of personal data for residents of the European Union (EU) and European Economic Area (EEA). It’s an important evolution in privacy practices, and one we’ve already started to account for: if you notice, our existing Privacy Policy already discloses the type of personal data we collect from you, how we use and limit any sharing of your data, and your rights to control our use of your personal data.

What you can expect.

In coming weeks, we’ll provide more information on how EU residents in Second Life can best exercise their rights under GDPR. In some cases, you may take actions through your account dashboard (to modify your personal data, for instance). In others, it may be necessary to file a support ticket and verify your identity (to better protect your privacy).

– Linden Lab May 9th blog post on the upcoming GDPR

The GDPR defines personal data as, “any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person.” This includes, but is not limited to: IP addresses, on-line identifiers (including avatar names), e-mail addresses, photographs, as well as the more usual name, address, bank details, medical data, etc.

In addition to defining requirements for how such data should be managed and protected by organisations gathering it, the GDPR also specifies a number of rights to Data Subjects who have their personal information stored by companies and other entities. These include, but are not limited to:

  • The right to be informed: Data Subjects have the right to know what data is being collected, how it’s being used, how long it will be kept and whether it will be shared with any third parties.
  • The right to access: generally speaking, organisations are required, within one month of receipt of a formal request, to provide a copy of any personal data concerning the requesting Data Subject.
  • The right to rectification: a Data Subject can formally request that inaccurate or incomplete information relating to them is updated, and the update must be made within one month (exceptions can apply).
  • The right to be forgotten: a Data Subject can request the erasure of all personal data relating to them in certain circumstances (e.g. it is no longer necessary to hold it; if the data was unlawfully processed or it no longer meets the lawful ground for which it was collected). However, there are certain exceptions to this.

(In addition, the GDPR defines: The right to object (to data being gathered); The right to restrict processing; The right to data portability; and Rights related to automated decision making including profiling.)

For those running businesses through Second Life or Sansar which use services  – web sites, computers, etc.,  – outside of Second Life for the collection and storage of personal information on their EU Second Life  / Sansar customers, the GDPR might have significant import – and exposure to the risk of fines. For such businesses, the Lab’s advice is clear and straightforward:

If you collect or process personal data of EU residents on a website associated with Second Life or Sansar, or create or make use of programs that retain information about Second Life or Sansar users or their computers, you may also have obligations under the GDPR. You should consult with your legal counsel for advice regarding your site(s) or program(s).

– Linden Lab May 9th blog post on the upcoming GDPR

To help people get to grips with GDPR, if they haven’t been aware of its arrival, the Lab offer a series of links to articles and FAQs. To these I would add:

The following is a brief video outlining the GDPR in under a minute.

5 thoughts on “Linden Lab highlights GDPR – coming into force on May 25th 2018

  1. I will have to read that again to digest it but it sounds good on first reading. I like that our privacy (might) be more assured. One question….how will this apply to DJ’s who collect data from its listeners (like IP address) and will this be more encrypted so they cant trace it back to RL customer?


    1. Say what now ? DJs are doing WHAT ? Seems we really needed those laws more than we thought. Pretty sure under GDPR that sort of stuff would be illegal.


    2. As er the article, if the data is being extracted from Second Life and stored elsewhere (such as on a person’s home computer in a spreadsheet or database, or on a website or web page), then potentially the person “managing” that system of data storage could be liable under the GDPR.

      There are some areas of greyness around issues of enforcement, proof, etc., and even possible liability (hence that Lab’s advice to those who do store users data externally to SL to seek legal advice); but that’s the idea in principle.

      As such, there are a number of question marks around a number of activities currently common in SL and how they will be viewed. One example might be the continued use of scripted “visitor trackers” which automatically (and without seeking any form of direct consent) gather information on visitors to regions / parcels and pass that information outside of SL for storage will continue to be allowed (technically, the GDPR requires EU citizens must be accorded the the right to opt-in to any kind of personal data gathering) – but this kind of thing is perhaps better for the Lab to rule on going forward than for me to speculate about on the basis of an armchair understanding of the GDPR’s requirements.


  2. If a store owner or land lord uses the notes page of a profile to record their impressions , opinions , is that subject to a forced reveal? If that info is deleted by store owner or landlord , can Linden be forced to Time Machine it available again and release it?


Comments are closed.