Legislation always faces a problem of enforcement. That problem can take many shapes: lower courts or police may refuse to enforce the law, citizens may refuse to obey the law en masse, or crafty schemers may look for loopholes and technicalities so they effectively break the law without penalty. There are multiple laws, cases, opinions, and all other legal indications that children merit special and particular protection online and in digital interactions. However, there is no law specifically forbidding inflicting digital violence on a child’s avatar in a game until the child pays non-digital money— and I’m almost surprised it took so long for someone to find that opportunity. I think Penny Arcade misunderstands the problem. The problem is that all of those legal efforts to protect children could never cover every possible way that someone might try to exploit a child in a digital setting. When someone wants to exploit people for money, they only worry about the law in three ways: not getting caught, not getting tried, and not getting convicted.
This kind of example raises concerns not just in the video game industry, but across industries affected by the new General Data Protection Regulation. It would be unfairly cynical to even hypothesize that every company is nefarious, of course. A good many companies have a genuine desire to uphold the GDPR rights of their users, and their task is to work toward official compliance with the GDPR requirements– a few will even go beyond that minimum and take further measures for privacy and security. Notwithstanding, some controllers and processors still want to exploit their users, and their task is now to figure out how to sneak over, around, or through the GDPR.