Comment & Opinion

Life in a GDPR world: How the new rules are changing app development, publishing and advertising

WeQ's Steffen Wachenfeld discusses what's next

Dr Steffen Wachenfeld is chief product officer at WeQ.

Now that the GDPR deadline has passed, what happens next for mobile app developers and publishers, and third-party SDK and service providers?

Will it be business as usual with GDPR as a minor speed bump, or will its ramifications become highly visible with hefty fines being imposed on a perpetual string of noncompliant companies?

GDPR means more than just privacy compliance and consumer data protection. The new mandate will affect the way apps are designed from the ground up, developed and intertwined with third-party SDKs and services in the near future and beyond.

The following are the key elements of GDPR that will have the longest lasting effect on the app gaming industry.

The new market landscape driven by privacy

From now on, mobile app developers and publishers must retrofit existing apps to gather and manage user consent and data, and design proper privacy controls into new apps.

Under the GDPR mandate, this now extends to IDFA (Apple's identifier for advertisers), GAID (Google's advertising ID) and IP addresses. Private user information is now as personal as a user’s name, address and nuanced details such as how many apps they have on their mobile device.

The crux of this stipulation is gathering personally identifiable information (PII) from users. App game developers (who are now GDPR compliant) have not only retrofitted old games to re-ask users for permission to store and use this data under the new rules, but have also been given pause to consider what information they should be asking for and what now makes the most sense for their needs, as well as the users'.

Given these requirements and the costs, some developers would rather pull low-performing games off the market than spend the time and money to retrofit them for GDPR compliance.

This is compelling because it means that only the largest publishers and developers have the time and the ability to absorb the resources and cost to do this with their entire inventory in the App Store and Google Play, as opposed to indie developers who will have to pick and choose.

It also means that going forward, at least initially, GDPR will force the smaller and mid-sized companies to be choosier about which games they publish.

This is because retrofitting is more than just updating your privacy policy messaging. It entails a full assessment of your current information security procedures, how you collect data, where it’s stored and how your technology partners manage your data. Then you have to build out the structure needed to support the required data management changes, as well as privacy controls that let users request and manage their personal data.

Some companies are turning to third-party assessors to provide a gap analysis on company policies and procedures, while others are hiring in-house resources to focus on data privacy and compliance on an ongoing basis.

In either case, it’s most likely that at least a couple of people need to be dedicated for the first few months of a retrofitting project for GDPR.

In fact, the time for retrofitting a larger portfolio of titles could take the better part of a year, depending on the backend development required and data storage fees. The cost for these resources alone will force the shutdown of multiple games that are not top grossing, especially those of small and medium-sized developers.

Without a doubt, GDPR will ultimately affect the quality, diversity and the types of games that become available to app gamers in the future.

This is likely to have the interesting effect of temporarily clearing the market of a lot of underperforming games, making it slightly easier to launch new privacy-friendly games into the void.

In fact, we’re already starting to see indie games shut down due to compliance overhead, like Loadout, Super Monday Night Combat and Ragnarok Online.

Managing third-party data transparency

GDPR was also written to address the fact that most apps use services from third parties (i.e. ad networks), which of course impacts the privacy of users.

The average number of SDKs per mobile app is 18.5. However, many of these SDKs operate like “black boxes”: how their code behaves within a publisher’s app is unknown.

Moreover, this includes third-party advertisers that track user activity and location, so if these third parties are not GDPR compliant, publishers and developers will be on the hook for them.

Part of this is the key requirement that every user has “the right to be forgotten,” meaning that they can request that app publishers have all their data deleted by third-party providers. There are also compliance issues around keeping data in the EU and what happens when moving user information to and from the US.

Many app developers are using multiple third-party services and SDKs for a variety of functions: ads, metrics, user acquisition and more.

Some developers are now only working with third parties that keep their data strictly in the EU, or with US providers that are covered under Privacy Shield or that provide model clauses as a backup.

This too is important, particularly for US third parties, because if they did not take the time and money to become compliant, app developers will look at the competition that is compliant, even if it means working with an ad network startup that is less proven in the market.

Ultimately, we find that GDPR has changed how we approach managing our app portfolio, app development, our relationships with third-party services and advertising.

It has already begun to alter the landscape of the industry at large and will continue to do so over time.

It’s key for app developers and publishers to integrate privacy concerns into every aspect of their business going forward for data safety and compliance, as well as to continue growing a sustainable business and app portfolio for years to come.


PocketGamer.biz regularly posts content from a variety of guest writers across the games industry. These encompass a wide range of topics and people from different backgrounds and diversities, sharing their opinion on the hottest trending topics, undiscovered gems and what the future of the business holds.