
Ubisoft Fined €92 Million for "Spying" on Gamers Over Violation of Critical GDPR Article

Updated: Apr 30



French video game company Ubisoft, the maker of popular franchise titles such as Assassin's Creed and Far Cry, finds itself at the center of a controversy following a complaint filed by European privacy group NOYB (None of Your Business). The publisher is accused of violating the General Data Protection Regulation (GDPR) by harvesting user information without consent while people played games in single-player mode.


The issue was highlighted by a technically savvy player of "Far Cry Primal," who noticed that the game required an online connection and Ubisoft account registration even for solo gameplay. A further check revealed that during just 10 minutes of play, the game called its servers 150 times and made API calls to third parties such as Google, Amazon, and Datadog. This data was transmitted even though the game had been purchased on Steam and ownership had already been verified.


Ubisoft defended this on the basis that the online connection is necessary to verify ownership of the game and to enhance the user experience. NOYB contends that such data collection has no basis under GDPR Article 6(1), which requires that data processing be necessary and transparent. What Ubisoft did was tantamount to "secret collection of data" that intruded upon the privacy of its users.


The lawsuit also argues that while Ubisoft's End User License Agreement (EULA) and privacy policy do mention the use of third-party analytics services to collect information about players' in-game behavior, merely placing this in formal legal documents does not amount to obtaining the players' explicit, informed consent. Under the GDPR, Ubisoft would be liable for a maximum penalty of €92 million or 4% of its annual turnover if it is proven guilty. NOYB requests that the Austrian Data Protection Authority have Ubisoft immediately cease its illegal data gathering and delete any illegally obtained user information.


This case illustrates the new problem of data privacy across the gaming industry: the harvesting of consumer information without permission. As digital privacy becomes an increasingly top-of-mind issue, industry players such as Ubisoft will need to redesign the way they handle consumer information to comply with strict regulations like the GDPR.

