Key Takeaways
A complaint filed under the EU’s General Data Protection Regulation (GDPR) on Thursday, April 24, alleges that Ubisoft illegally harvested gamers’ personal data without permission.
The complainant first identified Ubisoft’s data extraction when playing Far Cry Primal. Upon further inquiry, they discovered that the company was sharing potentially identifying information with Amazon, Google, Datadog and others.
In documents submitted to the Austrian data protection authority, noyb, a legal organization specialized in GDPR cases, describes how a client discovered that Ubisoft was collecting their game data.
Initially, the complainant downloaded Far Cry Primal from Steam, a marketplace for PC games.
However, once they had downloaded the game, they were surprised to discover that to play it, they needed to connect to the internet and log into an Ubisoft account.
Curious about what was going on, the complainant analyzed the data packages sent from their computer while playing the game.
During ten minutes of gameplay, 150 unique DNS packages were sent, as well as 56 requests to initiate a connection to external servers.
By analyzing network traffic, they inferred that a host of third parties, including Google, Amazon and Datadog, received data from the session.
The latest GDPR complaint alleges that Ubisoft processes gamers’ data without the necessary consent.
But whether the data protection authority agrees with that argument rests on the question of what counts as personal data.
The End User License Agreement (EULA) Ubisoft uses for Far Cry does not grant Ubisoft permission to process personal data. But it does state that the game may use “third-party analytics tools to collect information concerning your and other users’ gaming habits and use of the product.”
Contrary to what Ubisoft implies, however, noyb argues that “the data collected from the complainant is personal data.”
While information such as names and addresses can clearly be used to identify a data subject, European Courts have often been asked to weigh in on the nature of other types of data that don’t identify data subjects directly
The data collected by Ubisoft includes unique device identifiers, time spent playing, game scores and other in-game metrics, advertising conversion rates and purchase history.
To build their argument that such information should be subject to the GDPR’s consent requirements, noyb’s lawyers cited a landmark EU privacy case related to the “Transparency & Consent Framework” (TCF).
In that case, the Court of Justice of the EU found that a string of data used to identify anonymous user preferences was covered by GDPR rules.
A core aspect of GDPR is the data minimization principle, which states that data processors shouldn’t collect more information than necessary.
When asked by the complainant to justify collecting Far Cry data, Ubisoft said it needed the information to verify purchases.
However, noyb interrogated this notion on multiple grounds.
Ubisoft’s rationale doesn’t explain why it needs to send data to Google and Amazon. Moreover, the complaint points out that Steam already verifies game ownership.
Finally, it points to a “hidden offline option” to play Far Cry Primal without connecting to the internet. The existence of this option suggests Ubisoft doesn’t need to collect data at all, but makes it extremely difficult not to participate.