Meet the Top 101 in Crypto
Technology
4 min read

Ubisoft Accused of Illegally Harvesting Far Cry Gamer Data and Sending to Amazon, Google

Published 24 April 2025
James Morales
Authors

Key Takeaways

  • A complaint submitted to the Austrian data protection authority alleges that Ubisoft illegally harvested gamer data.
  • The complainant claims that while playing Far Cry Primal, Ubisoft continuously collected data and sent it to third parties.
  • Recipients of the data include Amazon, Google and Datadog.

A complaint filed under the EU’s General Data Protection Regulation (GDPR) on Thursday, April 24, alleges that Ubisoft illegally harvested gamers’ personal data without permission.

The complainant first identified Ubisoft’s data extraction when playing Far Cry Primal. Upon further inquiry, they discovered that the company was sharing potentially identifying information with Amazon, Google, Datadog and others.

Far Cry Gamer Alleges GDPR Violation

In documents submitted to the Austrian data protection authority, noyb, a legal organization specialized in GDPR cases, describes how a client discovered that Ubisoft was collecting their game data.

Initially, the complainant downloaded Far Cry Primal from Steam, a marketplace for PC games.

However, once they had downloaded the game, they were surprised to discover that to play it, they needed to connect to the internet and log into an Ubisoft account.

Curious about what was going on, the complainant analyzed the data packages sent from their computer while playing the game.

During ten minutes of gameplay, 150 unique DNS packages were sent, as well as 56 requests to initiate a connection to external servers.

By analyzing network traffic, they inferred that a host of third parties, including Google, Amazon and Datadog, received data from the session.

When Is Data Personal?

The latest GDPR complaint alleges that Ubisoft processes gamers’ data without the necessary consent.

But whether the data protection authority agrees with that argument rests on the question of what counts as personal data.

The End User License Agreement (EULA) Ubisoft uses for Far Cry does not grant Ubisoft permission to process personal data. But it does state that the game may use “third-party analytics tools to collect information concerning your and other users’ gaming habits and use of the product.”

Contrary to what Ubisoft implies, however, noyb argues that “the data collected from the complainant is personal data.”

Identifiability in EU Privacy Law

While information such as names and addresses can clearly be used to identify a data subject, European Courts have often been asked to weigh in on the nature of other types of data that don’t identify data subjects directly

The data collected by Ubisoft includes unique device identifiers, time spent playing, game scores and other in-game metrics, advertising conversion rates and purchase history.

To build their argument that such information should be subject to the GDPR’s consent requirements, noyb’s lawyers cited a landmark EU privacy case related to the “Transparency & Consent Framework” (TCF).

In that case, the Court of Justice of the EU found that a string of data used to identify anonymous user preferences was covered by GDPR rules.

The Data Minimization Principle

A core aspect of GDPR is the data minimization principle, which states that data processors shouldn’t collect more information than necessary.

When asked by the complainant to justify collecting Far Cry data, Ubisoft said it needed the information to verify purchases.

However, noyb interrogated this notion on multiple grounds.

Ubisoft’s rationale doesn’t explain why it needs to send data to Google and Amazon. Moreover, the complaint points out that Steam already verifies game ownership.

Finally, it points to a  “hidden offline option” to play Far Cry Primal without connecting to the internet. The existence of this option suggests Ubisoft doesn’t need to collect data at all, but makes it extremely difficult not to participate.

James Morales

James Morales is CCN’s blockchain and crypto policy reporter. He has been working in the news media since 2020, writing about topics such as payments, banking and financial technology. These days, he likes to explore the latest blockchain innovations and the evolving landscape of global crypto regulation.

With an educational background in social anthropology and media studies, James uses his platform as a journalist to explore how new technologies work, why they matter and how they might shape our future.

Related

Survey Icon
Help us improve
1 of 4
Is this your first time here?
What brought you here today?
What are you most interested in?
Would you be interested in:
Thank you icon
Thank you for your feedback!
DMCA.com Protection Status