Today, noyb filed a complaint against the French video game developer and publisher Ubisoft (known for Assassins Creed, Far Cry, Prince of Persia). The company forces its customers to connect to the internet every time they launch a single player game. This is the case even if the game doesn’t have any online features. This allows Ubisoft to collect people’s gaming behaviour. Among other things, the company collects data about when you start a game, for how long you play it and when you close it. Even after the complainant explicitly asked why he is forced to be online, Ubisoft failed to disclose why this is going on. Under Article 6(1) GDPR, there seems to be no valid legal basis to randomly collect such user data.
Offline games – with obligation to be online. Most of the video games offered by French developer and publisher Ubisoft are designed around a single player experience. Among the most popular offerings in this category are the Assassins Creed, Far Cry and Prince of Persia franchise. Even though these games can be played without ever interacting with other players, Ubisoft forces PC players to connect to the internet and log in to a Ubisoft account before they can actually play a purchased game. This also happened to the complainant: After buying the Ubisoft game “Far Cry Primal” on the online marketplace Steam, he tried to launch it while being offline – only to notice that it wasn’t possible. Instead, he was forced to log into a Ubisoft account before being able to start playing.
Joakim Söderberg, data protection lawyer at noyb: “Imagine if the Monopoly man sat at your table and took notes every time you want to play a board game with your family or friends. Well, that’s the reality of video games. Often, it doesn’t even matter if the games are played online or offline. As long as you have an open internet connection when you play, your data is collected and analysed.”
Secret data collection. To find out more about Ubisoft’s data collection and tracking practices, the complainant filed an access request under Article 15 GDPR. Ubisoft replied with information such as a unique identifier for the complainant and information about when he launched the game, how long it was running and when he quit the game. Being a tech savvy individual, the complainant additionally examined what exact data was being sent to Ubisoft when playing. The complainant discovered that, over a period of just 10 minutes, the game established a connection to external servers 150 times. Among the recipients of the complainant’s data: Google, Amazon and US software company Datadog.
Game of cat and mouse to get more information. In an attempt to find out more, the complainant also contacted Ubisoft’s customer support. In its response, Ubisoft claimed that it just performs an ownership check on launch. For everything else, the complainant was referred to the company’s End User License Agreement (EULA) and privacy policy. There, Ubisoft confirms that it collects personal data “in order to provide You with a better game experience”, that it uses “third party analytics tools to collect information concerning your and other users’ gaming habits and use of the product” and that it collects “game data” as well as “login and browsing data”.
Not necessary – and therefore unlawful. The thing is: The complainant has never consented to this processing. According to Article 6(1) GDPR, this means that the processing operation is only legal if it is necessary – which isn’t the case for the complainant. Having bought the game on Steam, the ownership is already confirmed. Also, Ubisoft provides a (hidden) option to play the game offline, showing that the processing of all the personal data in the standard setup isn’t actually necessary. And even if it was, it wouldn’t explain the data collection while a game is played. If Ubisoft wants data to improve a game, it can just ask users for consent. The company can also ask players if they want to send individual bug reports to its servers. However, it does not appear to be legal for a user's PC to send constant reports by default.
Lisa Steinfeld, data protection lawyer at noyb: “Video games are expensive – but that doesn’t stop companies like Ubisoft from forcing their customers to play offline games online unnecessarily, just so they can make more money by tracking their behaviour. Ubisoft's actions are clearly unlawful and must be stopped."
Complaint filed in Austria. noyb has therefore filed a GDPR complaint with the Austrian data protection authority (DSB). We request the DSB to declare that Ubisoft infringed Article 6(1) GDPR with its processing of personal data without a valid legal basis. In addition, we request that Ubisoft deletes all personal information by the complainant that has been processed without a valid legal basis – and that the company ceases further unlawful processing. Last but not least, we suggest that the data protection authority impose an administrative fine. Based on Ubisoft’s turnover of more than € 2 billion, the data protection authority could issue a fine of up to € 92 million.
