The European privacy advocacy group noyb (None of Your Business) has filed a formal complaint against French video game publisher Ubisoft, alleging violations of the General Data Protection Regulation (GDPR) through the collection of user data in single-player games.
According to noyb, Ubisoft requires players to maintain an internet connection and log into a Ubisoft account even when launching games designed for offline play, such as titles from the Assassin’s Creed, Far Cry, and Prince of Persia franchises. This practice enables Ubisoft to collect data on players’ gaming behavior, including when they start and stop playing.
The complaint centers on the experience of a user who purchased “Far Cry Primal” via Steam. Upon attempting to play offline, the user discovered that the game would not launch without an internet connection and Ubisoft account login. Subsequent investigation revealed that within a 10-minute gameplay session, the game connected to external servers 150 times, transmitting data to third parties such as Google, Amazon, and Datadog.
In response to a data access request under Article 15 of the GDPR, Ubisoft provided information including a unique identifier for the user and timestamps of game launches and closures. However, Ubisoft did not offer a clear explanation for the necessity of this data collection. When contacted, Ubisoft’s customer support stated that the online requirement serves as an ownership check and referred the user to the company’s End User License Agreement and privacy policy, which mention data collection for enhancing user experience and employing third-party analytics tools.
Noyb argues that such data processing lacks a valid legal basis under Article 6(1) of the GDPR, as the user did not consent to the data collection, and the processing is not necessary for the performance of the contract. The organization contends that ownership verification is already handled by platforms like Steam and that Ubisoft’s practices constitute unnecessary and unlawful data processing.
The complaint seeks to prompt regulatory scrutiny of Ubisoft’s data handling practices and to enforce compliance with European data protection laws. As of now, Ubisoft has not publicly responded to the allegations.
