Ubisoft Accused of Unlawfully Collecting Player Data in Single-Player Games

Publisher and game developer studio Ubisoft, known for series such as Assassin's Creed and Far Cry, now faces allegations of unlawful data collection from the privacy advocacy group noyb (None of Your Business).

A formal complaint has been filed with the Austrian Data Protection Authority, and Ubisoft was directly accused of violating the General Data Protection Regulation (GDPR) in Europe by collecting player data during single-player game sessions, even if there's no such need.

An old game is the focus point

The complaint revolves around Ubisoft's game Far Cry Primal, which can be purchased and played via the Steam platform, as well as other places.

Although the game is entirely single-player and has no multiplayer or online components, the complainant says that launching the game requires an internet connection and logging into a Ubisoft account.

While this is not out of the ordinary, the complainant's investigation found that online data traffic happens during gameplay sessions involving third-party companies, including Google, Amazon, and Datadog.

According to the complaint, "150 unique DNS packages were sent within a ten-minute gameplay session, including 56 connection initiation requests to external servers."

This policy could violate GDPR

noyb is representing the complainant. The organization argues that Ubisoft's data collection policies lack a valid legal basis:

"Despite Ubisoft's claim that data collection is necessary for verification of game ownership, this cannot be the case since ownership verification is already managed by Steam. Furthermore, the option to play offline exists, contradicting Ubisoft's stated necessity for continuous online connectivity," says noyb in the complaint.

"Collecting data from users during private gaming sessions disproportionately infringes upon privacy and is tantamount to unauthorized surveillance," the complaint also claims.

Ubisoft's response

Ubisoft has already responded to initial inquiries and said internet connectivity is primarily required during the initial launch of a game.

The company also says that the collected data mostly serves to improve game performance and enhance user experience. The game publisher says that its End User License Agreement (EULA) and Privacy Policy state that data collection aims at security, analytics, and third-party advertising.

Potential consequences

noyb's legal action urges the Austrian Data Protection Authority to investigate Ubisoft's data processing activities. The advocacy organization wants the following steps to be taken:

• The Austrian Data Protection Authority must issue a decision that Ubisoft has violated GDPR.
• Immediate deletion of unlawfully collected data.
• A ban on Ubisoft's unauthorized tracking practices.

Additionally, noyb has also suggested that imposing a substantial administrative fine is in order, potentially amounting to tens of millions of euros.

noyb is extremely fierce when it comes to GDPR

Between 2018 and 2023, European data protection authorities issued a total of €4.29 billion in fines for GDPR violations. Out of this sum, €1.69 billion (40 percent out of the total) - resulted directly from litigation initiated by noyb.

You can read the complete complaint filed by noyb here.