
Gaming GDPR Risks Are Rising and These 2025 Cases Prove It

Key Findings
- Even single-player games now track user behavior, often without consent.
- Ubisoft: GDPR complaint over forced online play – possible €92M fine.
- Nintendo: GameChat may record audio/video → consent unclear.
- 2K Games: EULA grants root access for anti-cheat → privacy concerns.
- Industry lacks transparency; bundled consents violate GDPR principles.
- Regulators tighten control – studios must adopt privacy-by-design.
In 2025, playing a video game is no longer a private experience. Even in single-player mode, your actions may be tracked, recorded, and analyzed. From voice chat monitoring to mandatory online accounts, games increasingly rely on data collection that would raise eyebrows in other industries. These trends are now drawing legal scrutiny, especially in Europe, where GDPR in gaming is becoming a major compliance issue.
Recent controversies involving Nintendo, Ubisoft, and 2K show how far the industry has drifted from user transparency.
In this blog, we explore the intersection of gaming GDPR issues, user rights, and the hidden dangers of unchecked gaming privacy policies.
Ubisoft vs NOYB: A GDPR Complaint That Exposes a Bigger Problem
In April 2025, the European privacy advocacy group NOYB (None of Your Business) filed a formal GDPR complaint with the Austrian authorities against the French game developer Ubisoft. This clash has become one of the highest-profile examples of potential gaming GDPR violations in 2025.
Their complaint alleges unlawful data collection, as the company forces users to be online and connect to Ubisoft's servers to play even single-player games with no multiplayer or online functionality, such as the Assassin's Creed, Far Cry, and Prince of Persia franchises.
This allows Ubisoft to collect people’s gaming behavior - the company collects data about when users start a game, for how long they play it, and when it's closed. It has been demonstrated that over a period of only 10 minutes, the game connected to external servers 150 times, including servers belonging to Google, Amazon, and a US software company, Datadog.
NOYB argues Ubisoft is in breach of Article 6(1) of the GDPR as Ubisoft didn’t ask for consent and their processing wasn’t strictly necessary, especially since a hidden offline mode exists.
Based on the complaint raised by NOYB and Ubisoft’s turnover of over €2 billion, the data protection authority could issue a fine of up to €92 million.
Ubisoft’s approach is an example of a growing trend in gaming - turning gameplay into a data pipeline, regardless of necessity.
Nintendo's Voice Chat Raises Privacy Questions
May 2025 brought another privacy concern in the gaming world - Nintendo's recently launched Switch 2 handheld gaming console may record users' audio and video.
The console includes GameChat - a feature that lets players share their screens and chat with their friends in-game. To "help maintain a safe and secure environment", Nintendo may also record the shared video and audio. This was confirmed in Nintendo's recently updated privacy policy.
Nintendo has stated that GameChat recordings are triggered manually and are capped at three minutes, but this still raises significant concerns around gaming GDPR compliance. Audio and video data are both considered personal data under the GDPR. Collecting or storing such data, even for safety purposes, must follow strict legal requirements.
Nintendo’s privacy notice also mentions that GameChat requires Nintendo Online membership and a verified phone number. Parental consent is needed for users under 16, indicating some GDPR considerations were made. However, it’s unclear whether users can fully opt out of recordings or how much control they have over how their data is stored, processed, or shared.
Under the GDPR, companies collecting personal data must have a clear legal basis for doing so, most commonly consent or legitimate interest. In the case of GameChat, relying on "safety" alone may not justify recording gameplay conversations unless users are explicitly informed and have a meaningful way to opt in or out.
Moreover, GDPR emphasizes data minimization (only collecting what is strictly necessary), purpose limitation (only using it for clearly stated reasons), and transparency. Nintendo must ensure players know when they’re being recorded, for what reason, for how long, and who has access to those recordings.
Nintendo’s approach illustrates a wider issue in the gaming industry: players are often subject to data collection practices that lack meaningful transparency or control. While safety and moderation are legitimate concerns, they must be balanced with users’ fundamental privacy rights under the GDPR. Without clear opt-in mechanisms, specific user consent, and full transparency, features like GameChat risk crossing the line from protective to invasive and may set a troubling precedent for how far gaming companies can go in monitoring their players.
Borderlands: When Anti-Cheat Becomes a Privacy Risk
In May 2025, another gaming privacy storm erupted, this time involving 2K Games - the publisher of the Borderlands franchise.
Players discovered that a newly updated End User License Agreement (EULA) for Borderlands 3, 2, and The Pre-Sequel appeared to grant the publisher root-level access to players’ machines and included permissions to collect a broad range of data, including hardware details, browsing activity, and other personal information.
The backlash was swift - players accused 2K and Gearbox, the game's developer, of slipping in spyware under the guise of anti-cheat software, and the titles were heavily review-bombed in protest. Some users claimed the EULA allowed the game to collect passwords, account information, and telephone numbers, a claim that, even if exaggerated, underscores just how opaque and intrusive gaming privacy policies have become.
While publishers often justify these permissions as necessary for anti-cheat or performance analytics, the GDPR sets clear boundaries. Collecting deeply invasive data may breach core GDPR principles, including data minimization, purpose limitation, and informed consent. If players are unaware of or cannot meaningfully refuse this type of data access without losing access to the game, the “consent” claimed in the EULA is not legally valid under the GDPR.
The Borderlands case demonstrates a recurring pattern in modern gaming, where surveillance capabilities are increasingly baked into default installations, and EULAs are being used to legitimize it, regardless of necessity, transparency, or user control.
When GDPR in Gaming Becomes an Afterthought
The Ubisoft, Nintendo, and 2K examples may seem distinct on the surface, ranging from voice chat recording to forced online play and aggressive EULAs, but together, they point to a systemic issue in the gaming industry: data collection has become the norm, even when it’s not technically necessary.
What’s more concerning is how these practices are often hidden behind vague legal language, buried in privacy policies, or bundled into broad terms of service agreements that users must accept to play. Whether it’s continuous server pings during offline play, audio and video monitoring framed as “safety,” or EULAs granting root access under the guise of anti-cheat enforcement, the result is the same - players are being subjected to surveillance by design.
This is where the GDPR draws a clear line. The regulation requires data collection to be necessary for the function being provided, transparent to the user, limited in scope and duration, and backed by a clear legal basis, such as informed consent or demonstrable legitimate interest.
In practice, however, gaming companies often treat consent as a one-time checkbox and rely on “legitimate interest” without providing a lawful balancing test or opt-out mechanism. They also tend to collect far more data than is strictly needed for gameplay, undermining data minimization and purpose limitation, two cornerstones of the GDPR.
Taken together, these patterns show that gaming has a privacy problem, one that cannot be solved by simply updating a privacy policy. It requires a fundamental rethink of how data is handled, how user consent is obtained, and how compliance is embedded into game design from the start.
Final Thoughts on Gaming GDPR Risks and Compliance
As public scrutiny around gaming privacy intensifies, regulators won’t be far behind.
For studios and publishers, the message is clear: it’s time to move away from data-by-default design and toward privacy-first gameplay experiences.
Privacy compliance isn’t just a legal checkbox; it is a trust signal. If you’re unsure whether your game’s data practices align with GDPR, now is the time to get ahead of the risk.
FAQs (Frequently Asked Questions)
Is it legal for games to track me while I play offline?
Not always. Under the GDPR, companies must follow the principle of data minimization, meaning they can only collect personal data that is necessary for the core function. If a game tracks your behavior while offline without clear consent or justification, it could violate GDPR.
Can games record my voice or video without my permission?
No, not under GDPR. Voice and video recordings are considered personal data, and companies must get your freely given, informed, and specific consent before collecting or storing them. Silent consent buried in Terms of Service is not enough.
Can I refuse to accept a game’s privacy policy and still play?
Unfortunately, most games make acceptance mandatory, but this bundled consent approach is problematic under GDPR. You have the right to refuse processing of non-essential data, especially for features like analytics, ads, or anti-cheat.
What should game developers do to comply with GDPR?
They should follow privacy by design, offer clear opt-ins, limit data collection to what’s strictly needed, and ensure full transparency about what data is collected, why, and for how long.
Is anti-cheat software allowed to access everything on my computer?
No. Anti-cheat tools that require kernel-level access or collect device-wide information can raise serious GDPR concerns. The data collected must be limited to what's necessary to prevent cheating and must be clearly explained in the privacy policy or during installation.
Does GDPR apply to non-EU game developers?
Yes. GDPR applies to any game or platform that offers services to users in the EU, regardless of where the developer is based. If you sell your game in Europe or process EU players’ data, you're required to comply.
Are EULAs enough to justify data collection under GDPR?
Not by themselves. Consent must be freely given, specific, informed, and unambiguous. Burying consent in a long EULA or requiring agreement to unnecessary data processing just to play a game does not meet GDPR standards.
Can game publishers deny access to players who refuse data tracking?
Only for strictly necessary data. If the tracking isn’t essential for the game to function (e.g. telemetry for ad targeting), denying access may violate the GDPR principle of freely given consent. Players must have a real choice.
Important: The content of this article is for informational purposes only and does not constitute legal advice. The information provided here is no substitute for personalized legal advice from a data protection officer or an attorney. We do not guarantee that the information provided is up to date, complete, or accurate. Any actions taken on the basis of the information contained in this article are at your own risk. We recommend that you always consult a data protection officer or an attorney with any legal questions or problems.


