The privacy advocacy group noyb has filed a formal complaint against Ubisoft, alleging that the video game publisher unlawfully collects personal data from players of its single-player games, including titles like Far Cry Primal, Assassin’s Creed, and Prince of Persia.
The complaint, lodged with the Austrian Data Protection Authority, accuses Ubisoft of violating the EU’s General Data Protection Regulation (GDPR) by forcing users to connect to the internet and log into a Ubisoft account to play games that offer no online features.
The issue came to light when a user attempted to play Far Cry Primal — a purely offline game — without an internet connection and was blocked from launching it. Upon further investigation, the complainant discovered that the game transmits significant volumes of data during gameplay sessions. Over just ten minutes of play, 150 DNS queries were initiated, and data was transmitted to third parties including Google, Amazon, and Datadog.
Noyb, which is representing the complainant under Article 80(1) GDPR, argues that Ubisoft’s practices are both unnecessary and opaque. Despite user inquiries, the company failed to explain why an online connection is required for offline play, or what specific data is being collected. Ubisoft’s response pointed users to its End User License Agreement and privacy policy, which vaguely claim the data is used to “provide a better game experience” and for analytics and ad-serving purposes. These justifications, noyb argues, fall short of meeting GDPR’s legal standards.
Ubisoft is a major player in the European gaming industry, reporting over €2 billion in annual revenue. The firm’s portfolio includes some of the most recognized single-player game franchises, yet it reportedly employs tracking mechanisms even in games devoid of any networked features. The complaint asserts that this data collection lacks a valid legal basis under Article 6(1) of the GDPR and violates the principles of data minimization and transparency.
According to the technical analysis included in the complaint, data packets sent during gameplay were encrypted with TLS, obscuring their contents. However, network traffic logs revealed frequent communications with third-party analytics providers, raising further concerns about the potential sharing of personal data without proper consent. Ubisoft's privacy policy mentions that data may be collected for product improvement and security purposes, but the complainant notes that these reasons are too vague and fail to justify constant behavioral monitoring.
The complaint also emphasizes the misleading nature of Ubisoft’s data practices. Although the company claims ownership checks justify mandatory logins, the complainant highlights that games purchased through Steam already undergo license verification. Moreover, Ubisoft admitted to providing a hidden offline mode — contradicting its assertion that online access is required for ownership validation. This undermines any argument that persistent tracking is technically or contractually necessary.
Noyb is requesting that regulators declare Ubisoft’s data processing illegal, compel the deletion of unlawfully collected data, and impose a ban on future unauthorized tracking. The group also suggests an administrative fine based on Ubisoft’s revenue — potentially reaching up to €92 million under GDPR penalty guidelines.
Leave a Reply