A European privacy firm has filed a legal complaint against Assassin’s Creed maker Ubisoft, citing concerns over the company’s data collection practices and the requirement of an online connection for single-player games.
Based in Austria, the non-profit NOYB – European Center for Digital Rights has taken on the case of a Far Cry fan who contacted Ubisoft to find out what data it had collected. The firm alleges that Ubisoft has flouted GDPR rules, and now risks a potential fine of up to €92m (£78m) – four percent of Ubisoft’s €2.3bn turnover last year. Eurogamer has contacted Ubisoft for comment.
NOYB (which stands for None Of Your Business) was set up by privacy activist Max Schrems, who previously helped surface allegations of personal data being passed from Europe to the USA for use in the NSA’s PRISM mass surveillance programme.
While playing prehistoric adventure Far Cry Primal, Ubisoft told the user it had obtained the kind of data you’d expect – information on when the game was launched, how long it was played for, and when it was shut down.
Still, examination of the data Ubisoft had obtained showed a connection to external servers 150 times in 10 minutes, NOYB claims, referring to this as a “secret data collection”.
As for the need to connect online, Ubisoft told the user this was required to verify ownership of the game upon its launch. NOYB argues that because the user’s copy of Far Cry Primal was bought through Steam, the game could be verified through that without additionally logging into a Ubisoft account.
GDPR laws state that data collection should only take place if “necessary”, otherwise it is “unlawful”, NOYB’s complaint continues. An option that Ubisoft advertises to play PC games via Ubisoft Connect while offline still requires an initial connection, meanwhile.
Discussing the situation with the user, Ubisoft customer support flagged that agreement of the game’s End User License Agreement (EULA) meant acknowledging Ubisoft’s user of “third party analytics tools to collect information concerning your and other users’ gaming habits and use of the product”. Agreement of the game’s Privacy Policy, meanwhile, meant acknowledging that Ubisoft collects “game data, to improve your experience and the security of our services” and “login and browsing data, to enable the operation and security of our Services”.
NOYB’s argument seems to hinge on whether the user has accepted the game’s EULA simply by playing the game (the complaint says this should not be the case), whether the information was personal data (the complaint says it was) and whether this was then processed lawfully (the complaint says not).
The privacy firm is thus recommending Ubisoft be made to change its practices to conform to GDPR, and be slapped with a fine “given that millions of users are affected”.
