Ubisoft in-game data collection GDPR complaint (2025)
In September 2024, a player who purchased Far Cry Primal on Steam discovered that the game would not launch without logging into a Ubisoft account, despite the game having no online features. The player monitored network traffic during a ten-minute session and found 150 DNS queries and responses exchanged with external servers including Google, Amazon, and Datadog.[1] On 24 April 2025, NOYB filed a GDPR complaint with the Austrian Data Protection Authority on the player's behalf, alleging that Ubisoft collects personal data without a valid legal basis.[2]
Background
Ubisoft Connect (formerly Uplay) is Ubisoft's proprietary launcher and digital rights management (DRM) client. Even when a player buys a Ubisoft game through a third-party store like Steam, the game requires installation of Ubisoft Connect and an account login before it will start.[2] This applies even to titles with no multiplayer or online features.
Ubisoft has a long history of always-online DRM. In 2010, the company required a persistent internet connection to play Assassin's Creed II and Silent Hunter 5 on PC. A denial-of-service attack on Ubisoft's authentication servers that March disrupted access to single-player games for legitimate buyers.[3] Ubisoft dropped the persistent connection requirement in 2011, replacing it with a one-time launch check.[4] In September 2012, Ubisoft's Chris Early confirmed the company would no longer use always-online DRM. "They're more inconvenient to our paying customers, so in listening to our players, we removed them," Early said in an interview.[5]
A notable exception to this change in policy was The Crew (2014), which required a constant connection even for its single-player campaign. When Ubisoft shut down The Crew servers on 31 March 2024, the game became permanently unplayable.[6] The shutdown prompted the "Stop Killing Games" European Citizens' Initiative, which demanded the implementation of laws that require publishers to leave games in a playable state.[7]
Network traffic analysis

On 13 September 2024, an Austrian user played Far Cry Primal, a single-player game with no multiplayer features, purchased through Steam. The game refused to launch without an internet connection and a login to Ubisoft Connect.[1]
The user captured network traffic during a ten-minute gameplay session. The packet capture revealed 150 unique DNS packets (queries and responses) and 56 requests to initiate connections between the user's computer and external servers.[1] Recipients of the data included Google, Amazon, and Datadog, a US-based cloud analytics firm. Some data transfers were labeled "metrics" in the traffic headers. All transmissions were encrypted with TLS, so the exact contents were not visible to the user.[1]
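As an added illustration (not taken from the complaint or from NOYB), the Python below shows how the two kinds of figures reported above, DNS packets and connection-initiation requests, can be counted from a packet capture of one's own machine. It assumes a classic little-endian pcap with Ethernet/IPv4 framing, treats UDP port 53 as DNS and a TCP SYN without ACK as a connection attempt, and runs on a constructed six-frame sample using documentation-range addresses.

```python
import struct

def pcap_frames(data):
    """Yield link-layer frames from a classic little-endian pcap byte string."""
    if struct.unpack_from("<I", data)[0] != 0xA1B2C3D4:
        raise ValueError("expected little-endian microsecond pcap")
    off = 24                                   # skip 24-byte global header
    while off + 16 <= len(data):
        incl = struct.unpack_from("<I", data, off + 8)[0]   # captured length
        yield data[off + 16:off + 16 + incl]
        off += 16 + incl

def summarize(data):
    """Count DNS packets (UDP port 53) and TCP connection attempts (SYN, no ACK)."""
    dns, syn, hosts = 0, 0, set()
    for f in pcap_frames(data):
        if len(f) < 34 or f[12:14] != b"\x08\x00":
            continue                           # assumption: Ethernet + IPv4 only
        l4 = f[14 + (f[14] & 0x0F) * 4:]       # skip IP header (IHL is in 32-bit words)
        if f[23] == 17 and len(l4) >= 8:       # UDP
            if 53 in struct.unpack_from("!HH", l4):
                dns += 1                       # query or response
        elif f[23] == 6 and len(l4) >= 14:     # TCP
            if (l4[13] & 0x12) == 0x02:        # SYN set, ACK clear
                syn += 1
                hosts.add(".".join(map(str, f[30:34])))   # destination address
    return {"dns_packets": dns, "connection_attempts": syn, "remote_hosts": sorted(hosts)}

# --- constructed sample capture (documentation-range addresses, no real traffic) ---
def _frame(proto, src, dst, l4):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64,
                     proto, 0, bytes(src), bytes(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4
def _udp(sport, dport):
    return struct.pack("!HHHH", sport, dport, 8, 0)
def _tcp(sport, dport, flags):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 65535, 0, 0)

PC, DNS, A, B = (192, 0, 2, 10), (192, 0, 2, 53), (198, 51, 100, 7), (203, 0, 113, 9)
FRAMES = [
    _frame(17, PC, DNS, _udp(50000, 53)),        # DNS query
    _frame(17, DNS, PC, _udp(53, 50000)),        # DNS response
    _frame(6, PC, A, _tcp(50001, 443, 0x02)),    # SYN: new connection
    _frame(6, A, PC, _tcp(443, 50001, 0x12)),    # SYN-ACK: reply, not counted
    _frame(6, PC, A, _tcp(50001, 443, 0x10)),    # ACK: not counted
    _frame(6, PC, B, _tcp(50002, 443, 0x02)),    # SYN: second remote host
]
SAMPLE = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(
    struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in FRAMES)
```

Because the payloads are TLS-encrypted, counts and destination addresses like these are the limit of what a capture alone shows; mapping addresses to operators such as Google, Amazon or Datadog requires correlating them with the DNS answers.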
The user then exercised their GDPR Article 15 right of access, forcing Ubisoft to disclose what data it held on them. The returned file (uplay_traffic_data.csv) confirmed that Ubisoft records the user's unique ID, the exact time they launched the game, the exact time they quit, and the total session duration.[1][2]
Ubisoft's own EULA goes further. It states that collected data "may contain the following, without limitation: mobile device unique identity or other device identifiers and settings, carrier, operating system, localization information, date and time spent on the Product, game scores, game metrics and statistics, feature usage, advertising conversion rates, monetization rate, purchase history and other similar information".[1]
On 27 September 2024, the user contacted Ubisoft customer support. Ubisoft replied that the data sent at game launch is "an ownership check on our servers to validate that the player's account owns the game they're trying to launch" and linked to a help page about playing games offline.[1][8] Ubisoft did not explain why data was being sent to Google, Amazon, or Datadog, and did not address the ongoing data collection during gameplay.[1]
NOYB complaint
On 24 April 2025, NOYB filed a complaint (Case C-098) with the Austrian Data Protection Authority (Datenschutzbehörde, DSB) on the user's behalf under GDPR Article 80(1).[1] The complaint targets Ubisoft Entertainment SA, headquartered at 28 Rue Armand Carrel, 93100 Montreuil, France.[1]
NOYB alleges that Ubisoft violated GDPR Article 6(1) by processing personal data without a valid legal basis. The complaint makes three arguments against Ubisoft's "ownership verification" defense:[2]
- Steam already verifies game ownership at purchase and at first launch, making a second verification by Ubisoft redundant.[1][9]
- Ubisoft itself offers a hidden offline mode for some games. If the game can run offline, the online check can't be "necessary".[1]
- Even if verification at launch were justified, it doesn't explain why data is collected continuously during gameplay and sent to third parties like Google and Datadog.[1]
The complaint also cites Article 5(3) of the e-Privacy Directive (2002/58/EC), which requires user consent before accessing data from their device unless the access is strictly necessary to provide a service the user requested.[1] Since Far Cry Primal has no online features, the data collection does not meet this threshold.
NOYB requested that the DSB declare Ubisoft in violation of Article 6(1), order the deletion of all unlawfully processed personal data, ban the unauthorized data processing, and impose an administrative fine. Based on Ubisoft's annual revenue of over €2 billion, the maximum fine under GDPR Article 83 would be approximately €92 million.[2][10]
No public decision from the DSB had been reported as of early 2026.
Ubisoft's response
Ubisoft responded publicly on 29 April 2025:
"We are aware of the complaint and are looking into it. Ubisoft is committed to protecting players' personal data on our websites and games. For games that support offline modes, an Internet connection is required only at the initial launch."[11]
NOYB noted that the advertised offline mode did not work for the complainant, and that the network traffic analysis showed data collection over longer periods, not only at launch.[10]
References
- [1] NOYB (24 Apr 2025). "Complaint against Ubisoft: Article 6 GDPR (Case C-098)" (PDF). noyb.eu. Archived (PDF) from the original on 24 Apr 2025. Retrieved 27 Mar 2026.
- [2] NOYB (24 Apr 2025). "Like to play alone? Ubisoft is still watching you!". noyb.eu. Archived from the original on 24 Apr 2025. Retrieved 27 Mar 2026.
- [3] Johnson, Bobbie (9 Mar 2010). "Ubisoft apologises after attackers block games". The Guardian. Archived from the original on 10 May 2015. Retrieved 28 Mar 2026.
- [4] Parkin, Simon (3 Jan 2011). "Ubisoft Removes Constant Online Authentication DRM For PC Games". Game Developer. Archived from the original on 29 Mar 2026. Retrieved 28 Mar 2026.
- [5] Soulskill (5 Sep 2012). "Ubisoft Ditches Always-Online DRM Requirement From PC Games". Slashdot. Archived from the original on 11 Sep 2012. Retrieved 28 Mar 2026.
- [6] Middler, Jordan (10 Apr 2025). "Ubisoft says players suing over The Crew shutdown shouldn't have expected to own the game forever". VGC. Archived from the original on 10 Apr 2025. Retrieved 28 Mar 2026.
- [7] Randall, Harvey (4 Jun 2025). "Stop Killing Games' EU initiative hits 1.4 million signatures". PC Gamer. Archived from the original on 21 Jul 2025. Retrieved 28 Mar 2026.
- [8] Lauren, Alexandre (25 Apr 2025). "Connexion obligatoire pour jeux solo : Ubisoft poursuivi pour non-respect du RGPD" [Mandatory connection for single-player games: Ubisoft sued for non-compliance with the GDPR]. Next.ink (in French). Archived from the original on 25 Apr 2025. Retrieved 28 Mar 2026.
- [9] Stahie, Silviu (28 Apr 2025). "Ubisoft Accused of Unlawfully Collecting Player Data in Single-Player Games". Bitdefender. Archived from the original on 30 Apr 2025. Retrieved 28 Mar 2026.
- [10] Vigliarolo, Brandon (24 Apr 2025). "Assassin's Creed maker faces GDPR complaint for forcing single-player gamers online". The Register. Archived from the original on 24 Apr 2025. Retrieved 28 Mar 2026.
- [11] Phillips, Tom (24 Apr 2025). "Privacy firm files Ubisoft legal complaint over data collection, forced online in single-player games". Eurogamer. Archived from the original on 1 May 2025. Retrieved 28 Mar 2026.