
Ubisoft in-game data collection GDPR complaint (2025): Difference between revisions

From Consumer Rights Wiki
complete rewrite, was a stub with 3 citations and broken chronology. sourced everything from the noyb complaint pdf, added background on ubisoft's drm history, the crew shutdown, network traffic analysis details, and ubisoft's response. killed the slop.
m Ref clean-up; pass on style.
 
(3 intermediate revisions by one other user not shown)
Line 11: Line 11:
|ArticleType=Product
|ArticleType=Product
|Type=Privacy
|Type=Privacy
|Description=Ubisoft forces single-player games online to collect player data; NOYB filed GDPR complaint after user found 150 DNS packages sent in 10 minutes
|Description=Ubisoft forces single-player games online to collect player data; NOYB filed GDPR complaint after user found 150 DNS packages sent in 10 minutes during a single player game.
}}
}}
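
Review bot: the new |Description= says 150 DNS "packages" were "sent", but the article body counts 150 DNS queries and responses exchanged, so the figure includes replies the player's machine received. Suggest "150 DNS packets exchanged in 10 minutes during a single-player game", which also corrects "packages" and hyphenates "single-player" the way the rest of the article does.
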
'''Ubisoft forces players in single-player games to be connected to the internet to collect data.''' In September 2024, a player who purchased ''Far Cry Primal'' on Steam discovered that the game would not launch without logging into a [[Ubisoft]] account, despite the game having no online features. The player monitored network traffic during a 10-minute session and found 150 DNS queries and responses exchanged with external servers including Google, Amazon, and Datadog<ref name="noyb-complaint">{{Cite web |url=https://noyb.eu/sites/default/files/2025-04/Ubisoft_complaint_EN_redacted.pdf |title=Complaint against Ubisoft: Article 6 GDPR (Case C-098) |author=NOYB |date=2025-04-24 |access-date=2026-03-27 |website=noyb.eu |url-status=live |archive-url=https://web.archive.org/web/20250424083407/https://noyb.eu/sites/default/files/2025-04/Ubisoft_complaint_EN_redacted.pdf |archive-date=2025-04-24}}</ref>. On 24 April 2025, [[NOYB]] filed a [[GDPR]] complaint with the Austrian Data Protection Authority on the player's behalf, alleging that Ubisoft collects personal data without a valid legal basis<ref name="noyb-press">{{Cite web |url=https://noyb.eu/en/play-alone-ubisoft-still-watching-you |title=Like to play alone? Ubisoft is still watching you! |author=NOYB |date=2025-04-24 |access-date=2026-03-27 |website=noyb.eu |url-status=live |archive-url=https://web.archive.org/web/20250424092126/https://noyb.eu/en/play-alone-ubisoft-still-watching-you |archive-date=2025-04-24}}</ref>.


== Background ==
In September 2024, a player who purchased ''Far Cry Primal'' on [[Steam]] discovered that the game would not launch without logging into a [[Ubisoft]] account, despite the game having no online features. The player monitored network traffic during a ten-minute session and found 150 DNS queries and responses exchanged with external servers including [[Google]], [[Amazon]], and [[Datadog]].<ref name="noyb-complaint">{{Cite web |author=NOYB |title=Complaint against Ubisoft: Article 6 GDPR (Case C-098) |url=https://noyb.eu/sites/default/files/2025-04/Ubisoft_complaint_EN_redacted.pdf |website=noyb.eu |date=24 Apr 2025 |access-date=27 Mar 2026 |url-status=live |archive-url=https://web.archive.org/web/20250424083407/https://noyb.eu/sites/default/files/2025-04/Ubisoft_complaint_EN_redacted.pdf |archive-date=24 Apr 2025}}</ref> On 24 April 2025, [[NOYB]] filed a [[GDPR]] complaint with the Austrian Data Protection Authority on the player's behalf, alleging that Ubisoft collects personal data without a valid legal basis.<ref name="noyb-press">{{Cite web |author=NOYB |title=Like to play alone? Ubisoft is still watching you! |url=https://noyb.eu/en/play-alone-ubisoft-still-watching-you |website=noyb.eu |date=24 Apr 2025 |access-date=27 Mar 2026 |url-status=live |archive-url=https://web.archive.org/web/20250424092126/https://noyb.eu/en/play-alone-ubisoft-still-watching-you |archive-date=24 Apr 2025}}</ref>


Ubisoft Connect (formerly Uplay) is Ubisoft's proprietary launcher and digital rights management client. Even when a player buys a Ubisoft game through a third-party store like Steam, the game forces installation of Ubisoft Connect and requires an account login before it will start<ref name="noyb-press" />. This applies to titles with no multiplayer or online features.
==Background==
Ubisoft Connect (formerly Uplay) is Ubisoft's proprietary launcher and [[digital rights management]] (DRM) client. Even when a player buys a Ubisoft game through a third-party store like Steam, the game requires installation of Ubisoft Connect and an account login before it will start.<ref name="noyb-press" /> This applies even to titles with no multiplayer or online features.


Ubisoft has a long history of always-online DRM. In 2010, the company required a persistent internet connection to play ''Assassin's Creed II'' and ''Silent Hunter 5'' on PC. A denial-of-service attack on Ubisoft's authentication servers that March disrupted access to single-player games for legitimate buyers<ref name="guardian-2010">{{Cite web |date=2010-03-09 |title=Ubisoft apologises after attackers block games |url=https://www.theguardian.com/technology/2010/mar/09/ubisoft-drm |access-date=2026-03-27 |website=The Guardian}}</ref>. Ubisoft dropped the persistent connection requirement in 2011, replacing it with a one-time launch check<ref name="gamedeveloper">{{Cite web |last=Parkin |first=Simon |date=2011-01-04 |title=Ubisoft Removes Constant Online Authentication DRM For PC Games |url=https://www.gamedeveloper.com/game-platforms/ubisoft-removes-constant-online-authentication-drm-for-pc-games |access-date=2026-03-27 |website=Game Developer}}</ref>. In September 2012, Ubisoft's Chris Early confirmed the company would no longer use always-online DRM. "They're more inconvenient to our paying customers, so in listening to our players, we removed them," Early said in an interview<ref name="slashdot-2012">{{Cite web |date=2012-09-05 |title=Ubisoft Ditches Always-Online DRM Requirement From PC Games |url=https://games.slashdot.org/story/12/09/05/1716230/ubisoft-ditches-always-online-drm-requirement-from-pc-games |access-date=2026-03-27 |website=Slashdot}}</ref>.
Ubisoft has a long history of always-online DRM. In 2010, the company required a persistent internet connection to play ''Assassin's Creed II'' and ''Silent Hunter 5'' on PC. A denial-of-service attack on Ubisoft's authentication servers that March disrupted access to single-player games for legitimate buyers.<ref name="guardian-2010">{{Cite web |last=Johnson |first=Bobbie |title=Ubisoft apologises after attackers block games |url=https://www.theguardian.com/technology/2010/mar/09/ubisoft-drm |website=The Guardian |date=9 Mar 2010 |access-date=28 Mar 2026 |url-status=live |archive-url=https://web.archive.org/web/20150510142156/https://www.theguardian.com/technology/2010/mar/09/ubisoft-drm |archive-date=10 May 2015}}</ref> Ubisoft dropped the persistent connection requirement in 2011, replacing it with a one-time launch check.<ref name="gamedeveloper">{{Cite web |last=Parkin |first=Simon |title=Ubisoft Removes Constant Online Authentication DRM For PC Games |url=https://www.gamedeveloper.com/game-platforms/ubisoft-removes-constant-online-authentication-drm-for-pc-games |website=Game Developer |date=3 Jan 2011 |access-date=28 Mar 2026 |url-status=live |archive-url=https://web.archive.org/web/20260329011324/https://www.gamedeveloper.com/game-platforms/ubisoft-removes-constant-online-authentication-drm-for-pc-games |archive-date=29 Mar 2026}}</ref> In September 2012, Ubisoft's Chris Early confirmed the company would no longer use always-online DRM. 
"They're more inconvenient to our paying customers, so in listening to our players, we removed them," Early said in an interview.<ref name="slashdot-2012">{{Cite web |author=Soulskill |title=Ubisoft Ditches Always-Online DRM Requirement From PC Games |url=https://games.slashdot.org/story/12/09/05/1716230/ubisoft-ditches-always-online-drm-requirement-from-pc-games |website=Slashdot |date=5 Sep 2012 |access-date=28 Mar 2026 |url-status=live |archive-url=https://web.archive.org/web/20120911235034/https://games.slashdot.org/story/12/09/05/1716230/ubisoft-ditches-always-online-drm-requirement-from-pc-games |archive-date=11 Sep 2012}}</ref>


The company reversed that commitment with ''The Crew'' in 2014, which required a constant connection even for its single-player campaign. When Ubisoft shut down ''The Crew'' servers on 31 March 2024, the game became permanently unplayable<ref name="vgc-crew">{{Cite web |date=2024-08-20 |title=Ubisoft says players suing over The Crew shutdown shouldn't have expected to own the game forever |url=https://www.videogameschronicle.com/news/ubisoft-says-players-suing-over-the-crew-shutdown-shouldnt-have-expected-to-own-the-game-forever/ |access-date=2026-03-27 |website=VGC}}</ref>. The shutdown prompted the "Stop Killing Games" European Citizens' Initiative, which collected over 1.29 million verified signatures demanding laws that require publishers to leave games in a playable state<ref name="pcgamer-skg">{{Cite web |date=2025-06-04 |title=Stop Killing Games' EU initiative hits 1.4 million signatures |url=https://www.pcgamer.com/gaming-industry/game-development/stop-killing-games-eu-initiative-hits-1-4-million-signatures-and-if-at-least-1-million-are-valid-its-off-to-the-european-commission/ |access-date=2026-03-27 |website=PC Gamer}}</ref>.
A notable exception to this change in policy was ''The Crew'' (2014), which required a constant connection even for its single-player campaign. When Ubisoft shut down ''The Crew'' servers on 31 March 2024, [[Ubisoft#The_Crew_shutdown|the game became permanently unplayable]].<ref name="vgc-crew">{{Cite web |last=Middler |first=Jordan |title=Ubisoft says players suing over The Crew shutdown shouldn't have expected to own the game forever |url=https://www.videogameschronicle.com/news/ubisoft-says-players-suing-over-the-crew-shutdown-shouldnt-have-expected-to-own-the-game-forever/ |website=VGC |date=10 Apr 2025 |access-date=28 Mar 2026 |url-status=live |archive-url=https://web.archive.org/web/20250410094236/https://www.videogameschronicle.com/news/ubisoft-says-players-suing-over-the-crew-shutdown-shouldnt-have-expected-to-own-the-game-forever/ |archive-date=10 Apr 2025}}</ref> The shutdown prompted the "[[Stop Killing Games]]" European Citizens' Initiative, which demanded the implementation of laws that require publishers to leave games in a playable state.<ref name="pcgamer-skg">{{Cite web |last=Randall |first=Harvey |title=Stop Killing Games' EU initiative hits 1.4 million signatures |url=https://www.pcgamer.com/gaming-industry/game-development/stop-killing-games-eu-initiative-hits-1-4-million-signatures-and-if-at-least-1-million-are-valid-its-off-to-the-european-commission/ |website=PC Gamer |date=4 Jun 2025 |access-date=28 Mar 2026 |url-status=live |archive-url=https://web.archive.org/web/20250721164352/https://www.pcgamer.com/gaming-industry/game-development/stop-killing-games-eu-initiative-hits-1-4-million-signatures-and-if-at-least-1-million-are-valid-its-off-to-the-european-commission/ |archive-date=21 Jul 2025}}</ref>


== Network traffic analysis ==
==Network traffic analysis==
[[File:NOYB lawsuit.png|alt=NOYB's lawsuit with the 13 and 14 article. Relevant information are highlighted.|thumb|NOYB's complaint filing, with relevant GDPR articles highlighted.]]
[[File:NOYB lawsuit against Ubisoft.png|thumb|alt=NOYB's lawsuit with the 13 and 14 article. Relevant information are highlighted.|NOYB's complaint filing, with relevant GDPR articles highlighted.]]


On 13 September 2024, an Austrian user played ''Far Cry Primal'', a single-player game with no multiplayer features, purchased through Steam. The game refused to launch without an internet connection and a login to Ubisoft Connect<ref name="noyb-complaint" />.
On 13 September 2024, an Austrian user played ''Far Cry Primal'', a single-player game with no multiplayer features, purchased through [[Steam]]. The game refused to launch without an internet connection and a login to Ubisoft Connect.<ref name="noyb-complaint" />


The user captured network traffic during a 10-minute gameplay session. The packet capture revealed 150 unique DNS packages (queries and responses) and 56 requests to initiate connections between the user's computer and external servers<ref name="noyb-complaint" />. Recipients of the data included Google, Amazon, and Datadog, a US-based cloud analytics firm. Some data transfers were labeled "metrics" in the traffic headers. All transmissions were encrypted with TLS, so the exact contents were not visible to the user<ref name="noyb-complaint" />.
The user captured network traffic during a ten-minute gameplay session. The packet capture revealed 150 unique DNS packages (queries and responses) and 56 requests to initiate connections between the user's computer and external servers.<ref name="noyb-complaint" /> Recipients of the data included [[Google]], [[Amazon]], and [[Datadog]], a US-based cloud analytics firm. Some data transfers were labeled "metrics" in the traffic headers. All transmissions were encrypted with {{Wplink|Transport Layer Security|TLS}}, so the exact contents were not visible to the user.<ref name="noyb-complaint" />


The user then exercised their GDPR Article 15 right of access, forcing Ubisoft to disclose what data it held on them. The returned file (<code>uplay_traffic_data.csv</code>) confirmed that Ubisoft records the user's unique ID, the exact time they launched the game, the exact time they quit, and the total session duration<ref name="noyb-complaint" /><ref name="noyb-press" />.
The user then exercised their GDPR Article 15 right of access, forcing Ubisoft to disclose what data it held on them. The returned file (<code>uplay_traffic_data.csv</code>) confirmed that Ubisoft records the user's unique ID, the exact time they launched the game, the exact time they quit, and the total session duration.<ref name="noyb-complaint" /><ref name="noyb-press" />


Ubisoft's own EULA goes further. It states that collected data "may contain the following, without limitation: mobile device unique identity or other device identifiers and settings, carrier, operating system, localization information, date and time spent on the Product, game scores, game metrics and statistics, feature usage, advertising conversion rates, monetization rate, purchase history and other similar information"<ref name="noyb-complaint" />.
Ubisoft's own [[EULA]] goes further. It states that collected data "may contain the following, without limitation: mobile device unique identity or other device identifiers and settings, carrier, operating system, localization information, date and time spent on the Product, game scores, game metrics and statistics, feature usage, advertising conversion rates, monetization rate, purchase history and other similar information".<ref name="noyb-complaint" />


On 27 September 2024, the user contacted Ubisoft customer support. Ubisoft replied that the data sent at game launch is "an ownership check on our servers to validate that the player's account owns the game they're trying to launch" and linked to a help page about playing games offline<ref name="noyb-complaint" /><ref name="next-ink">{{Cite web |last=Laurent |first=Alexandre |date=2025-04-25 |title=Mandatory connection for single-player games: Ubisoft sued for non-compliance with the GDPR |url=https://next.ink/182331/connexion-obligatoire-pour-jeux-solo-ubisoft-poursuivi-pour-non-respect-du-rgpd/ |website=Next.ink |url-status=live |archive-url=https://web.archive.org/web/20250425100115/https://next.ink/182331/connexion-obligatoire-pour-jeux-solo-ubisoft-poursuivi-pour-non-respect-du-rgpd/ |archive-date=2025-04-25}}</ref>. Ubisoft did not explain why data was being sent to Google, Amazon, or Datadog, and did not address the ongoing data collection during gameplay<ref name="noyb-complaint" />.
On 27 September 2024, the user contacted Ubisoft customer support. Ubisoft replied that the data sent at game launch is "an ownership check on our servers to validate that the player's account owns the game they're trying to launch" and linked to a help page about playing games offline.<ref name="noyb-complaint" /><ref name="next-ink">{{Cite web |last=Lauren |first=Alexandre |title=Connexion obligatoire pour jeux solo : Ubisoft poursuivi pour non-respect du RGPD |trans-title=Mandatory connection for single-player games: Ubisoft sued for non-compliance with the GDPR |url=https://next.ink/182331/connexion-obligatoire-pour-jeux-solo-ubisoft-poursuivi-pour-non-respect-du-rgpd/ |website=Next.ink |date=25 Apr 2025 |access-date=28 Mar 2026 |url-status=live |archive-url=https://web.archive.org/web/20250425100115/https://next.ink/182331/connexion-obligatoire-pour-jeux-solo-ubisoft-poursuivi-pour-non-respect-du-rgpd/ |archive-date=25 Apr 2025 |lang=fr}}</ref> Ubisoft did not explain why data was being sent to Google, Amazon, or Datadog, and did not address the ongoing data collection during gameplay.<ref name="noyb-complaint" />
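
Review bot: the rewritten next-ink citation changes the author from |last=Laurent to |last=Lauren, and nothing else in the revision suggests this was intended. Check the byline on the Next.ink article and restore the earlier spelling if this was a slip made while reordering the template parameters.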


== NOYB complaint ==
==NOYB complaint==
On 24 April 2025, NOYB filed a complaint (Case C-098) with the Austrian Data Protection Authority (Datenschutzbehorde, DSB) on the user's behalf under GDPR Article 80(1).<ref name="noyb-complaint" /> The complaint targets Ubisoft Entertainment SA, headquartered at 28 Rue Armand Carrel, 93100 Montreuil, France.<ref name="noyb-complaint" />


On 24 April 2025, NOYB filed a complaint (Case C-098) with the Austrian Data Protection Authority (Datenschutzbehorde, DSB) on the user's behalf under GDPR Article 80(1)<ref name="noyb-complaint" />. The complaint targets Ubisoft Entertainment SA, headquartered at 28 Rue Armand Carrel, 93100 Montreuil, France<ref name="noyb-complaint" />.
NOYB alleges that Ubisoft violated GDPR Article 6(1) by processing personal data without a valid legal basis. The complaint makes three arguments against Ubisoft's "ownership verification" defense:<ref name="noyb-press" />


NOYB alleges that Ubisoft violated GDPR Article 6(1) by processing personal data without a valid legal basis. The complaint makes three arguments against Ubisoft's "ownership verification" defense<ref name="noyb-press" />:
* Steam already verifies game ownership at purchase and at first launch, making a second verification by Ubisoft redundant.<ref name="noyb-complaint" /><ref name="bitdefender">{{Cite web |last=Stahie |first=Silviu |title=Ubisoft Accused of Unlawfully Collecting Player Data in Single-Player Games |url=https://www.bitdefender.com/en-us/blog/hotforsecurity/ubisoft-unlawfully-collecting-data-far-cry |website=Bitdefender |date=28 Apr 2025 |access-date=28 Mar 2026 |url-status=live |archive-url=https://web.archive.org/web/20250430103430/https://www.bitdefender.com/en-us/blog/hotforsecurity/ubisoft-unlawfully-collecting-data-far-cry |archive-date=30 Apr 2025}}</ref>
* Ubisoft itself offers a hidden offline mode for some games. If the game can run offline, the online check can't be "necessary".<ref name="noyb-complaint" />
* Even if verification at launch were justified, it doesn't explain why data is collected continuously during gameplay and sent to third parties like Google and Datadog.<ref name="noyb-complaint" />


* Steam already verifies game ownership at purchase and at first launch, making a second verification by Ubisoft redundant<ref name="noyb-complaint" /><ref name="bitdefender">{{Cite web |date=2025-04-28 |title=Ubisoft Accused of Unlawfully Collecting Player Data in Single-Player Games |url=https://www.bitdefender.com/en-us/blog/hotforsecurity/ubisoft-unlawfully-collecting-data-far-cry |access-date=2026-03-27 |website=Bitdefender}}</ref>.
The complaint also cites Article 5(3) of the e-Privacy Directive (2002/58/EC), which requires user consent before accessing data from their device unless the access is strictly necessary to provide a service the user requested.<ref name="noyb-complaint" /> Since ''Far Cry Primal'' has no online features, the data collection does not meet this threshold.
* Ubisoft itself offers a hidden offline mode for some games. If the game can run offline, the online check can't be "necessary"<ref name="noyb-complaint" />.
* Even if verification at launch were justified, it doesn't explain why data is collected continuously during gameplay and sent to third parties like Google and Datadog<ref name="noyb-complaint" />.


The complaint also cites Article 5(3) of the e-Privacy Directive (2002/58/EC), which requires user consent before accessing data from their device unless the access is strictly necessary to provide a service the user requested<ref name="noyb-complaint" />. Since ''Far Cry Primal'' has no online features, the data collection doesn't meet this threshold.
NOYB requested that the DSB declare Ubisoft in violation of Article 6(1), order the deletion of all unlawfully processed personal data, ban the unauthorized data processing, and impose an administrative fine. Based on Ubisoft's annual revenue of over €2 billion, the maximum fine under GDPR Article 83 would be approximately €92 million.<ref name="noyb-press" /><ref name="register">{{Cite web |last=Vigliarolo |first=Brandon |title=Assassin's Creed maker faces GDPR complaint for forcing single-player gamers online |url=https://www.theregister.com/2025/04/24/ubisoft_noyb_complaint/ |website=The Register |date=24 Apr 2025 |access-date=28 Mar 2026 |url-status=live |archive-url=https://web.archive.org/web/20250424163205/https://www.theregister.com/2025/04/24/ubisoft_noyb_complaint/ |archive-date=24 Apr 2025}}</ref>
 
NOYB requested that the DSB declare Ubisoft in violation of Article 6(1), order the deletion of all unlawfully processed personal data, ban the unauthorized tracking, and impose an administrative fine. Based on Ubisoft's annual revenue of over €2 billion, the maximum fine under GDPR Article 83 would be approximately €92 million<ref name="noyb-press" /><ref name="register">{{Cite web |last=Vigliarolo |first=Brandon |date=2025-04-24 |title=Assassin's Creed maker faces GDPR complaint for forcing single-player gamers online |url=https://www.theregister.com/2025/04/24/ubisoft_noyb_complaint/ |access-date=2026-03-27 |website=The Register}}</ref>.


No public decision from the DSB had been reported as of early 2026.
No public decision from the DSB had been reported as of early 2026.


=== Ubisoft's response ===
===Ubisoft's response===
 
Ubisoft responded publicly on 29 April 2025:
Ubisoft responded publicly on 29 April 2025: "We are aware of the complaint and are looking into it. Ubisoft is committed to protecting players' personal data on our websites and games. For games that support offline modes, an Internet connection is required only at the initial launch."<ref name="eurogamer">{{Cite web |last=Phillips |first=Tom |date=2025-04-29 |title=Privacy firm files Ubisoft legal complaint over data collection, forced online in single-player games |url=https://www.eurogamer.net/privacy-firm-files-ubisoft-legal-complaint-over-data-collection-forced-online-in-single-player-games |access-date=2026-03-27 |website=Eurogamer}}</ref>
<blockquote>We are aware of the complaint and are looking into it. Ubisoft is committed to protecting players' personal data on our websites and games. For games that support offline modes, an Internet connection is required only at the initial launch.<ref name="eurogamer">{{Cite web |last=Phillips |first=Tom |title=Privacy firm files Ubisoft legal complaint over data collection, forced online in single-player games |url=https://www.eurogamer.net/privacy-firm-files-ubisoft-legal-complaint-over-data-collection-forced-online-in-single-player-games |website=Eurogamer |date=24 Apr 2025 |access-date=28 Mar 2026 |url-status=live |archive-url=https://web.archive.org/web/20250501145727/https://www.eurogamer.net/privacy-firm-files-ubisoft-legal-complaint-over-data-collection-forced-online-in-single-player-games |archive-date=1 May 2025}}</ref></blockquote>
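
Review bot: the Eurogamer citation inside the new blockquote is now dated 24 Apr 2025 (the previous revision had 2025-04-29), yet the sentence it supports says Ubisoft responded publicly on 29 April 2025. An article dated five days before the statement cannot source it as written, so confirm the publication or update date and make |date= and the prose agree.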


NOYB's response noted that the advertised offline mode did not work for the complainant, and that the network traffic analysis showed data collection during gameplay, not only at launch<ref name="register" />.
NOYB noted that the advertised offline mode did not work for the complainant, and that the network traffic analysis showed data collection over longer periods, not only at launch.<ref name="register" />


== References ==
==References==
{{Reflist}}


{{reflist}}
[[Category:Data collection]]
[[Category:Data collection]]
[[Category:Ubisoft]]
[[Category:Ubisoft]]
[[Category:Privacy]]
[[Category:Privacy]]

Latest revision as of 01:47, 29 March 2026

In September 2024, a player who purchased Far Cry Primal on Steam discovered that the game would not launch without logging into a Ubisoft account, despite the game having no online features. The player monitored network traffic during a ten-minute session and found 150 DNS queries and responses exchanged with external servers including Google, Amazon, and Datadog.[1] On 24 April 2025, NOYB filed a GDPR complaint with the Austrian Data Protection Authority on the player's behalf, alleging that Ubisoft collects personal data without a valid legal basis.[2]

Background


Ubisoft Connect (formerly Uplay) is Ubisoft's proprietary launcher and digital rights management (DRM) client. Even when a player buys a Ubisoft game through a third-party store like Steam, the game requires installation of Ubisoft Connect and an account login before it will start.[2] This applies even to titles with no multiplayer or online features.

Ubisoft has a long history of always-online DRM. In 2010, the company required a persistent internet connection to play Assassin's Creed II and Silent Hunter 5 on PC. A denial-of-service attack on Ubisoft's authentication servers that March disrupted access to single-player games for legitimate buyers.[3] Ubisoft dropped the persistent connection requirement in 2011, replacing it with a one-time launch check.[4] In September 2012, Ubisoft's Chris Early confirmed the company would no longer use always-online DRM. "They're more inconvenient to our paying customers, so in listening to our players, we removed them," Early said in an interview.[5]

A notable exception to this change in policy was The Crew (2014), which required a constant connection even for its single-player campaign. When Ubisoft shut down The Crew servers on 31 March 2024, the game became permanently unplayable.[6] The shutdown prompted the "Stop Killing Games" European Citizens' Initiative, which demanded the implementation of laws that require publishers to leave games in a playable state.[7]

Network traffic analysis

NOYB's complaint filing, with relevant GDPR articles highlighted.

On 13 September 2024, an Austrian user played Far Cry Primal, a single-player game with no multiplayer features, purchased through Steam. The game refused to launch without an internet connection and a login to Ubisoft Connect.[1]

The user captured network traffic during a ten-minute gameplay session. The packet capture revealed 150 unique DNS packets (queries and responses) and 56 requests to initiate connections between the user's computer and external servers.[1] Recipients of the data included Google, Amazon, and Datadog, a US-based cloud analytics firm. Some data transfers were labeled "metrics" in the traffic headers. All transmissions were encrypted with TLS, so the exact contents were not visible to the user.[1]
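
Counts of this kind come from packet metadata alone, which stays readable when the payload is TLS-encrypted. The Python sketch below is an added example (not code from the complaint, NOYB or this wiki): it tallies unique DNS messages and TCP connection attempts and labels each attempt with the name resolved for its address. The packets, addresses and host names are constructed, and treating "unique" as byte-identical de-duplication is an assumption.

```python
import socket
import struct
from collections import Counter

def read_name(msg, off):
    """Decode a DNS name at `off`; return (name, offset just past it)."""
    labels, end = [], None
    for _ in range(128):                           # bounded: stops pointer loops
        n = msg[off]
        if (n & 0xC0) == 0xC0:                     # compression pointer
            end = off + 2 if end is None else end
            off = ((n & 0x3F) << 8) | msg[off + 1]
            continue
        off += 1
        if n == 0:
            return ".".join(labels), (off if end is None else end)
        labels.append(msg[off:off + n].decode("ascii", "replace"))
        off += n
    raise ValueError("DNS name too long or compression loop")

def parse_dns(msg):
    """Return (is_response, question name, A-record IPs) for one DNS message."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    off, question, ips = 12, "", []
    for _ in range(qd):
        question, off = read_name(msg, off)
        off += 4                                   # skip QTYPE + QCLASS
    for _ in range(an):
        _owner, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 1 and rdlen == 4:              # A record
            ips.append(socket.inet_ntoa(msg[off + 10:off + 14]))
        off += 10 + rdlen
    return bool(flags & 0x8000), question, ips

def audit(packets):
    """Tally unique DNS messages and TCP connection attempts in raw IPv4 packets."""
    seen, ip_to_name, syn_ips = set(), {}, []
    stats = {"dns_unique": 0, "queries": 0, "responses": 0, "syn": 0}
    for pkt in packets:
        if len(pkt) < 20 or pkt[0] >> 4 != 4:
            continue                               # IPv4 only in this example
        l4 = pkt[(pkt[0] & 0x0F) * 4:]
        if pkt[9] == 17 and len(l4) >= 8:          # UDP
            payload = l4[8:]
            if 53 not in struct.unpack("!HH", l4[:4]) or payload in seen:
                continue                           # not DNS, or byte-identical repeat
            seen.add(payload)
            try:
                is_resp, name, ips = parse_dns(payload)
            except (IndexError, struct.error, ValueError, OSError):
                continue                           # truncated or malformed message
            stats["dns_unique"] += 1
            stats["responses" if is_resp else "queries"] += 1
            ip_to_name.update((ip, name) for ip in ips)
        elif pkt[9] == 6 and len(l4) >= 14:        # TCP
            if (l4[13] & 0x12) == 0x02:            # SYN set, ACK clear
                stats["syn"] += 1
                syn_ips.append(socket.inet_ntoa(pkt[16:20]))
    # Label each attempt with the name resolved for its address, if any.
    stats["syn_by_name"] = dict(Counter(ip_to_name.get(ip, ip) for ip in syn_ips))
    return stats

def ipv4(proto, src, dst, l4):
    """Constructed IPv4 packet; checksum left 0 because audit() ignores it."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + l4

def dns_udp(sport, dport, txid, name, answer_ip=None):
    """Constructed UDP datagram: an A query, or its answer when answer_ip is set."""
    q = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\0"
    msg = struct.pack("!6H", txid, 0x8180 if answer_ip else 0x0100, 1,
                      1 if answer_ip else 0, 0, 0) + q + struct.pack("!HH", 1, 1)
    if answer_ip:                                  # one A record, owner name compressed
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(answer_ip)
    return struct.pack("!4H", sport, dport, 8 + len(msg), 0) + msg

def tcp_seg(sport, dport, flags=0x02):             # constructed header; default SYN
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 65535, 0, 0)

def sample_capture():
    """Constructed capture: documentation-range IPs and made-up host names."""
    pc, ns, a, b = "192.0.2.10", "192.0.2.1", "198.51.100.7", "203.0.113.5"
    q1 = ipv4(17, pc, ns, dns_udp(50000, 53, 1, "metrics.vendor.example"))
    return [
        q1,
        ipv4(17, ns, pc, dns_udp(53, 50000, 1, "metrics.vendor.example", a)),
        q1,                                        # retransmission: not unique
        ipv4(17, pc, ns, dns_udp(50001, 53, 2, "auth.publisher.example")),
        ipv4(17, ns, pc, dns_udp(53, 50001, 2, "auth.publisher.example", b)),
        ipv4(6, pc, a, tcp_seg(50100, 443)),
        ipv4(6, a, pc, tcp_seg(443, 50100, 0x12)), # SYN-ACK reply: not an initiation
        ipv4(6, pc, a, tcp_seg(50101, 443)),
        ipv4(6, pc, b, tcp_seg(50102, 443)),
        ipv4(6, pc, "203.0.113.99", tcp_seg(50103, 443)),  # never seen in DNS
    ]

if __name__ == "__main__":
    print(audit(sample_capture()))
```

An address that was never resolved in the capture stays listed by IP, which is itself worth noting when reviewing an application's outbound traffic.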

The user then exercised their GDPR Article 15 right of access, forcing Ubisoft to disclose what data it held on them. The returned file (uplay_traffic_data.csv) confirmed that Ubisoft records the user's unique ID, the exact time they launched the game, the exact time they quit, and the total session duration.[1][2]

Ubisoft's own EULA goes further. It states that collected data "may contain the following, without limitation: mobile device unique identity or other device identifiers and settings, carrier, operating system, localization information, date and time spent on the Product, game scores, game metrics and statistics, feature usage, advertising conversion rates, monetization rate, purchase history and other similar information".[1]

On 27 September 2024, the user contacted Ubisoft customer support. Ubisoft replied that the data sent at game launch is "an ownership check on our servers to validate that the player's account owns the game they're trying to launch" and linked to a help page about playing games offline.[1][8] Ubisoft did not explain why data was being sent to Google, Amazon, or Datadog, and did not address the ongoing data collection during gameplay.[1]

NOYB complaint


On 24 April 2025, NOYB filed a complaint (Case C-098) with the Austrian Data Protection Authority (Datenschutzbehörde, DSB) on the user's behalf under GDPR Article 80(1).[1] The complaint targets Ubisoft Entertainment SA, headquartered at 28 Rue Armand Carrel, 93100 Montreuil, France.[1]

NOYB alleges that Ubisoft violated GDPR Article 6(1) by processing personal data without a valid legal basis. The complaint makes three arguments against Ubisoft's "ownership verification" defense:[2]

  • Steam already verifies game ownership at purchase and at first launch, making a second verification by Ubisoft redundant.[1][9]
  • Ubisoft itself offers a hidden offline mode for some games. If the game can run offline, the online check can't be "necessary".[1]
  • Even if verification at launch were justified, it doesn't explain why data is collected continuously during gameplay and sent to third parties like Google and Datadog.[1]

The complaint also cites Article 5(3) of the e-Privacy Directive (2002/58/EC), which requires user consent before accessing data from their device unless the access is strictly necessary to provide a service the user requested.[1] Since Far Cry Primal has no online features, the data collection does not meet this threshold.

NOYB requested that the DSB declare Ubisoft in violation of Article 6(1), order the deletion of all unlawfully processed personal data, ban the unauthorized data processing, and impose an administrative fine. Based on Ubisoft's annual revenue of over €2 billion, the maximum fine under GDPR Article 83 would be approximately €92 million.[2][10]

No public decision from the DSB had been reported as of early 2026.

Ubisoft's response


Ubisoft responded publicly on 29 April 2025:

We are aware of the complaint and are looking into it. Ubisoft is committed to protecting players' personal data on our websites and games. For games that support offline modes, an Internet connection is required only at the initial launch.[11]

NOYB noted that the advertised offline mode did not work for the complainant, and that the network traffic analysis showed data collection over longer periods, not only at launch.[10]

References

  1. NOYB (24 Apr 2025). "Complaint against Ubisoft: Article 6 GDPR (Case C-098)" (PDF). noyb.eu. Archived (PDF) from the original on 24 Apr 2025. Retrieved 27 Mar 2026.
  2. NOYB (24 Apr 2025). "Like to play alone? Ubisoft is still watching you!". noyb.eu. Archived from the original on 24 Apr 2025. Retrieved 27 Mar 2026.
  3. Johnson, Bobbie (9 Mar 2010). "Ubisoft apologises after attackers block games". The Guardian. Archived from the original on 10 May 2015. Retrieved 28 Mar 2026.
  4. Parkin, Simon (3 Jan 2011). "Ubisoft Removes Constant Online Authentication DRM For PC Games". Game Developer. Archived from the original on 29 Mar 2026. Retrieved 28 Mar 2026.
  5. Soulskill (5 Sep 2012). "Ubisoft Ditches Always-Online DRM Requirement From PC Games". Slashdot. Archived from the original on 11 Sep 2012. Retrieved 28 Mar 2026.
  6. Middler, Jordan (10 Apr 2025). "Ubisoft says players suing over The Crew shutdown shouldn't have expected to own the game forever". VGC. Archived from the original on 10 Apr 2025. Retrieved 28 Mar 2026.
  7. Randall, Harvey (4 Jun 2025). "Stop Killing Games' EU initiative hits 1.4 million signatures". PC Gamer. Archived from the original on 21 Jul 2025. Retrieved 28 Mar 2026.
  8. Lauren, Alexandre (25 Apr 2025). "Connexion obligatoire pour jeux solo : Ubisoft poursuivi pour non-respect du RGPD" [Mandatory connection for single-player games: Ubisoft sued for non-compliance with the GDPR]. Next.ink (in French). Archived from the original on 25 Apr 2025. Retrieved 28 Mar 2026.
  9. Stahie, Silviu (28 Apr 2025). "Ubisoft Accused of Unlawfully Collecting Player Data in Single-Player Games". Bitdefender. Archived from the original on 30 Apr 2025. Retrieved 28 Mar 2026.
  10. Vigliarolo, Brandon (24 Apr 2025). "Assassin's Creed maker faces GDPR complaint for forcing single-player gamers online". The Register. Archived from the original on 24 Apr 2025. Retrieved 28 Mar 2026.
  11. Phillips, Tom (24 Apr 2025). "Privacy firm files Ubisoft legal complaint over data collection, forced online in single-player games". Eurogamer. Archived from the original on 1 May 2025. Retrieved 28 Mar 2026.