The Spanish and Belgian DPAs promote good data protection practices for the video game sector

• The collaboration between the Spanish and Belgian data protection authorities stems from the need to address the needs of a sector with over 3 billion users worldwide and which uses disruptive technologies
• The document analyses the most common personal data processing activities in video games, identifies the threats and risks involved, and offers recommendations and best practices
• The information collected in these gaming environments could be used to identify individual players, enabling specific actions or interactions and differentiated treatment, as well as processing personal data to analyse or predict behaviour

The recommendations are specifically aimed at professionals and organisations involved in this ecosystem (developers, studios, publishers, etc.), at the companies that provide services to them (cloud providers, analytics tools, anti-cheat systems, AI providers, etc.) and at the legal teams working in the sector.

The collaboration between the Spanish authority (AEPD) and the Belgian Authority stems from the need to address the needs of a sector with over 3000 million users worldwide, which utilises disruptive technologies such as cloud gaming and Artificial Intelligence. At the same time, 95% of games sales take place online, which drives the growth of platforms and services and fosters the development of new business models, such as those based on subscriptions or digital marketing.

In these online environments, stakeholders in the video games industry may process massive amounts of personal data that go beyond names or email addresses, such as telemetry and behavioural inferences. In fact, the types of information collected make it possible to single out an individual player from others within the context of the game, enabling specific actions or interactions and differentiated treatment.

Furthermore, automated decision-making and profiling involve processing personal data to analyse or predict behaviour and act automatically without human intervention.

The document is based on evidence gathered through static analyses (of privacy policies, terms and conditions of service, contracts and SLAs) and dynamic analyses (of real-world execution in online gaming environments, SDKs, launchers, etc.) of current video games. It stands out for its in-depth examination of specific technical and operational aspects of this sector. It analyses the most common personal data processing activities in video games, identifies the threats and risks they entail, and offers recommendations and best practices for each phase of the video game lifecycle and for each stakeholder in the ecosystem (in this case, through checklists in the annexes to the document).

These recommendations serve as a practical tool that adapts the GDPR to the sector's technical language, avoiding generic interpretations. It finds the balance between compliance and competitiveness, as it enables all stakeholders in this ecosystem to innovate without jeopardising the rights and freedoms of users.