
Game on for privacy: Spanish and Belgian DPAs set best practices for the video game industry


The Spanish and Belgian Data Protection Authorities (DPAs) have jointly published Recommendations and Best Practices for Data Protection in Video Games (the “Guidelines”). This is the first coordinated, sector-specific GDPR guidance for the gaming industry. The timing is anything but a coincidence. The Guidelines arrive as regulators across the EU sharpen their focus on dark patterns, children's online safety (even though minors are no longer the main audience of video games) and intensive behavioural profiling. All of these issues converge in the video game space.

Rather than treating the entire industry as a single block, the Guidelines take a comprehensive approach: they identify five distinct ecosystem roles (hardware suppliers, creators/designers/developers, development technology providers, publishers and storefronts) and tailor their recommendations across three lifecycle phases (pre-production & production, release and post-production). This role/phase matrix, combined with an analysis of general GDPR risks, threats and obligations, results in a detailed and practical document, which concludes with almost 40 pages of checklists organised by role and obligation.

Framing video games for the purposes of the Guidelines and beyond

The Guidelines start by defining video games (a task that appears simple but has become increasingly complex over the years) as an interactive digital experience in which one or more players engage with virtual environments through a system of game rules, objectives and feedback, primarily used for entertainment, even where they are also used in educational or training contexts.

They further describe different types of video games (online/offline, cloud, VR/AR, free-to-play, freemium, and others), noting that free-to-play models encompass microtransactions, in-game advertising and other monetisation methods. A key takeaway is: “the more a game is, for example, online, cloud-based, personalised, or monetised through ads and microtransactions, the higher the risk for data protection”.

Data processed within the video game environment & main risks

The categories of data processed in the context of video games are very broad. The Guidelines highlight the continuous linkability of the information and the reliance on pseudo-identifiers (including cross-game tracking through unique nicknames or individuals’ unique characteristics). Three broad categories of data (each further subdivided in the Guidelines) are identified: (i) account creation and management data; (ii) gameplay monitoring (telemetry, of which players are frequently unaware); and (iii) behavioural inference.

The Guidelines identify the principal risks and threats arising in the video game context. Notably:

  • Linkability: associating different data items or data subjects’ actions to learn more about the data subject or their group.
  • Identification and doxing: one of the actors of the video game ecosystem learning the identity of a data subject, directly or indirectly. Doxing is essentially the public release of private information about a person that is typically intended to be kept confidential.
  • Inaccuracy: this risk appears to be particularly relevant for age verification and anti-cheat systems, where inaccurate data collected via telemetry or behavioural inferences can lead to unfair outcomes.
  • Non-repudiation: continuous and persistent tracking, logging and retention of users’ data may create an irrefutable evidential trail.
  • Deception: reliance on deceptive design and dark patterns to trick players into decisions they would otherwise avoid [1].
  • Threats to children and other vulnerable players: these risks become even clearer in free-to-play (F2P) models and microtransactions. Moreover, concerns around monetisation include the risk of addictive behaviours and overspending. Children, especially young ones, are vulnerable in this regard. Deceptive design can exploit these vulnerabilities, for example by creating the impression that players who do not make in-game purchases will lose access to exclusive content or gameplay advantages.

Key recommendations: A lifecycle approach

The Guidelines are structured around the three phases of a game's life, ensuring that compliance is not treated as a last-minute add-on but embedded from concept to end-of-life.

  1. Pre-production. Every actor must pass a "GDPR role gate", determining controller, joint controller, or processor status for each processing activity (multiple examples are provided in a question-answer format, and joint controllership is not uncommon in this sector). Primary responsibility to comply with GDPR falls on controllers, and the Guidelines explore their main obligations.

The Guidelines favour local-first processing, keeping telemetry device-bound and transmitting only aggregated results to servers. The authorities also flag the “Russian dolls” problem (i.e. nested SDK chains that create opaque processor layers) and recommend integrating privacy into narrative and social design. Mods also receive specific attention.

Central to this phase is the analysis of deceptive and addictive design patterns. The authorities are clear that privacy by design extends beyond backend architecture and consent banners. It reaches into the game mechanics themselves. The Guidelines expressly flag manipulative consent flows, loot boxes triggered by player frustration, nudges that exploit spending vulnerabilities, and monetisation strategies built on behavioural inferences like churn risk or “whale propensity”. When addressing minors, the Guidelines establish that, unless a game is clearly and demonstrably aimed exclusively at adults, industry actors should assume children may be present and games should be designed accordingly.

  2. Release. The GDPR role gate remains the first step. Transparency must be embedded in the player experience, not buried in legal text. The Guidelines propose PEGI-style "privacy labels" at the point of decision. Consent must be granular, with "Reject All" as prominent as "Accept". Purpose creep is also singled out: telemetry collected for debugging must not silently migrate into monetisation without an appropriate legal basis. Data subject rights must live inside the game, not on external web forms. The right of access, for instance, should cover not only the personal data stored but also the inferences derived from it. As for the right to erasure, controllers should clearly inform players of the consequences of deletion (e.g., loss of progress, in-game purchases, or social connections) before processing the request.
  3. Post-production and end-of-life. After revisiting the GDPR role gate, the Guidelines state that controllers should conduct periodic reviews, rotate logs, and retire unnecessary telemetry fields. When a game sunsets, data must be purged, inferences anonymised, and players notified before shutdown.
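To make the design guidance in the pre-production, release and end-of-life items concrete (local-first processing with only aggregates leaving the device, purpose-bound use of telemetry so that debugging data cannot silently feed monetisation, and purging at sunset), the following is an added Python illustration. It is not code from the Guidelines or from any studio: the purposes, the legal-basis table, the event kinds and the sample events are all assumptions constructed for this example.

```python
"""Purpose-bound, local-first telemetry: an added illustration, not code from the
Guidelines. Raw events stay on the device; only purpose-tagged aggregates leave it;
the server refuses non-aggregate payloads, answers queries per purpose only, and
can retire a purpose's data at sunset."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed table (not from the Guidelines): which legal basis a studio has decided
# can support each purpose.
ALLOWED_BASES = {
    "debugging": {"legitimate_interest"},
    "monetisation": {"consent"},
}


class PurposeViolation(ValueError):
    """Raised when data is used for a purpose it was not collected for."""


@dataclass(frozen=True)
class Event:
    kind: str                    # e.g. "crash", "shop_opened" (constructed names)
    purpose: str                 # purpose the event is collected for
    context: Dict[str, object]   # raw detail (player id, level, ...): device-only


class DeviceTelemetry:
    """Device-side buffer: keeps raw events local and emits aggregates only."""

    def __init__(self, granted: Dict[str, str]):
        self.granted = granted           # purpose -> legal basis established for this player
        self._buffer: List[Event] = []

    def record(self, event: Event) -> bool:
        basis = self.granted.get(event.purpose)
        if basis not in ALLOWED_BASES.get(event.purpose, set()):
            return False                 # no valid basis: drop the event, do not buffer it
        self._buffer.append(event)
        return True

    def flush(self) -> List[dict]:
        """One aggregate report per purpose; raw events and their context are discarded."""
        reports = []
        for purpose in sorted({e.purpose for e in self._buffer}):
            counts = Counter(e.kind for e in self._buffer if e.purpose == purpose)
            reports.append({"purpose": purpose, "basis": self.granted[purpose],
                            "counts": dict(counts)})
        self._buffer.clear()
        return reports


class ServerStore:
    """Server side: accepts purpose-tagged aggregates only, answers per purpose."""

    AGGREGATE_KEYS = {"purpose", "basis", "counts"}

    def __init__(self) -> None:
        self._reports: List[dict] = []

    def ingest(self, report: dict) -> None:
        # Anything beyond purpose/basis/counts (e.g. a player id) is rejected outright.
        if set(report) != self.AGGREGATE_KEYS or not all(
                isinstance(v, int) for v in report["counts"].values()):
            raise PurposeViolation("only purpose-tagged aggregate counts are accepted")
        if report["basis"] not in ALLOWED_BASES.get(report["purpose"], set()):
            raise PurposeViolation(f"no valid legal basis for {report['purpose']!r}")
        self._reports.append(report)

    def query(self, purpose: str) -> Dict[str, int]:
        """Only reports collected for `purpose` feed the answer, so debugging
        aggregates never become monetisation input by accident."""
        total: Counter = Counter()
        for r in self._reports:
            if r["purpose"] == purpose:
                total.update(r["counts"])
        return dict(total)

    def repurpose(self, report: dict, new_purpose: str, new_basis: str) -> dict:
        """Explicit, auditable re-tagging; fails unless a valid basis for the new
        purpose is supplied."""
        if new_basis not in ALLOWED_BASES.get(new_purpose, set()):
            raise PurposeViolation(f"{new_basis!r} does not support {new_purpose!r}")
        copy = dict(report, purpose=new_purpose, basis=new_basis)
        self._reports.append(copy)
        return copy

    def sunset(self, purpose: Optional[str] = None) -> int:
        """Retire one purpose's aggregates, or everything at end-of-life; returns
        the number of reports removed."""
        before = len(self._reports)
        self._reports = [r for r in self._reports
                         if purpose is not None and r["purpose"] != purpose]
        return before - len(self._reports)


def demo() -> Dict[str, Dict[str, int]]:
    """Constructed sample: the player has not consented to monetisation tracking;
    debugging rests on legitimate interest."""
    device = DeviceTelemetry(granted={"debugging": "legitimate_interest"})
    device.record(Event("crash", "debugging", {"player_id": "p-123", "level": 7}))
    device.record(Event("crash", "debugging", {"player_id": "p-123", "level": 9}))
    device.record(Event("shop_opened", "monetisation", {"player_id": "p-123"}))  # dropped
    server = ServerStore()
    for report in device.flush():
        server.ingest(report)
    return {"debugging": server.query("debugging"),
            "monetisation": server.query("monetisation")}


if __name__ == "__main__":
    print(demo())
```

The point of the design is that purpose is a property carried with the data from the moment of collection, not a label applied later: the device drops events that have no legal basis, the server only ever sees counts, a query for one purpose cannot read another purpose's data, and reuse is only possible through an explicit call that itself checks the legal basis.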

Across all roles and lifecycle phases, the Guidelines return to a set of cross-cutting themes: allocating data protection responsibilities, embedding privacy by design from the earliest stages, guarding against purpose creep, ensuring meaningful transparency, and exercising particular caution around high-risk activities – notably monetisation-driven profiling, and protection of minors’ data (quite a hot topic nowadays).

Conclusion & looking ahead

Although these Guidelines are not legally binding, their joint publication by two supervisory authorities shows an appetite for sector-specific enforcement. Companies operating across the EU may treat this document as a de facto compliance benchmark, especially considering the AEPD's track record in issuing substantial fines and the Belgian authority's active role in cross-border enforcement.

The message appears clear: the era of treating video games as a regulatory afterthought is over. Privacy is now (and should have always been) a core design parameter and the clock is ticking for every player in the ecosystem. Nobody wants to face a privacy “game over”.

Authored by Joanna Rozanska, Santiago de Ampuero, and Hélène Boland.

References

[1] The Guidelines provide several examples of this, including encouraging microtransactions, loot boxes, or pay-to-win mechanisms (increasing the pressure to spend money during gameplay).
