Do Son 
The European data protection advocacy group noyb has filed a formal complaint against Ubisoft in Austria—not over a bug or an in-game purchase, but over the company’s requirement for a constant internet connection to launch single-player games. The trigger for this legal action was an investigation into Far Cry Primal, a game devoid of any online functionality, yet still mandating internet access to start.
The complaint was submitted under Article 6(1) of the GDPR, which mandates that companies collect only data necessary for the service, and only with the user’s informed consent. According to noyb’s legal counsel, Ubisoft violates this principle by forcing players to connect to the internet even when launching entirely offline titles.
One user, cited in the complaint, discovered that Far Cry Primal initiated 150 unique DNS requests within just ten minutes of startup. An analysis of the network traffic revealed that the data was transmitted not only to Ubisoft’s own servers, but also to those operated by Amazon, Google, and the U.S.-based analytics firm Datadog. The contents of the data could not be decrypted—all transmissions were encrypted. Crucially, the player had never consented to this form of monitoring, rendering the data collection legally dubious. This practice appears to be widespread across Ubisoft’s single-player titles, including well-known franchises such as Assassin’s Creed and Prince of Persia.
Ubisoft has claimed that an offline mode exists, but the instructions provided to users were virtually useless. According to noyb, even the experienced IT professional who filed the complaint was unable to launch the game without an internet connection. This, the group argues, indicates either a non-functional offline mode or an unreasonably complex activation process.
Ubisoft maintains that the internet requirement is solely for verifying game ownership. However, the company also acknowledges in its user agreement and privacy policy that it employs third-party analytics services to monitor player behavior, collect gameplay and network data, and transmit that information to its servers.
From noyb’s perspective, such data processing cannot be deemed essential and thus violates Article 6(1) of the GDPR. Ownership is already verified through the purchase on Steam, and the existence of a hidden offline mode demonstrates that an internet connection is not a technical necessity. If Ubisoft were genuinely committed to improving the gaming experience, it could instead request user consent directly or offer players the option to submit voluntary bug reports.
Should the violation be upheld, Ubisoft could face a fine of up to €92 million—equivalent to 4% of its annual revenue, which exceeds €2 billion. Noyb also notes that this may be only the first of many complaints targeting game publishers, as GDPR regulations require each case to be filed on behalf of an individual user whose rights have been infringed. Thus, legal action must proceed case by case.
