Few sectors are as financially and technologically dynamic as the video games industry. Recently, however, similar dynamism has unfolded in the legal regulation that affects the development, the distribution, and – particularly in the case of live service games – the continuous operation of video games and gaming hardware. Skilfully navigating the legal framework is thus becoming increasingly important for the commercial success and sometimes even the critical acclaim of a game.
In this article, we provide an overview of important legal trends facing the video games industry.
„Hey! Listen!“ – Video games and data protection
It is almost impossible to play video games anonymously. Players are easily identifiable by their account with an online game store, with a console manufacturer or with the game publisher, which triggers the applicability of the General Data Protection Regulation (GDPR) if they are in the EU.
With online games in particular, the gaming experience requires the processing of large amounts of the player’s personal data and the sharing of this data with other players – possibly all over the world. However, personal data such as name, (IP) address, contact data, payment data and, of course, data on the use of the game are processed not only to provide the game, but often also serves as the basis for taking measures against cheating and other misuse, improving the game (experience), and/or for advertising (more on advertising in section 2). This often involves several entities working together, from publishers and their service providers to advertising networks, and can require the conclusion of complex data protection contracts.
Gaming experiences are also becoming increasingly individualised and social, meaning that the data collected about players is becoming more and more sensitive – from individual ‘skin’ combinations and communication data that players exchange with each other in game to virtual avatars. Providing transparent information about this in a way that is appropriate for the target group – as data protection law requires – is a challenge, especially with an international player base of different ages. The fact that the gaming experience is increasingly shared publicly via social media or streaming platforms means that players often become personally identifiable even when using pseudonyms (e.g. tags or handles), making data protection law increasingly applicable.
Compliance with data protection requirements is therefore affecting more and more entities in the game industry, from developers to successful Let’s Players. And as data protection supervisory authorities’ expertise increases (and presumably, more digital natives enter staff positions there), the risk of supervisory measures is also increasing. For example, in December 2023, the Spanish data protection supervisory authority imposed a fine of EUR 90,000 on a Chinese company for violating the principles of data minimisation and data security in connection with volunteer moderation of an online video game forum.
„This is my favourite store on the Citadel.“ – Marketing and commercialisation
Free-to-play games can often only be made profitable through microtransactions or, like other free online offerings, through advertising. Personalised advertising is generally much more profitable than non-personalised advertising, with tracking and retargeting technologies playing a major role. Their use typically requires special care under data protection law, in particular when it comes to obtaining consent. Video game providers pursuing such a business strategy should pay special attention to the currently ongoing debate of the “pay or okay model”, which EU supervisory authorities are arguing does not comply with data protection law. According to the European Data Protection Board, if users only have the choice of paying for a game or consenting to the processing of their data, then in most cases, there is no effective consent due to a lack of real choice. However, whether this is the case must always be assessed on a case-by-case basis.
„Nothing is true, everything is permitted.“ – Video games as intermediary services under the Digital Services Act
The Digital Services Act (“DSA”), which came into force on 17 February 2024, is intended to ban hate speech and other illegal content from online platforms and other intermediary services and to this end obliges the providers of such services to take extensive transparency and moderation measures under threat of significant fines and claims for damages. The German supervisory authority competent for enforcing the DSA started its work in May 2024.
Unfortunately, it is not uncommon to encounter hate and hate speech in online chats and lobbies in video games. Providers of online games should therefore carefully examine the extent to which their games fall within the scope of the DSA because they offer their users a place for the (public) exchange of information. Content moderation is not new to many of these providers, but the legal compliance framework of the DSA will in many cases require adjustments to moderation systems and general terms and conditions.
Especially if a game that is categorised as an intermediary service under the DSA is aimed at minors, providers must implement specific measures to protect them. The European Commission is currently conducting a consultation process on the details. In any case, manipulative designs in the user interface (so-called ‘dark patterns’) must be avoided and certain advertising restrictions must be adhered to.
„Wanting something does not give you the right to have it." – The use of AI in video game development
Developers can use generative AI to create artificial images and graphics, write dialogue and develop software code. It is also possible to use live-generated content to create a customised gaming experience for each player. However, developers should be aware of the legal risks associated with the use of generative AI.
- AI-generated content is generally not protected by copyright due to a lack of personal intellectual creation (section 2(2) German Copyright Act (Urheberrechtsgesetz – “UrhG”)) and can possibly therefore be used by third parties without a licence. However, developers can obtain copyrights to the AI-generated content through sufficient editing and alteration if, in doing so, they render their own creative work. Furthermore, content can be protected by copyright if developers use generative AI as a mere tool with which to create content and the AI has hardly any room for manoeuvre of its own. Developers should therefore only use unedited AI-generated content for secondary game content and particularly ensure that important characters and settings have copyright protection.
- Furthermore, AI-generated content may infringe third-party copyrights, representing a considerable liability risk for developers. For example, Valve temporarily refused to distribute games with AI-generated content via Steam due to incalculable liability risks. Valve has since relaxed this policy, but requires developers to disclose whether they use AI-generated content and what protective measures they have taken against copyright infringements, among other things. Developers should therefore carefully document whether and how AI-generated content is used. They should also check whether protective measures to prevent copyright infringements, such as output control, have been implemented by the respective AI system provider. It can also be helpful to use your own plagiarism detection software to check the generated content.
- Confidential content, such as story or plot details, may constitute trade secrets (section 2, no. 1 German Trade Secrets Act – Geschäftsgeheimnisgesetz). If developers feed such information into AI systems before the release of a new game, they risk content being displayed to other users – for example when using similar prompts – if the AI system learns from the respective inputs. The leaked information may then no longer qualify as a trade secret. Developers should therefore ensure that trade secrets are adequately protected. Internal compliance guidelines that specify which information may be fed into external AI systems can help here. In addition, many AI providers now offer not to use input data, including confidential information, for AI training purposes (known as zero retention).
„Everything not saved will be lost.“ – Is the Verwertungsgesellschaft für Games (VHG) set to become a GEMA for games?
When video games are streamed live or on demand to the online community, this is usually done without a licence. Most publishers tolerate the streaming of their games due to the positive advertising effect. However, players also record their own Let’s Plays and take screenshots of games for private purposes. These reproductions, which are not made with the intention of generating income, are generally permitted under copyright law as a copy for private use in accordance with section 53 UrhG. To date, in these cases, no claims for appropriate remuneration under section 54 UrhG have been asserted against manufacturers of devices or storage media used to make such reproductions. However, in order to effectively enforce such remuneration claims, the German Games Industry Association founded the Verwertungsgesellschaft für die Hersteller von Games (VHG) in May 2023. Developers and publishers of video games will be able to grant the VHG the right to enforce such claims on their behalf through a licence agreement. However, it remains to be seen whether the German Patent and Trade Mark Office (Deutsche Patent- und Markenamt) will grant the necessary authorisation. Those affected should follow the further development of the VHG closely.
„It’s dangerous to go alone! Take this.“ – Future regulation under the Data Act, Cyber Resilience Act, and AI Act
- The Data Act, which will apply from September 2025, is particularly relevant for manufacturers, sellers and providers of connected devices and related services. In the video games industry, this may amongother things include gaming consoles, VR goggles and other gaming hardware that generates data (which does not have to be personal data) when used. Under the Data Act, the user is entitled to access (and grant access to third parties) and use the resulting data, while the data holder may only use non-personal data under a licence that they must obtain from the user. While that may pose a threat to manufacturers’ data sovereignty, it also represents an opportunity for aftermarket providers to develop accessories and complementary or even competing services. Furthermore, the Data Act provides for new information obligations and regulations for the content of data contracts (see our detailed Q&A). Here, too, infringements could result in fines and claims for damages in the future.
- The Cyber Resilience Act, which was passed at the beginning of 2024, aims to establish a uniform Europe-wide cybersecurity standard for ‘products with digital elements’ for the first time. No later than three years after the regulation comes into force, all data processing products must bear a CE mark to indicate that they comply with the new standard. Manufacturers of such products, which include both software and hardware products (in the video games industry, this means both games themselves and end devices such as consoles, VR goggles and controllers), are subject to various obligations in terms of design, development and maintenance. The scope of these obligations essentially depends on a risk assessment that the manufacturer must carry out and document. The obligation to keep the risk assessment up to date and the cybersecurity measures appropriate (vulnerability management) throughout the entire life cycle of the product or for at least five years can be particularly burdensome for developers and manufacturers. The reporting obligations for cybersecurity incidents, which stipulate very short deadlines of 24 hours for initial reports, also harbour compliance risks. Similar obligations apply to the ‘importers’ of digital products, i.e. importers who place products with digital elements from non-European companies on the EU market. They must also ensure that the products they import comply with the security standards of the Cyber Resilience Act.
- Beyond the use cases for generative AI in video games outlined above (under section 4), other AI-supported applications are already commonplace in many video games, particularly in anti-cheating mechanisms. The AI Act, which came into force on 1 August 2024, contains regulations concerning the development and use of AI systems, which now become applicable at staggered intervals of several months. Its focus is particularly on the transparent and non-discriminatory use of AI systems. However, it also covers the correct handling of risks that arise specifically from AI applications and a ban on AI practices that harbour unacceptable risks. As with the other EU regulations described above, the recurring theme here is that violations could result in severe fines.
- These forthcoming regulations underline the need for all companies in the video games industry to keep abreast of the latest legal developments and to adapt to the legal environment early and strategically to both exploit opportunities and minimise risks.
Comment on quotes: The quotes given in the article are taken from the following sources:
Headline: Tav in Baldur’s Gate 3 von Larian Studios, https://www.zleague.gg/theportal/unveiling-baldurs-gate-3-easter-eggs-a-closer-look/;
Subheadline 1: Navi in Ocarania of Time von Nintendo, https://www.gamesradar.com/hey-listen-shigeru-miyamoto-didnt-like-navi-from-ocarina-of-time-either/;
Subheadline 2: Commander Shepard in Mass Effect 2 von Bioware, https://knowyourmeme.com/memes/im-commander-shepard;
Subheadline 3: Aus dem Credo der Assassinen in Assassin’s Creed von Ubisoft, https://assassinscreed.fandom.com/wiki/The_Creed;
Subheadline 4: Ezio Auditore in Assassin‘s Creed 2, https://screenrant.com/assassins-creed-ezio-best-quotes/;
Subheadline 5: Nintendo „Quit screen“-Nachricht, https://www.eurogamer.net/everything-not-saved-will-be-lost;
Subheadline 6: Dialog aus The Legend of Zelda, https://en.wikipedia.org/wiki/It%27s_dangerous_to_go_alone
Forward