
Bethesda Circumventing GDPR by Sharing Bethesda Account Info by Default to Push Zenimax Ads

Delicieuxz

 

Bethesda Circumventing Data Protection to Push Zenimax Ads

 

Quote

Bethesda may well have breached General Data Protection Regulation with the way they've been pushing ads for Zenimax products (who Bethesda operates under) through the use of the Bethesda Account creation process.

 

As you surely know by now, modern Bethesda games such as Fallout 76 and, potentially, Rage 2, do not use Steam, but Bethesda.net, and this means the creation of new user accounts for buyers. Turns out, Bethesda has been pushing ads for other Zenimax products in a particularly underhanded way.

 

According to a recent Reddit post, a user has noticed that upon the creation of a brand new Bethesda.net account, users automatically opt into seeing Zenimax-related ads on other websites, which is a major no-no according to GDPR, and is moderately worrying even without it.

 

[Image: Bethesda EU account page screenshot]

 

...

 

In accordance with GDPR (which is only valid in the areas of the European Union) such aggressive advertising techniques ought to be opt-in, with them disabled by default. For a concrete example of companies acting according to GDPR, look no further than Steam, where all newly-created user accounts are set to private. It is only afterwards that users have the option to deliberately make their data public.

 

Here's the reddit discussion that the picture originates from.

 

 

If companies see each other ignoring the rules of Europe's GDPR and suffering no consequences for it, then they'll all get into the habit of doing it and the GDPR rules will be worthless. And being so early into GDPR it's important to make sure the set standard is being adhered to. California's Consumer Privacy Act, which is set to take effect on January 1st 2020, will also require opting-in for any data to be both collected and shared. If companies don't follow the rules of GDPR, what will happen with incoming and future consumer privacy and data rights legislation?

 

Also, while the Bethesda data-sharing setting only mentions sharing the account email address I guess with advertising companies, it doesn't mention which other data is associated with the email address that I expect must also be shared in order for targeted advertising on other websites to work. From what I understand, GDPR requires that companies inform users of the specific types of data of theirs that they wish to share with third parties.

 

I'm not using the Bethesda launcher and I'm not in Europe, so I don't know if this has been fixed since the story was reported. Can anyone in Europe confirm whether data-sharing is still enabled by default in the Bethesda user settings?

 

This is another thing that might add to Bethesda's long list of questionable practices.

 

 

 

If you want to report a GDPR violation, the way to do that is by contacting your country's Data Protection Authority.

 

What should I do if I think that my personal data protection rights haven’t been respected?

 

List of EU Data Protection Authorities

You own the software that you purchase - Understanding software licenses and EULAs

 

"We’ll know our disinformation program is complete when everything the american public believes is false" - William Casey, CIA Director 1981-1987


Seriously can someone fucking slap bethesda in the face ?
like. hard enough to maybe spin the earth the wrong way and bring us to a time that wasn't this ?

~New~  BoomBerryPi project !  ~New~


new build log : http://linustechtips.com/main/topic/533392-build-log-the-scrap-simulator-x/?p=7078757 (5 screen flight sim for 620$ CAD)

LTT Web Challenge is back ! go here  :  http://linustechtips.com/main/topic/448184-ltt-web-challenge-3-v21/#entry601004


16 minutes ago, corrado33 said:

Man it's almost like Bethesda is TRYING to beat out EA or something for "worst gaming company of the year." 

There's still 12 more days...

 

Can they make it? 

 

Stay tuned for more T-pose. 

 

T

Cor Caeruleus Reborn v6

Spoiler

CPU: Intel - Core i7-8700K

CPU Cooler: be quiet! - PURE ROCK 
Thermal Compound: Arctic Silver - 5 High-Density Polysynthetic Silver 3.5g Thermal Paste 
Motherboard: ASRock Z370 Extreme4
Memory: G.Skill TridentZ RGB 2x8GB 3200/14
Storage: Samsung - 850 EVO-Series 500GB 2.5" Solid State Drive 
Storage: Samsung - 960 EVO 500GB M.2-2280 Solid State Drive
Storage: Western Digital - Blue 2TB 3.5" 5400RPM Internal Hard Drive
Storage: Western Digital - BLACK SERIES 3TB 3.5" 7200RPM Internal Hard Drive
Video Card: EVGA - 970 SSC ACX (1080 is in RMA)
Case: Fractal Design - Define R5 w/Window (Black) ATX Mid Tower Case
Power Supply: EVGA - SuperNOVA P2 750W with CableMod blue/black Pro Series
Optical Drive: LG - WH16NS40 Blu-Ray/DVD/CD Writer 
Operating System: Microsoft - Windows 10 Pro OEM 64-bit and Linux Mint Serena
Keyboard: Logitech - G910 Orion Spectrum RGB Wired Gaming Keyboard
Mouse: Logitech - G502 Wired Optical Mouse
Headphones: Logitech - G430 7.1 Channel  Headset
Speakers: Logitech - Z506 155W 5.1ch Speakers

 


43 minutes ago, corrado33 said:

Man it's almost like Bethesda is TRYING to beat out EA or something for "worst gaming company of the year." 

There's actually a video about that.
 

 


I just watched a few minutes ago a video ( https://www.youtube.com/watch?v=uxV1iGAB48w ) on the Fallout 76 in-game store and how Bethesda is possibly running afoul of deceptive marketing-laws. At this point, none of this stuff is really surprising anymore; Bethesda decided that using a shovel at the bottom of the pit ain't enough anymore and they went with a full-blown tunnel-borer.

 

Hand, n. A singular instrument worn at the end of the human arm and commonly thrust into somebody’s pocket.


9 minutes ago, WereCatf said:

I just watched a few minutes ago a video ( https://www.youtube.com/watch?v=uxV1iGAB48w ) on the Fallout 76 in-game store and how Bethesda is possibly running afoul of deceptive marketing-laws. At this point, none of this stuff is really surprising anymore; Bethesda decided that using a shovel at the bottom of the pit ain't enough anymore and they went with a full-blown tunnel-borer.

 

I really do wonder if they're going to release "loot boxes" (aka "Lunch boxes"). Geeze if they do.... they must be stupid and have absolutely no online presence at all. 

 

Honestly I don't see a lot of good coming from bethesda in the future. Their gaming engine was outdated for skyrim, and they've continued to use it for 2 fallout games, and AT LEAST 2 more games (including the next TES game.) Like are they just expecting it to be ok for that? People are ALREADY complaining of the engine flaws for fallout 4... freaking 3 years ago. How is that going to go down in freaking 2021 when TES VI actually gets released? 


2 minutes ago, James Evens said:

guess they have this title already for this year. Just a few days ago they announced lunchboxes loot boxes for fallout.

They did? I thought that was just a rumour.


Last time I checked for GDPR, it doesn't matter where company is, it matters where USER is from. You can create billion accounts and if you're from EU, they have to respect the GDPR privacy laws. I have no clue how creating a Bethesda account magically circumvents GDPR then for EU users...


I thought if you are informed in the terms you agree to then it isn't against GDPR.

 

It seems like a bet they are willing to take they will make more $$ out of this than the cost to reputation through internet campaigns or lawsuits. 

 

My take at the moment is that there are so many people bitching and whinging about everything on the net that most campaigns are little more than an itch to these companies, EA has been the butt of many large viral anti consumer campaigns for the better part of 5-6 years now and people still buy their games, still sign up to the accounts, still hand over pre order money, EA are still a big player.   

 

 

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  


1 hour ago, mr moose said:

I thought if you are informed in the terms you agree to then it isn't against GDPR.

 

It seems like a bet they are willing to take they will make more $$ out of this than the cost to reputation through internet campaigns or lawsuits. 

 

My take at the moment is that there are so many people bitching and whinging about everything on the net that most campaigns are little more than an itch to these companies, EA has been the butt of many large viral anti consumer campaigns for the better part of 5-6 years now and people still buy their games, still sign up to the accounts, still hand over pre order money, EA are still a big player.   

 

 

I think one of the main problems is long difficult-to-read license agreements. You can argue it's fair game but they're made that way for two reasons: to be bullet proof legally and to deter users from knowing what they agree to.

 

There's an easy fix: give two versions. One version being the full document with all the legalese and another in an easy and accessible format and language. Companies don't have any interest in doing the latter because they risk people being informed and passing on their product.

 

I'll admit that many would probably agree anyway. For example I'm positive that people would still buy iPhones even if Apple had an egregious policy because it's an iPhone. 


4 hours ago, RejZoR said:

Last time I checked for GDPR, it doesn't matter where company is, it matters where USER is from. You can create billion accounts and if you're from EU, they have to respect the GDPR privacy laws. I have no clue how creating a Bethesda account magically circumvents GDPR then for EU users...

It doesn't. They're in violation of the law.

 

@Delicieuxz Perhaps link to where EU users of Bethesda's launcher should go to complain about this breach of GDPR.

 

For the UK it's here: https://ico.org.uk/make-a-complaint/

 

but idk about the rest of the EU or other countries.

Judge a product on its own merits AND the company that made it.

How to setup MSI Afterburner OSD | How to make your AMD Radeon GPU more efficient with Radeon Chill | (Probably) Why LMG Merch shipping to the EU is expensive

Oneplus 6 (Early 2023 to present) | HP Envy 15" x360 R7 5700U (Mid 2021 to present) | Steam Deck (Late 2022 to present)

 

Mid 2023 AlTech Desktop Refresh - AMD R7 5800X (Mid 2023), XFX Radeon RX 6700XT MBA (Mid 2021), MSI X370 Gaming Pro Carbon (Early 2018), 32GB DDR4-3200 (16GB x2) (Mid 2022

Noctua NH-D15 (Early 2021), Corsair MP510 1.92TB NVMe SSD (Mid 2020), beQuiet Pure Wings 2 140mm x2 & 120mm x1 (Mid 2023),


2 hours ago, mr moose said:

I thought if you are informed in the terms you agree to then it isn't against GDPR.

 

It seems like a bet they are willing to take they will make more $$ out of this than the cost to reputation through internet campaigns or lawsuits. 

 

My take at the moment is that there are so many people bitching and whinging about everything on the net that most campaigns are little more than an itch to these companies, EA has been the butt of many large viral anti consumer campaigns for the better part of 5-6 years now and people still buy their games, still sign up to the accounts, still hand over pre order money, EA are still a big player.   

 

 

It is if it's hard to understand the terms. GDPR requires you to be informed in a relatively easy to understand way if I remember right.

“Remember to look up at the stars and not down at your feet. Try to make sense of what you see and wonder about what makes the universe exist. Be curious. And however difficult life may seem, there is always something you can do and succeed at. 
It matters that you don't just give up.”

-Stephen Hawking


2 hours ago, mr moose said:

I thought if you are informed in the terms you agree to then it isn't against GDPR.

 

It seems like a bet they are willing to take they will make more $$ out of this than the cost to reputation through internet campaigns or lawsuits. 

The problem here is that consent cannot be opt out. It needs to be opt in.

 

By having the checkboxes already checked by default they are in violation.


I just had a quick read of part of Bethesda's privacy policy and the way they put it, it sounds like it should be opt in and definitely not opt out. And it also sounds nothing like described in the OP.

 

Quote

E. Subscribing to Emails, and Participating in Sweepstakes, Contests, Surveys and Similar Activities. Users can sign up online or in-person (e.g., at tradeshows, conferences and the like) to receive direct marketing communications from us, including emails about game launches, developments, and upcoming releases. If you agree to receive direct marketing communications from us, we collect your email address, and we may also collect your name, preferences, and, if relevant, information about your account and the Services and other games you use. We may also run contests, sweepstakes or other events or activities (collectively, "events") on our websites and social media channels. Information collected for these events may include your name, age, email address, and other information.

 

Quote

J. Information from Third Party Sites. We also may use third party tools to help us manage and analyze our social media presence, and report on comments, mentions and other content that is posted about us on social media sites and other public channels and forums. These third parties' activities, and their information collection and sharing practices, are subject to the terms of the relevant social media site, channel or forum. We will use this information in accordance with this Policy.

 


11 hours ago, AluminiumTech said:

It doesn't. They're in violation of the law.

 

@Delicieuxz Perhaps link to where EU users of Bethesda's launcher should go to complain about this breach of GDPR.

 

For the UK it's here: https://ico.org.uk/make-a-complaint/

 

but idk about the rest of the EU or other countries.

Good idea. I've added links to the OP.

 

 

11 hours ago, AluminiumTech said:

I just had a quick read of part of Bethesda's privacy policy and the way they put it, it sounds like it should be opt in and definitely not opt out. And it also sounds nothing like described in the OP.

Like I mentioned in the OP, I'm not in Europe and I don't use the Bethesda launcher, but I checked what my Bethesda website account preferences are set to. It has a different screen entirely than what is shown in the article, and it was set by default like this:

 

[Image: Bethesda account preferences screenshot]

 

 

The OP article shows the default Bethesda account settings page to be like this:

 

[Image: Bethesda EU account page screenshot]

 

 

Here's the reddit discussion where the picture originates from: https://removeddit.com/r/Games/comments/a613su/bethesda_account_creation_i_would_like_to_see/


4 hours ago, mr moose said:

I thought if you are informed in the terms you agree to then it isn't against GDPR. 

Disclaimer: I am not a lawyer.

 

The way I understand it, GDPR requires services to:

1) Inform the users in a clear manner what is being collected and for what purposes. Hiding something in an overly long and difficult to read document does not count.

2) Require users to opt-in to having their data collected. It should not be opt-out. Pre-selected preferences do not count as giving consent.

3) Users of the service must have a way to not have their data collected if they do not desire (assuming the data is not absolutely critical to the main functionality of the service, for example GPS location for a map service).

 

You can no longer present a user with a several hundreds of pages long legal document and go "click here if you agree" and then do whatever you want with their data because "they agreed to our terms".

 

 

Source:

Quote

Consent checkboxes (or yes/no options) – “I accept the terms and conditions” would no longer be sufficient to claim that the user has given their consent for processing their data. So, for each particular processing activity there should be a separate checkbox on the registration (or user profile) screen; or clear yes/no buttons. You should keep these consent checkboxes/buttons in separate columns in the database, and let the users withdraw their consent (by unchecking these checkboxes from their profile page – see the previous point). Ideally, these checkboxes should come directly from the register of processing activities (if you keep one). Note that the checkboxes should not be preselected, as this does not count as “consent”. Another important thing here is machine learning/AI. If you are going to use the user’s data to train your ML models, you should get consent for that as well (unless it’s for scientific purposes, which have special treatment in the regulation). Note here the so called “legitimate interest”. It is for the legal team to decide what a legitimate interest is, but direct marketing is included in that category, as well as any common sense processing relating to the business activity – e.g. if you collect addresses for shipping, it’s obviously a legitimate interest. So not all processing activities need consent checkboxes.
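
The per-activity consent model described in the article quoted above, as an added sketch that is not from the thread, the quoted article or Bethesda: one consent column per processing activity that defaults to off, a logged withdrawal path, and a check that flags consent boxes shipped already ticked. The purpose names, table layout and sample form are assumptions made for illustration.

```python
import sqlite3
from html.parser import HTMLParser

# Hypothetical processing activities; each gets its own consent column, default 0 (no consent).
PURPOSES = ("marketing_email", "share_email_for_ads", "ml_training")

# Constructed sample: a registration form that ships one consent box already ticked.
SAMPLE_FORM = ('<form><input type="checkbox" name="share_email_for_ads" checked>'
               '<input type="checkbox" name="marketing_email"></form>')

def open_store():
    conn = sqlite3.connect(":memory:")
    cols = ", ".join(f"{p} INTEGER NOT NULL DEFAULT 0" for p in PURPOSES)
    conn.execute(f"CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE NOT NULL, {cols})")
    conn.execute("CREATE TABLE consent_log (user_id INTEGER, purpose TEXT, granted INTEGER, "
                 "at TEXT DEFAULT CURRENT_TIMESTAMP)")
    return conn

def set_consent(conn, user_id, purpose, granted):
    """Grant or withdraw consent for one activity and append to the audit log."""
    if purpose not in PURPOSES:  # the column name is interpolated, so allow-list it
        raise ValueError(f"unknown purpose: {purpose}")
    conn.execute(f"UPDATE users SET {purpose} = ? WHERE id = ?", (int(granted), user_id))
    conn.execute("INSERT INTO consent_log (user_id, purpose, granted) VALUES (?, ?, ?)",
                 (user_id, purpose, int(granted)))

def register(conn, email, form):
    """Create an account; consent is stored only for boxes the user ticked.
    Browsers omit unticked checkboxes from a submission, so absence means 'no'."""
    user_id = conn.execute("INSERT INTO users (email) VALUES (?)", (email,)).lastrowid
    for purpose in PURPOSES:
        if form.get(purpose) == "on":
            set_consent(conn, user_id, purpose, True)
    return user_id

def consents(conn, user_id):
    row = conn.execute(f"SELECT {', '.join(PURPOSES)} FROM users WHERE id = ?",
                       (user_id,)).fetchone()
    return dict(zip(PURPOSES, map(bool, row)))

def render_preferences(conn, user_id):
    """Profile-page checkboxes: 'checked' only mirrors consent already stored."""
    state = consents(conn, user_id)
    return "\n".join(
        f'<input type="checkbox" name="{p}"{" checked" if state[p] else ""}>' for p in PURPOSES)

class _CheckedFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.preselected = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if (tag == "input" and a.get("type") == "checkbox"
                and "checked" in a and a.get("name") in PURPOSES):
            self.preselected.append(a["name"])

def preselected_boxes(form_html):
    """Audit helper: names of consent checkboxes that a form ships already ticked."""
    finder = _CheckedFinder()
    finder.feed(form_html)
    return finder.preselected

if __name__ == "__main__":
    conn = open_store()
    uid = register(conn, "alice@example.test", {"marketing_email": "on"})
    print(consents(conn, uid))
    print(preselected_boxes(SAMPLE_FORM))
```
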

 


Man all the bad news about Bethesda in the past... month? feels like I'm watching somebody falling down the up escalator..


10 hours ago, LAwLz said:

Disclaimer: I am not a lawyer.

 

The way I understand it, GDPR requires services to:

1) Inform the users in a clear manner what is being collected and for what purposes. Hiding something in an overly long and difficult to read document does not count.

It does that in the website screenshot they linked. It specifically says sharing your email to provide ads.

10 hours ago, LAwLz said:

2) Require users to opt-in to having their data collected. It should not be opt-out. Pre-selected preferences do not count as giving consent.

That sounds fair enough,

 

10 hours ago, LAwLz said:

3) Users of the service must have a way to not have their data collected if they do not desire (assuming the data is not absolutely critical to the main functionality of the service, for example GPS location for a map service).

Not too sure about that, because not using the service is also an option.  The GDPR doesn't seem to claim that you must provide a service without data collecting conditions attached here:

https://eugdpr.org/the-regulation/

 

10 hours ago, LAwLz said:

You can no longer present a user with a several hundreds of pages long legal document and go "click here if you agree" and then do whatever you want with their data because "they agreed to our terms".

 

I read that in the GDPR, but the screenshot doesn't require you to read any terms beyond the one sentence.  It seems to meet the criteria for a short easy to understand condition, the only issue is whether it is opt in or out. 

 


I saw a shitpost somewhere that was like
"only 6 more bethesda scandals until Christmas!" 

muh specs 

Gaming and HTPC (reparations)- ASUS 1080, MSI X99A SLI Plus, 5820k- 4.5GHz @ 1.25v, asetek based 360mm AIO, RM 1000x, 16GB memory, 750D with front USB 2.0 replaced with 3.0  ports, 2 250GB 850 EVOs in Raid 0 (why not, only has games on it), some hard drives

Screens- Acer preditor XB241H (1080p, 144Hz Gsync), LG 1080p ultrawide, (all mounted) directly wired to TV in other room

Stuff- k70 with reds, steel series rival, g13, full desk covering mouse mat

All parts black

Workstation(desk)- 3770k, 970 reference, 16GB of some crucial memory, a motherboard of some kind I don't remember, Micomsoft SC-512N1-L/DVI, CM Storm Trooper (It's got a handle, can you handle that?), 240mm Asetek based AIO, Crucial M550 256GB (upgrade soon), some hard drives, disc drives, and hot swap bays

Screens- 3  ASUS VN248H-P IPS 1080p screens mounted on a stand, some old tv on the wall above it. 

Stuff- Epicgear defiant (solderless swappable switches), g600, moutned mic and other stuff. 

Laptop docking area- 2 1440p korean monitors mounted, one AHVA matte, one samsung PLS gloss (very annoying, yes). Trashy Razer blackwidow chroma...I mean like the J key doesn't click anymore. I got a model M i use on it to, but its time for a new keyboard. Some edgy Utechsmart mouse similar to g600. Hooked to laptop dock for both of my dell precision laptops. (not only docking area)

Shelf- i7-2600 non-k (has vt-d), 380t, some ASUS sandy itx board, intel quad nic. Currently hosts shared files, setting up as pfsense box in VM. Also acts as spare gaming PC with a 580 or whatever someone brings. Hooked into laptop dock area via usb switch


5 hours ago, mr moose said:

It does that in the website screenshot they linked. It specifically says sharing your email to provide ads.

It looks to me as though there are three issues with it that violate GDPR rules:

 

1. It is not declared to the account holder, and is only discoverable for the account holder by them looking through the settings.

 

2. It is configurable only after the account creation.

 

3. It is auto-checked.

 

Quote

I read that in the GDPR, but the screenshot doesn't require you to read any terms beyond the one sentence.  It seems to meet the criteria for a short easy to understand condition, the only issue is whether it is opt in or out. 

I believe that GDPR requires that the information on the collection of data has to be presented before the fact. The Bethesda account settings page does it only after the fact, and doesn't put it where a person will unavoidably see it.


I don't know what Bethesda are doing right now, they've lost more goodwill in one year than I can remember. They were so beloved by the PC community...


2 hours ago, ZacoAttaco said:

I don't know what Bethesda are doing right now, they've lost more goodwill in one year than I can remember. They were so beloved by the PC community...

That's what happens when suits and spreadsheets run a company. 
