It is no secret that video game companies collect the personal data of gamers. Financial information is collected for payments and location data may be collected for marketing or as part of the game (e.g., geolocation-based games such as Pokemon Go). Other data such as user contact information, search history, browsing data and contacts may also be collected.
Because of growing privacy risks in the video game industry, the data protection spotlight has started to turn towards this space. In this article, we highlight some recent developments in data protection relevant to the video game industry.
Safeguards for the protection of children’s personal data are being implemented globally in recognition of potential harms online, a development that is especially pertinent to the video games industry.
In Singapore, there is no legislation specific to children’s personal data, which is generally protected under the Personal Data Protection Act 2012 (PDPA). However, the PDPC published the Advisory Guidelines on the PDPA for Children’s Personal Data in the Digital Environment (Children’s Data Guidelines) on 28 March 2024, clarifying how the PDPA applies to children’s data. Some key features of the Children’s Data Guidelines are as follows:
For more information on protecting children’s personal data, please see our article on the Children’s Data Guidelines.
In any case, the sensitivity of children’s personal data has been recognised even before the Children’s Data Guidelines were released. In Singapore Taekwondo Federation [2018] SGPDPC 17, there was unauthorised disclosure of minors’ NRIC numbers on the organisation’s website. The Commissioner noted that there is generally greater sensitivity surrounding the treatment of minors’ personal data, which may require additional safeguards, and took this into account as an aggravating factor.
The Singapore position differs from that in the EU, where, under the General Data Protection Regulation, parental consent is generally required if a child below 16 wishes to use information society services, which are mostly online services.
In the United States, children’s personal data are protected under the Children’s Online Privacy Protection Act (COPPA), which imposes requirements on operators of websites or online services (Operators) that are directed to children under the age of 13, and on Operators who have actual knowledge that they are collecting information from such children. Generally, these requirements include obtaining verifiable parental consent prior to any collection, use or disclosure of personal information from children and making reasonable efforts to notify parents of such collection, use or disclosure.
Lately, COPPA enforcement has been on the rise against social media platforms and video game companies. In 2022, Fortnite developer Epic Games was fined USD 520 million in total by the Federal Trade Commission (FTC), which includes USD 275 million in relation to violations of COPPA. The two main allegations by the FTC were that Epic failed to notify parents of children under 13 who played Fortnite and to obtain these parents’ consent before collecting the personal data of their children; and that Epic turned on text and voice communications by default, which exposed children to online harms and bullying from strangers.
In 2025, Genshin Impact developer HoYoverse agreed to pay USD 20 million to settle claims that it violated children’s privacy and deceived players on the cost of winning prizes in loot boxes. The company also stated that it would delete personal information from children below 13 obtained without parental consent, comply with COPPA and increase its in-game disclosures around virtual currency and rewards for players in the US.
Beyond the use of personal data, enforcement has also been based on “dark patterns” in games, which the FTC alleges have been used to trick millions of players into making unwanted purchases.
Video game companies are increasingly targeted by malicious actors, underscoring the importance of having robust cybersecurity measures in place. A New Zealand developer of a popular online action role-playing game suffered a data breach in January 2025, resulting in certain users losing their account data. In addition, a developer of a well-loved anime-based game suffered a major data breach in August 2024, resulting in the exfiltration of employee records and confidential business information from the game’s publisher Nintendo.
Given the growing number of developments in privacy and data protection in the video game industry, industry players should align with best privacy and cybersecurity practices in order to minimise risks to their players, who include vulnerable children.
OrionW regularly advises clients on data protection and cybersecurity matters, including from the video game sector. For more information about compliance with Singapore data protection and cybersecurity laws and regulations, or if you have questions about this article, please contact us at info@orionw.com.
Disclaimer: This article is for general information only and does not constitute legal advice.