Lawful Neutral: Assessing the privacy policies governing World of Warcraft and Final Fantasy XIV

It never fails to surprise me just what some people will say in general chat in an MMO. They’ll say things they would never say in real life but have no problems spouting off in a game where they feel anonymous. I say “feel anonymous” because when we play MMOs, we aren’t really anonymous. The MMO company is collecting mountains of data about players behind the scenes, from the basics it needs to run the business to things like gameplay metrics and in-game communications. 

But as in many other industries, not every company is equal when it comes to privacy policies or even to implementing the same sets of rules. In pondering this recently, I wondered which MMO company is most respectful of players’ privacy, so I decided to find out. In my day job, I deal with privacy considerations all the time, and I’m certified in both US and EU privacy law (though not as an attorney; I’m a technologist, not a lawyer). So I thought, why not apply that skill and know-how here? 

So this week in Lawful Neutral, let’s take a look at the bare essentials of privacy and then dive into two top MMOs – World of Warcraft and Final Fantasy XIV – to evaluate their privacy policies. 

Privacy is a huge topic, even in MMOs, and there’s way more than what I can hope to cover in a single article or even series. So this is just a fair warning: I’m going to skip over far more than I cover. 

What is ‘personal information’?

I’m going to use the General Data Protection Regulation (GDPR) definition of personal information because it’s the generally accepted definition across many different pieces of regulation the world over. 

“any information relating to an identified or identifiable natural person”

There are two pieces of this definition I want to note. “Identified” or “identifiable” means personal information doesn’t need to be “Jane Doe at 123 Drury Ln”; it can also be things like InternetWarlord1337 as a character name if it can be combined with other data to identify a specific person. It’s deliberately very broad and encompasses many things we wouldn’t necessarily think of as personally identifiable information. 

The second piece to note here is the “natural person” verbiage, and it’s important because personal information applies only to actual people, not “legal” people — actual humans, not entities like corporations that are granted personhood. 

Who gets what?

One of the major points of confusion around privacy is simply who gets what protections. Most of the time, your data privacy protection comes from whatever regulations exist where you live. So if you live in the EU, you are covered by the General Data Protection Regulation (GDPR), and then further by whatever privacy regulations member nations might have in addition to GDPR. 

In the UK, you get the UK version of GDPR. Folks who live in the US are covered by sector-specific regulations at the federal level, such as the Telemarketing Rule, CAN-SPAM, or FCRA. Also in the US, the Federal Trade Commission (FTC) governs a lot of privacy-related work under Section 5 of the FTC Act, the prohibition against unfair and deceptive business practices. Then, if there are additional state privacy laws, those would grant additional protections, such as the California Consumer Protection Act (CCPA).

Needless to say, this gets confusing fast. For a global business, like an MMO company, trying to individually meet all of these requirements for these different jurisdictions is a nightmare. So what the studios do most often is create a privacy program that meets the most restrictive jurisdiction that they work in. In practice, that means that most companies focus on meeting GDPR requirements.

The positive for you is that even if you live somewhere in the world that’s not the EU, you still get some benefits of the GDPR because it’s cost-prohibitive for companies to develop multiple siloed processes to account for each jurisdiction. The legislation in one jurisdiction is “raising the floor” for all jurisdictions. 

What to look for

You should always read the entire privacy policy for every game you run. Seriously. I know it’s boring, long, and confusing, but it’s worth it so that you know exactly what you are giving up to use a service. But knowing that most folks aren’t going to read the whole policy, I’ll give you four basic things to look for: 

  • What data are they collecting about me? In most cases, you’ll be surprised at the breadth. Ideally, the less, the better.
  • How are they using my data and why? Not all data can be used for the same things, so you should know why a company is collecting it (purpose) and what the company is using it for. Ideally, the company is delivering transparency on how it uses data and is doing so ethically. 
  • Whom are they sharing the data with? Once your data are sold or shared with someone else, your ability to control what happens to them is limited. Ideally, the company is sharing your data with as few third parties as possible – especially not with advertisers or data brokers. 
  • Can I do anything about how the company uses my data? Sometimes, companies will offer you a choice (or the illusion of a choice) on whether they collect or share your data and how the data are used. Keep an eye out for “fake choices,” though. 

These four topics are usually headings in the privacy policy, making it easy to scan to find them. And when I’m evaluating which MMO companies have the best privacy, I’m looking at these four things too.

There’s one more thing I want to make sure you know before we dig in here: Both Blizzard and Square-Enix are licensees of the ESRB Privacy Certification, meaning that they’ve paid the ESRB to be certified “to meet established online information collection, use, and disclosure practices.” While this is a good move, I want you to pay attention to how different each studio’s implementation of the privacy policy actually is even as both are still technically “following established practices.” You can make your own judgment about the worth of the ESRB Privacy Certification from there. 

Blizzard’s World of Warcraft

I’m starting with the 800-lb malnourished gorilla in the room. Blizzard collects all the standard, expected information that it needs to run its business, keep with legal obligations, and do some advertising.

Overall, the Blizzard privacy policy is more difficult to read than it needs to be. The structure is convoluted with bits of information about collection, usage, and sharing scattered throughout the policy. Some important information is buried in paragraphs, while other key parts are presented in bulleted lists. Based on the structure alone, we would not be out of line to suspect that the policy was designed to obfuscate Blizzard’s privacy practices, not elucidate them. 

Blizzard says that you should have no expectation of privacy in using any communication in-game, whether chat or voice transcription. When we think of general chat, this makes sense. But this also covers tells and direct messages, guild chats, and party chats; no communication you have in World of Warcraft is private by any definition. Because you have no expectation of privacy, Blizzard could Tweet out screenshots of direct messages of your (ahem) sauciest private chat in Goldshire – and you couldn’t do anything about it. 

Blizzard doesn’t give users any meaningful opt-outs of information. It’s the equivalent of saying if you don’t agree to give up that juicy data, go away. It does provide advertising opt-outs, as required by CAN-SPAM in the US, however.

The most concerning part of Blizzard’s privacy policy is information sharing. It retains the right to share your personal information with affiliated businesses – that is, every other company in Activision’s portfolio. Worse, each of those studios and games maintains its own privacy policy; Call of Duty and Candy Crush, for example, have their own privacy policies. Blizzard isn’t responsible for your data once it ships them over to King, and King’s privacy policy is a lot less robust overall. You should expect that any info you share on World of Warcraft will be collected and transferred en masse to other companies, including a mobile game company. 


Square-Enix’s Final Fantasy XIV

Compared with Blizzard, Square-Enix’s policy for FFXIV and its other titles is a breath of fresh air. The structure is straightforward to read, with clear lists of data collected, the purpose of the data, and opt-out options. Where Blizzard opted for a “spaghetti approach” to its privacy policy, Square uses a layered privacy policy, with a “General Policy” that applies to everyone and then a US policy and Japan privacy policy. 

Honestly, there’s not much to be concerned about here. It is important to remember that this is Square-Enix’s privacy policy, not Final Fantasy XIV alone, so it does apply to every game in its portfolio, meaning the company can legally share your data between games. However, all of the company’s games are governed by the same policy. This contrasts with Blizzard’s “We are going to share your info with these other yahoos; good luck figuring out what they are going to do with it!” approach. 

Square-Enix also says it will collect in-game chats, but it doesn’t include the claim that you have no expectation of privacy when it comes to your communications. That’s concerning because of the ambiguity: You might or might not have an expectation of privacy, but the policy doesn’t explicitly say one way or another. 

Finally, Square-Enix claims the right to collect health information in line with some of its other games, which is always a concern. While SE doesn’t sell these data, you should be aware that if you play a game that collects health information, it is also storing it. 

The comparison

The winner here is obviously Square-Enix, and it’s not even close. Data collection between the two companies is similar, but Square-Enix’s policy is much easier for the typical user to read and understand. While both studios share information with other games, Square-Enix’s policy is the same across every game in its portfolio, whereas Blizzard at least claims the right to yeet your data to affiliates without any responsibility for what happens next. That’s not to say Square-Enix is without concern; the fact that it collects health information should be a red flag. And while it collects in-game communications the same way Blizzard does, Square doesn’t clarify whether those communications merit any expectation of privacy. Blizzard expressly says they do not.

So next time you see that wild barrens chat or get a racy tell as you’re wandering through Goldshire, maybe take a second to think about whether you really want someone else – or even the rest of the world – to someday read what you are writing.  

Every other week, Andy McAdams braves the swarms of buzzwords and esoteric legalese of the genre to bring you Massively OP’s Lawful Neutral column, an in-depth analysis of the legal and business issues facing MMOs. Have a topic you want to see covered? Shoot him an email!