The EA Origins EULA is a non-story

UPDATE 2/11/11: this issue really isn’t going away – there are now stories of gamer rage in Germany about alleged anti-privacy stance in EA Origins and Battlefield 3 (not quite sure how that works together – I imagine it means that the release of Battlefield 3 has raised the concerns about Origins again).

There has been a lot of debate over the last week about the terms of EA’s End User Licence Agreement (EULA) for its Origins download service.  This is a post to explain why that is a non-story and unfortunately says more about gamers’ misunderstanding of EULAs and data protection than it does about EA (though in fairness EA could have done a better job to explain itself).

The story broke originally via The Escapist forums and then other sites including RPS.  This is what the EA EULA actually said:

You agree that EA may collect, use, store and transmit technical and related information that identifies your computer (including the Internet Protocol Address), operating system, Application usage (including but not limited to successful installation and/or removal), software, software usage and peripheral hardware, that may be gathered periodically to facilitate the provision of software updates, dynamically served content, product support and other services to you, including online services. EA may also use this information combined with personal information for marketing purposes and to improve our products and services. We may also share that data with our third party service providers in a form that does not personally identify you. IF YOU DO NOT WANT EA TO COLLECT, USE, STORE, TRANSMIT OR DISPLAY THE DATA DESCRIBED IN THIS SECTION, PLEASE DO NOT INSTALL OR USE THE APPLICATION. This and all other data provided to EA and/or collected by EA in connection with your installation and use of this Application is collected, used, stored and transmitted in accordance with EA’s Privacy Policy located at www.ea.com. To the extent that anything in this section conflicts with the terms of EA’s Privacy Policy, the terms of the Privacy Policy shall control.”

(Note: the EA EULA has since been updated with some generic wording about EA’s commitment to data protection, but that doesn’t really change the above wording so I won’t comment on it further).

Here’s some reasons why this clause is not really the kind of huge issue that some have made it out to be:

1) You need to read the EA Privacy Policy together with the EULA

Pointing to the EULA alone when discussing EA’s data protection obligations isn’t right – we also need to look at its Privacy Policy (as the clause itself explicitly recognises), where EA sets out in detail what it will and won’t do with your data.  That’s a pretty standard approach: the EULA sets out the powers of the software provider in its relationship with you; and the Privacy Policy sets out how it will treat the data which it collects using those powers.

I won’t go into detail about EA’s Privacy Policy, but it’s worth reading in full here.

(2) EA is bound by data protection law in any event

EA is bound by data protection laws in each country which will govern what it can and cannot do with any data which it collects irrespective of what it says in its EULA or Privacy Policy.  In Europe for example, it is bound by EU data protection legislation (you can read my summary of that here), which among other things includes the requirement on EA to: process the data fairly and lawfully; to only use it for specific lawful purposes; and not to keep it for longer than is necessary.

In other words: no software provider has a free hand when it comes to collecting your data (especially with the heightened awareness about data protection following the Sony PSN attacks earlier this year).

(3) This wording is fairly standard

Tech lawyers quite regularly see the kind of wording in the EULA, which enables the software provider to both gather technical data about their users as well as reserve the right to use that data, e.g. for marketing purposes.  Here’s a few examples off the top of my head which are similar to the kind of activity proposed by EA:

The Windows 7 EULA: it includes both the right for Microsoft to carry out (relatively invasive) validation checks as well as for its security features to gather “appropriate systems computer information, such as your Internet protocol address, the type of operating system, browser and name and version of the software you are using, and the language code of the computer where you installed the software“.

The Impulse EULA: explains that interactions via their website can include them (via cookies) gathering data about:  

your Internet (IP) address; login and password information; e-mail address; web browser type and version; operating system and computer platform; purchase history, which we may aggregate with similar information from other customers; the full Uniform Resource Locator (URL) clickstream to, through, and from our website, including date and time; cookie number; products you viewed or searched for; areas of our website you visited; and the phone number you used to call our toll-free number. We also may log the length of time of your visit and the number of times you visit and purchase from us.”

Another section explains that they may share that information with third parties, contractors and in connection with promotional offers.

Blizzard’s Privacy Policy and World of Warcraft EULA: these documents set out what Blizzard can do regarding collecting data from you.  For example, its Privacy Policy permits Blizzard to collect geographical and IP address information from you, as well as usage details.  Moreover, either neither the Privacy Policy nor EULA specifically mention, we are all used to having Blizzard’s Warden software installed on our systems, the purpose of which is to scan our PCs for any hacks/malware etc which could affect how we access/play Blizzard games.

Obviously, this isn’t a killer argument in itself – the fact that a number of software companies approach things in a particular way doesn’t make it right.  You could even argue that in some respects what EA proposes go beyond the examples I’ve given.  But the point I wanted to make is that there is nothing radically new in what EA is proposing to do.

(4) Software businesses need to collect data about you to provide a better service

I don’t think EA or other software providers collect data about users’ technical data/purchasing history etc etc just for the fun of it – they do it because they want to improve their service to you.  What would be the point, for example, in them offering you a game you already own, or a game you couldn’t possibly run, or just simply have no interest in? It’s a waste of time for them and an irritation for you.  The solution of course is targeted marketing – for which they need data about you.

That said, I recognise that this is pretty hard to achieve in practice and there are also diverging opinions about it among consumers: some would quite like it, whereas others (probably those who were angry at EA here) don’t want the collection of data that comes with targeted marketing.  But anyway, the point is this: businesses like EA often have legitimate reasons for wanting to collect this kind of data.

That said, there is still an issue here

I think the real relevance of this story is that games businesses need to take extra care to explain to gamers exactly what they mean in EULAs, Privacy Policies and other documentation.  It’s not enough to set these documents out in legalese and just leave it at that – that may be sufficient as a matter of law (although I have my doubts about some of the particularly legalistic approaches), but it certainly won’t cut it with consumers, as this story has evidenced.


Ideally, they also need to think about how to take care of the segment of their user base who wants to use their service but doesn’t want all the data collection that comes with it.  There’s an easy solution: allow people to opt out of the data collection.  A clause along the lines of “if you don’t like it, leave” doesn’t help consumers and may be invalid under the data protection laws of some countries.  On this front certainly, I think EA could have done a better job (although I appreciate it can mean some quite complicated administrative/tech arrangements to actually make it work).

Moral of the story: 

  • Games businesses need to have clear, plainly worded and explained legal documentation and ideally give gamers the ability to opt out of the data collection service
  • Gamers need to get less hot under the collar sometimes 🙂
Image credit: EA

5 comments

  1. I disagree. While others may have similar EULAs, that doesn't make Origins' EULA any more palatable. I feel that the biggest issue is the ambiguity – it's written in such broad strokes that the scope could arguably include all users' data / media / and internet activity. It's unnecessary to be written so broadly if they have no need for all of that and many other companies write EULAs that are far more narrow in scope.

    My take on it: http://www.technolawguy.com/2011/08/ea-if-you-dont-like-our-privacy-policy.html

  2. Not only is this an alarming trend that people are getting use to in their daily lives. But the fact that inept God botherers like the the author of this article, are actively defending the private interests that are seeking an unwarranted access to peoples privacy!

    The EA EULA sets a precedent when it comes to the online gaming store platforms. Whether it's Battlenet, Steam, D2D, NCsoftLauncher etc. None of them have ever dared to justify the need to passively monitor hardware/software/peripheral usage/installation/removal and subsequent sharing of this information.

    What steam/battlenet etc do is monitor all information within the software and service they provide, with Anti-cheat software monitoring for suspicious software activity. However, yes, steam does perform hardware/software surveys but these are OPTIONAL.

    Its also important to note, that none of the great games in our history have been made with aid of this kind of information, or on the scale that it is now being collected, nor does it have to be this way.

    If you live in the USA, you may also like to hear that by signing the EA TOS you wave your right to take EA to court, either personally or in a class action suit. This was copied from the precedent set by Sony and their TOS changes after they lost peoples data to hackers.

    Had this guy actually read, and understood both EA EULA and Privacy policy/TOS, then applied it in the broader sense he probably wouldn't have made such an arse of himself.

    So moral of the story:
    1.) This sets a nasty precedent others are sure to follow AND BUILD ON.

    2.) If you do have an objection, but like many LOVE DICE and the Battlefield series, be aware of what you are legitimising (the holding to ransom of games for privacy). Stay with platforms that don't invade your computer's privacy (i.e. steam), and uninstall Origin as soon as you are done playing the title.

    3.) Thanks to idiots like the chap who wrote this article, instead of gamers taking action and voicing their concerns to watch their fellow gamers backs, now every year we're being forced to give up more and more rights/privacy in order to play our favorite games.

    So Jas Purewal, i suggest you take a reality check, and rather than expending energy to tell people they are wrong in having concerns, or to be outraged at this. You should make a conscious effort to become more aware of the history surrounding the steady erosion of privacy/rights when it comes to games.

    Because as is, you're not helping anyone.

  3. Jas Purewal works for Olswang LLC which, among other things, do Intellectual Property and Digital Rights and one of their clients happen to be the Walt Disney Company.

    The Walt Disney Company runs a gaming division which has a similar setup to EA, complete with obfuscated Privacy Policy and EULAs, draconian DRM, and emphasis on social gaming ('social' as in 'data mining').

    In fact EA and Walt Disney Gaming keep swapping staff back and forth. A while ago there was even talk about Walt Disney Company buying EA, which would fit in nicely with their group of companies.

    BUT of course Jas is purely writing this on his own spare time, from his own and uninfluenced perspective, and it has nothing to do with the business he is in or that of his employer(s). He is a Gamer, just like you!

    Thanks for at least mentioning that there should be opt-out, albeit after you labelled all of this as a non-story (which it clearly is not, I mean you wrote a story about it too).

Comments are closed.