Need Game Art? Edit Game Trailers Launch Your Dev Site Sell Your Merch
Need Game Art? Sell Your Merch

Do Web Games Need GDPR Compliance?

Updated July 2026
Yes, if your web game collects, stores, or processes personal data from players in the European Union, you must comply with GDPR. This includes cloud saves tied to email addresses or OAuth accounts, leaderboard entries with player names, analytics that track individual behavior, and any advertising that uses cookies or device identifiers. Local-only saves stored in the player's browser without any server-side collection generally do not trigger GDPR requirements.

What Counts as Personal Data

Under GDPR, personal data is any information that can identify a person directly or indirectly. For web games, this includes: email addresses (from account registration), display names (if they contain real names), IP addresses (logged by your server), OAuth identifiers (Google ID, Discord ID), device fingerprints (browser version + screen resolution + installed fonts), location data (if your game or analytics collects it), and any unique identifier that can be linked back to a specific person.

Data that is genuinely anonymous does not trigger GDPR. A random UUID stored only in the player's browser with no server-side record is not personal data. A leaderboard entry with a randomly generated name ("Player_7829") and no linked email or account is borderline, depending on whether the random ID could be combined with other data to identify the person. A high score submitted with a real name, email, and IP address logged by the server is clearly personal data.

The distinction matters for game save systems. A game that saves exclusively to LocalStorage or IndexedDB with no server communication collects no personal data on your servers and has minimal GDPR obligations. A game that saves to a cloud database tied to a Google OAuth account collects personal data (the Google ID, display name, and potentially email) and must comply fully.

The Detailed Answer

GDPR applies to your web game if you process personal data of individuals in the EU, regardless of where your servers are located. A game developer in the United States serving EU players must comply with GDPR for those players. GDPR does not distinguish between commercial and non-commercial projects: a free game with 50 users has the same legal obligations as a commercial game with 5 million users. Enforcement priority is proportional to scale, but the legal requirements are identical.

CCPA (California Consumer Privacy Act) applies if your game collects personal information from California residents and meets one of three thresholds: annual gross revenue over $25 million, buying or selling personal data of 100,000+ consumers, or deriving 50% or more of revenue from selling personal data. Most indie web games do not meet these thresholds, but if you serve ads with tracking cookies to California users, the ad network may trigger compliance requirements on your behalf.

Other privacy regulations include PIPEDA (Canada), LGPD (Brazil), POPIA (South Africa), and APPI (Japan). The practical reality is that GDPR sets the highest standard, and complying with GDPR generally satisfies the requirements of other regulations. If your game is accessible globally (which most web games are), treating GDPR as your baseline standard is the most efficient approach.

Do I need a cookie consent banner for my web game?
You need a cookie consent banner if your game sets non-essential cookies, which typically means advertising cookies or third-party analytics cookies. If your game uses only essential cookies (like a session cookie for authentication), you do not need consent for those specific cookies, but you should still disclose them in your privacy policy. If you use Google Analytics with default settings, it sets tracking cookies that require consent. Privacy-focused analytics tools like Plausible, Fathom, and Simple Analytics do not use cookies and do not require consent banners. LocalStorage and IndexedDB are not cookies and are not covered by the ePrivacy Directive's cookie rules, but they are covered by GDPR's broader data processing rules if the stored data is personal.
What does a web game's privacy policy need to include?
A GDPR-compliant privacy policy must state: what personal data you collect (list every type), why you collect it (the legal basis, typically "legitimate interest" for game functionality or "consent" for marketing), how long you keep it (your retention period), who you share it with (analytics providers, ad networks, cloud hosting services), how players can access, correct, or delete their data (provide an email address or in-game mechanism), and your identity and contact information. The policy must be written in clear, plain language that a non-lawyer can understand. Template generators like Termly, iubenda, and TermsFeed produce legally adequate privacy policies for web games for $10-50 per year.
What if my game is for children?
Games targeting children under 13 (in the US) must comply with COPPA (Children's Online Privacy Protection Act), which requires verifiable parental consent before collecting any personal information. Under GDPR, children under 16 (or as low as 13, depending on the EU member state) require parental consent for data processing. If your web game is likely to attract children, avoid collecting personal data entirely: use local-only saves, anonymous leaderboards, and no advertising with tracking. If you must collect data from children, consult a lawyer who specializes in children's privacy law, because the penalties for COPPA and GDPR violations involving children are severe.
How do I handle data deletion requests?
Under GDPR, players have the "right to erasure": they can request that you delete all their personal data, and you must comply within 30 days. For a web game, this means deleting the player's cloud save, leaderboard entries, account record, and any analytics data tied to their identifier. Build a deletion endpoint in your API that removes all data for a given player ID. Provide a way for players to trigger this, either through an in-game settings menu ("Delete my account and all data") or by emailing you. Document the deletion process in your privacy policy. If you use third-party services (Firebase, Google Analytics), you must also delete data from those services, which may require using their admin APIs or data management tools.

Practical Steps for Indie Game Developers

Step 1: Inventory your data collection. List every piece of data your game collects, stores, or transmits. Include server logs (which record IP addresses by default), analytics events, authentication tokens, cloud save data, leaderboard submissions, crash reports, and any third-party SDK data. If you use Google Analytics, AdSense, or social login, each of those services collects data on your behalf.

Step 2: Minimize data collection. The easiest way to reduce privacy compliance burden is to collect less data. Do you actually need Google Analytics, or would server-side page view counts suffice? Do your leaderboards need real names, or would randomly generated names work? Do you need to store email addresses, or can you use OAuth IDs without requesting the email scope? Every piece of personal data you do not collect is a piece you do not need to protect, disclose, or delete on request.

Step 3: Write a privacy policy. Use a template generator or write one from scratch. Host it at a permanent URL on your game's domain (typically /privacy). Link to it from your game's footer, settings menu, and any sign-up or consent flow. Update it whenever your data practices change.

Step 4: Implement consent where required. If you use advertising cookies or non-essential tracking cookies, implement a consent banner that loads those cookies only after the player clicks "Accept." If you use server-side analytics without cookies, you likely do not need a consent banner, but disclose the analytics in your privacy policy. If your game collects personal data for cloud saves, the legal basis is typically "legitimate interest" (you need the data to provide the service the player requested), which does not require explicit consent but does require disclosure.

Step 5: Build data access and deletion. Create an API endpoint or admin tool that retrieves all data associated with a player ID and another that deletes it. Even if no player ever requests deletion, having the capability built and ready means you can respond within the 30-day GDPR window. For small games, handling requests via email is acceptable: the player emails you, you look up their data, and you delete it manually. For larger games, automate the process with a self-service button in the account settings.

Step 6: Secure the data you store. GDPR requires "appropriate technical and organizational measures" to protect personal data. For web games, this means: use HTTPS everywhere, hash passwords (if you use email/password auth instead of OAuth), encrypt sensitive data at rest (most managed databases do this automatically), restrict database access to authorized services, and keep dependencies updated to patch security vulnerabilities. A data breach involving personal data must be reported to the relevant supervisory authority within 72 hours under GDPR.

The Low-Risk Approach

The simplest way to minimize privacy risk for a web game is to keep everything local. Use LocalStorage or IndexedDB for saves. Use anonymous leaderboard entries with generated names. Use privacy-focused analytics (Plausible, Fathom) that do not set cookies or collect personal data. Do not implement accounts or cloud saves. This approach eliminates GDPR data processing obligations almost entirely, because you never collect personal data on your servers.

When you need cloud saves and accounts, the next-lowest-risk approach is to use a managed service (Firebase, Supabase) that handles data security, encryption, and access control. You still need a privacy policy and must handle deletion requests, but the managed service reduces the technical security burden. Use OAuth-only authentication (no email/password) to avoid storing sensitive credentials. Request only the minimum OAuth scopes (unique ID and display name, not email or profile photo).

Key Takeaway

Web games that collect personal data (cloud saves, accounts, tracking analytics) must comply with GDPR for EU players. Minimize data collection, write a privacy policy, build data deletion capability, and secure stored data. Games with local-only saves and no server-side data collection have minimal privacy obligations.