Bethesda's had a rough few months, and things are getting a little more interesting with a Redditor's recent discovery.

First reported on GameWatcher.com, they found a popular Reddit thread discovered users are being opted-in to see ZeniMax ads automatically upon account creation. GameWatcher.com says that this is a "major no-no according to GDPR" and Reddit users on the now-removed thread also called the General Data Protection Regulation (GDPR) into question.

GDPR might sound unfamiliar to those outside of the European Union. GDPR's official website says:

The aim of the GDPR is to protect all EU citizens from privacy and data breaches in today’s data-driven world. Although the key principles of data privacy still hold true to the previous directive, many changes have been proposed to the regulatory policies; the key points of the GDPR as well as information on the impacts it will have on business can be found below.

This is a major law in the European Union, and so I reached out to both Strebeck Law and Morrison Rothman LLP , both firms practicing in areas such as video game law.

Zachary Strebeck of Strebeck law first corrected something from the GameWatcher article:

GDPR applies to EU citizens both located in the EU and those who are abroad. That's why companies generally want to just have these policies apply everywhere. IP Address isn't enough to differentiate.

Besides that, he also outlined several points to be compliant with GDPR at a basic level. "That includes: a lawful basis for collecting and sharing the personal information," as well as "disclosure of what you're collecting and sharing, as well as who you're sharing it with and what the lawful basis for collection is."

He continued: "Information regarding targeted advertising is generally going to be considered "personal information" under the GDPR and most other privacy laws." Strebeck outlined three lawful bases so that a company can collect said information: consent (the opt-in in this case), fulfilling contractual obligations, and legitimate interest.

Still, while Bethesda users technically do opt in, Strebeck cites the UK Independent Privacy Authority (ICO). The ICO says that consent would require a "positive opt-in" and there should be no pre-ticked boxes. This is not the case with Bethesda accounts, since users have to manually opt-out.

Morrison Rothman LLP's opinion on the matter was equally interesting. I talked to Shaq Katikala, a privacy attorney for the firm. Katikala said that users being "automatically opted in" is not necessarily a GDPR violation:

That is false and in fact, is quite common - as you surf online, numerous ad companies collect data about you without your consent. Consent is only required in some cases - much of the adtech industry currently operates under the theory that targeted ads are a "legitimate interest" under GDPR, which doesn't require consent. According to their privacy policy, ZeniMax operates under that theory.

But here, it's unclear how, why, or if they are linking that email to the ad profile. Without knowing that, we can't know for sure whether it would require consent or could classify as a "legitimate interest." They do offer an opt-out from targeted ads altogether in their privacy policy - presumably, that includes any use of the email that's linked to that data.

For example, if they are only preemptively asking for this permission as a "just-in-case" but are not actually even doing any ad targeting with your email address, then they would not likely be violating GDPR.

While ESRB Privacy Certified

He does say that it could be at risk for a violation but it is not in itself a clear violation of GDPR. However, he notes that one part seems to exceed industry norms - the fact that ZeniMax shares your email address for ad targeting purposes is interesting. Katikala says most targeted ads do not use your email address or personal information, but rather they rely on cookies or an advertising ID.He says it could possibly be a GDPR violation since this is not fully explained to the user. Katikala says that on his cursory look at ZeniMax's privacy policy, there was vague language throughout, and that it is hard to say without knowing ZeniMax's business model better.Katikala also suggested I reached out to ESRB. ESRB certifies privacy practices of companies, so Bethesda and ZeniMax would have done so. When I got a response from an ESRB spokesperson, they said:You can disable this opt-in, but it's needlessly complicated. If you go to the Bethesda launcher, you have to click account management which will bring up a new page. You have to scroll down to opt out. I tried to do it on Bethesda's main website but wasn't able to unless I googled "Bethesda account" and went to its URL. The communication preferences there appear to let you alter it which is a different page then you'd get to if you went through the Bethesda Launcher, which takes you to an account management page... which is different then the account management page they link to in other places on their website making the experience far more painful than needed.

Is Bethesda and ZeniMax breaching GDPR? It really is hard to say - the attorneys seem to have different opinions on the matter. Meanwhile, there's not enough case law or general precedence to see what might happen with this situation. It's also hard to tell if this situation devolves into something greater.

Strebeck left me with one last nugget that would be useful in this situation. If you would like to make a complaint about a possible GDPR violation, EU citizens can file it to their local Data Protection Agency. Bethesda's privacy policy can be found here.

What do you think of this practice? Do you think that it violates GDPR? let us know in the comments below!