Track 1 platform and get the weekly governance digest. No credit card required.
This page describes what the document states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability may vary by jurisdiction. Methodology
Steam's Privacy Policy establishes the categories of personal data Valve collects from platform users, including account identifiers, payment information, gameplay statistics, device data, and communication records. The policy authorizes Valve to share collected data with Valve group companies, third-party game developers, payment processors, and service partners for purposes including game delivery, platform operation, and marketing personalization. Users may configure cookie preferences at store.steampowered.com/account/cookiepreferences/ and adjust Steam Client interface settings to control content recommendations.
This document governs Valve Corporation's collection, processing, storage, and sharing of personal data across the Steam platform and associated services, asserting legal bases including contractual necessity, legal obligation, legitimate interests, and user consent consistent with GDPR Article 6 framing. The policy states that Valve collects a broad range of data categories including account credentials, payment information, device identifiers, game statistics, playtime, browser and behavioral tracking data, chat communications, and voice data from Steam's communication features, and the terms authorize sharing this data with Valve group companies, third-party game developers, payment processors, and other service partners. Notably, the policy discloses collection of hardware survey data and voice data from Steam communication features, asserts the right to process anonymized aggregated data and share it with third parties without restriction, and permits behavioral tracking across Steam websites and applications for marketing and analytics purposes, though several of these asserted rights may be constrained by GDPR, UK GDPR, or CCPA requirements depending on the legal basis applied. The policy expressly engages GDPR, UK GDPR, CCPA, and the EU-U.S. Data Privacy Framework, and Valve certifies adherence to the DPF Principles, which govern in case of conflict with this policy; EU and UK users hold specific rights including access, rectification, erasure, and objection, while California residents are entitled to CCPA disclosure and opt-out rights. Material compliance considerations include ensuring adequate legal bases for each processing activity, verifying that third-party data sharing arrangements meet applicable transfer mechanism requirements, and confirming that consent mechanisms for optional cookies and marketing communications meet applicable standards.
Institutional analysis available with Compliance
Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Compliance.
Start Compliance free trial3 important changes detected
3 versions captured · Last updated: June 2026
Steam updated a URL in its Privacy Policy on April 18, 2026, changing the form link users can use to request data access or deletion. The previous link directed to …
View change record →This addition explicitly clarifies data sharing practices with game developers and publishers, specifying the purposes and scope of third-party data transfers.
This addition emphasizes user rights related to data access, correction, deletion, and objection, strengthening transparency around individual data control mechanisms.
This addition establishes explicit consent and opt-out requirements for marketing communications, demonstrating improved compliance with consent-based marketing regulations.
This addition provides specific data retention guidelines and criteria, demonstrating commitment to data minimization and compliance with retention limits mandated by privacy regulations.
The removal of explicit legal bases for data processing reduces transparency about GDPR-compliant justifications for personal data collection and may indicate reduced emphasis on lawful basis documentation.
The removal of this provision eliminates explicit disclosure of behavioral profiling and personalization practices, reducing visibility into algorithmic targeting used for content recommendations.
The removal of this framework provision reduces the structured overview of how data processing policies interconnect with user rights and control mechanisms.
The removal of provisions addressing minors' data protection and age restrictions eliminates specific safeguards for children's data, which is a high-severity omission under privacy regulations like COPPA and GDPR.
The removal of this general third-party sharing provision is replaced by more specific provisions, indicating a reorganization toward clearer disclosure of data sharing practices.
Severity downgraded from medium to low, indicating reduced priority classification for DPF compliance disclosure.
Provision renamed from "Tracking Data, Cookies, and Behavioral Data Collection" to "Cookie and Behavioral Tracking" with severity reduced from high to medium.
Provision renamed from "Game Statistics and Content-Related Data Collection" to "Game Statistics and Device Data Collection" with no severity change.
Provision renamed from "Transaction and Payment Data Collection" to "Transaction and Payment Data Processing" with no severity change.
Provision renamed from "Anonymous Data Sharing Without Retention Limit" to "Anonymous and Aggregated Data Sharing Without Restriction" with no content or severity change.
Monitoring
Steam has updated this document before.
Monitor includes same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
Compliance Governance Intelligence
Need provision-level monitoring and regulatory mapping?
Compliance includes governance timelines, compliance memos, audit-ready analysis, and full provision tracking.
Start Compliance free trialCross-platform context
See how other platforms handle Legal Bases for Personal Data Processing and similar clauses.
Compare across platforms →Governance Monitoring
Structured alerts for policy changes, governance events, and provision updates across 318+ platforms.