9 Total
0 High severity
6 Medium severity
3 Low severity
Summary

Steam's Privacy Policy establishes the categories of personal data Valve collects from platform users, including account identifiers, payment information, gameplay statistics, device data, and communication records. The policy authorizes Valve to share collected data with Valve group companies, third-party game developers, payment processors, and service partners for purposes including game delivery, platform operation, and marketing personalization. Users may configure cookie preferences at store.steampowered.com/account/cookiepreferences/ and adjust Steam Client interface settings to control content recommendations.

Technical / Legal Breakdown

This document governs Valve Corporation's collection, processing, storage, and sharing of personal data across the Steam platform and associated services, asserting legal bases including contractual necessity, legal obligation, legitimate interests, and user consent consistent with GDPR Article 6 framing. The policy states that Valve collects a broad range of data categories including account credentials, payment information, device identifiers, game statistics, playtime, browser and behavioral tracking data, chat communications, and voice data from Steam's communication features, and the terms authorize sharing this data with Valve group companies, third-party game developers, payment processors, and other service partners. Notably, the policy discloses collection of hardware survey data and voice data from Steam communication features, asserts the right to process anonymized aggregated data and share it with third parties without restriction, and permits behavioral tracking across Steam websites and applications for marketing and analytics purposes, though several of these asserted rights may be constrained by GDPR, UK GDPR, or CCPA requirements depending on the legal basis applied. The policy expressly engages GDPR, UK GDPR, CCPA, and the EU-U.S. Data Privacy Framework, and Valve certifies adherence to the DPF Principles, which govern in case of conflict with this policy; EU and UK users hold specific rights including access, rectification, erasure, and objection, while California residents are entitled to CCPA disclosure and opt-out rights. Material compliance considerations include ensuring adequate legal bases for each processing activity, verifying that third-party data sharing arrangements meet applicable transfer mechanism requirements, and confirming that consent mechanisms for optional cookies and marketing communications meet applicable standards.

Institutional Analysis

Institutional analysis available with Compliance

Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Compliance.

Start Compliance free trial

3 important changes detected

3 versions captured · Last updated: June 2026

What changed Steam's privacy policy was updated on June 3, 2026 to add Malay language support (marked as BETA) to the policy's language selector. The policy's substantive privacy commitments and compliance statements remain unchanged. This is a formatting and localization adjustment with no operational impact on data governance, privacy rights, or user obligations.
Why this matters This change does not materially affect the terms consumers operate under. Steam's privacy policy substantive commitments regarding data protection, compliance with CCPA, GDPR, and UK GDPR remain unchanged. The update adds Malay language support to the policy interface, enabling broader accessibility to the existing policy text.
View full change record →
What changed Steam modified a single URL in its Privacy Policy on April 22, 2026. The change removes '/en' from the help link users can use to request access to or deletion of their personal data. The updated link now points directly to the wizard form without the language prefix. This is a technical correction with no material impact on users' data rights or privacy protections.
Why this matters This change has no material impact on your privacy rights or data protections. Steam modified a technical support URL to simplify access to the form users can submit to request access to or deletion of their personal data. The underlying right to request and delete your data remains unchanged; only the link address was updated.
View full change record →

April 18, 2026 low

Steam updated a URL in its Privacy Policy on April 18, 2026, changing the form link users can use to request data access or deletion. The previous link directed to …

View change record →

Recent Provision Changes Jun 3, 2026

Added (4)
Third-Party Data Sharing with Game Developers and Partners Medium

This addition explicitly clarifies data sharing practices with game developers and publishers, specifying the purposes and scope of third-party data transfers.

User Rights: Access, Rectification, Erasure, and Objection Medium

This addition emphasizes user rights related to data access, correction, deletion, and objection, strengthening transparency around individual data control mechanisms.

Marketing Communications and Opt-Out Low

This addition establishes explicit consent and opt-out requirements for marketing communications, demonstrating improved compliance with consent-based marketing regulations.

Data Retention Low

This addition provides specific data retention guidelines and criteria, demonstrating commitment to data minimization and compliance with retention limits mandated by privacy regulations.

Removed (5)
Legal Bases for Personal Data Processing

The removal of explicit legal bases for data processing reduces transparency about GDPR-compliant justifications for personal data collection and may indicate reduced emphasis on lawful basis documentation.

Content Recommendations and Behavioral Profiling

The removal of this provision eliminates explicit disclosure of behavioral profiling and personalization practices, reducing visibility into algorithmic targeting used for content recommendations.

User Rights and Data Deletion

The removal of this framework provision reduces the structured overview of how data processing policies interconnect with user rights and control mechanisms.

Minors' Data and Age Restrictions

The removal of provisions addressing minors' data protection and age restrictions eliminates specific safeguards for children's data, which is a high-severity omission under privacy regulations like COPPA and GDPR.

Third-Party Data Sharing with Partners and Service Providers

The removal of this general third-party sharing provision is replaced by more specific provisions, indicating a reorganization toward clearer disclosure of data sharing practices.

Modified (5)
EU-U.S. Data Privacy Framework Certification

Severity downgraded from medium to low, indicating reduced priority classification for DPF compliance disclosure.

Cookie and Behavioral Tracking

Provision renamed from "Tracking Data, Cookies, and Behavioral Data Collection" to "Cookie and Behavioral Tracking" with severity reduced from high to medium.

Game Statistics and Device Data Collection

Provision renamed from "Game Statistics and Content-Related Data Collection" to "Game Statistics and Device Data Collection" with no severity change.

Transaction and Payment Data Processing

Provision renamed from "Transaction and Payment Data Collection" to "Transaction and Payment Data Processing" with no severity change.

Anonymous and Aggregated Data Sharing Without Restriction

Provision renamed from "Anonymous Data Sharing Without Retention Limit" to "Anonymous and Aggregated Data Sharing Without Restriction" with no content or severity change.

View full change record →
Medium — 6 provisions
Low — 3 provisions

Monitoring

Steam has updated this document before.

Monitor includes same-day alerts, structured change summaries, and monitoring for up to 25 platforms.

Start Monitor free trial Or create a free account →

Compliance Governance Intelligence

Need provision-level monitoring and regulatory mapping?

Compliance includes governance timelines, compliance memos, audit-ready analysis, and full provision tracking.

Start Compliance free trial

Cross-platform context

See how other platforms handle Legal Bases for Personal Data Processing and similar clauses.

Compare across platforms →

Mapped Governance Frameworks

CCPA/CPRA
California, USA
View official text ↗
COPPA
United States Federal
View official text ↗
Connecticut Data Privacy Act Amendments
US-CT
View official text ↗
CAN-SPAM
United States Federal
View official text ↗
FTC Act Section 5
United States Federal
View official text ↗
GDPR
European Union
View official text ↗
Indiana Consumer Data Protection Act
US-IN
View official text ↗
Kentucky Consumer Data Protection Act
US-KY
View official text ↗
UK GDPR
United Kingdom
View official text ↗
Universal Opt-Out Mechanism Expansion 2026
US
View official text ↗
VPPA
United States Federal
View official text ↗
Archival ProvenanceSource & Archival Record
Last Captured June 3, 2026 00:26 UTC
Capture Method Automated scheduled archival capture
Document ID CA-D-000182
Version ID CA-V-003371
SHA-256 c4ffc8f97953997c6c13f445cbd9e1d3e0812f79defcf339670682f770e4fa86
✓ Snapshot stored ✓ Text extracted ✓ Change verified ✓ Hash verified

Governance Monitoring

Monitor governance changes across the platforms you rely on.

Structured alerts for policy changes, governance events, and provision updates across 318+ platforms.

Create free account Compare plans