Valve collects and analyzes data about how users behave on Steam, and may share this anonymized data with other companies without restriction.
This analysis describes what Steam's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The policy asserts a broad right to share anonymized behavioral data with any third party, and the standard of what qualifies as sufficiently anonymized is not defined in the document, which may create re-identification risks depending on the data types involved.
Interpretive note: Whether Valve's anonymization practices meet the standard of GDPR recital 26 or CPRA de-identification requirements cannot be assessed from the policy text alone, as no methodology is described.
Provision renamed from "Anonymous Data Sharing Without Retention Limit" to "Anonymous and Aggregated Data Sharing Without Restriction" with no content or severity change.
View full change record →Behavioral patterns, usage habits, and demographic information derived from your Steam activity may be shared with third parties in anonymized form. Whether that anonymization meets regulatory standards such as GDPR recital 26 is not specified in the policy.
How other platforms handle this
We may share your personal information with our affiliates, meaning entities that control, are controlled by, or are under common control with Consensys. We also share information with service providers who assist in operating our services, subject to confidentiality obligations.
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
Loyalty and partner program companies. We share information with our loyalty and partner program companies, like Ulta Beauty and Marriott.
Monitoring
Steam has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"Valve also processes anonymous data, aggregated or not, to analyze and produce statistics related to the habits, usage patterns, and demographics of customers as a group or as individuals. Such anonymous data does not allow the identification of the customers to which it relates. Valve may share anonymous data, aggregated or not, with third parties.— Excerpt from Steam's Steam Privacy Policy
(1) REGULATORY LANDSCAPE: GDPR recital 26 establishes that data is only truly anonymous if it cannot be re-identified by any means reasonably likely to be used. The policy's assertion that anonymous data does not allow identification is a self-referential claim that may not satisfy this standard without documented anonymization methodology. The UK ICO and EU supervisory authorities have published guidance on anonymization standards. The FTC also addresses de-identification practices in its commercial data frameworks. (2) GOVERNANCE EXPOSURE: Medium. The unrestricted third-party sharing of anonymized data is a broad reservation. If any shared data is later found to be insufficiently anonymized under GDPR or CCPA standards, it would be treated as personal data subject to all applicable obligations, creating retroactive compliance exposure. (3) JURISDICTION FLAGS: EU and UK jurisdictions apply the most stringent anonymization standards. California's CPRA introduced additional requirements around de-identified data, including contractual obligations on recipients. Teams assessing this provision should apply the stricter of applicable standards. (4) CONTRACT AND VENDOR IMPLICATIONS: Agreements with third-party recipients of this anonymized data should include contractual prohibitions on re-identification attempts, as required under CPRA for de-identified data. The policy does not confirm such contractual safeguards are in place. (5) COMPLIANCE CONSIDERATIONS: Legal teams should request documentation of Valve's anonymization methodology to assess whether it meets GDPR and CPRA standards. If the methodology does not satisfy applicable standards, this sharing activity may require a legal basis and data subject disclosures.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
ConductAtlas detected a major restructuring of Meta’s privacy policy that removed detailed consumer rights disclosures and relocated them to separate documents.
Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The policy asserts a broad right to share anonymized behavioral data with any third party, and the standard of what qualifies as sufficiently anonymized is not defined in the document, which may create re-identification risks depending on the data types involved.
Behavioral patterns, usage habits, and demographic information derived from your Steam activity may be shared with third parties in anonymized form. Whether that anonymization meets regulatory standards such as GDPR recital 26 is not specified in the policy.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Steam.