What can I do about this clause?

{'method': 'EMAIL', 'recipient': 'privacy@valvesoftware.com', 'difficulty': 'MODERATE', 'action_type': 'DELETE_DATA', 'instructions': 'To object to legitimate-interests processing, email privacy@valvesoftware.com stating your objection and the specific processing activities you wish to restrict. EU/UK users have a right to object under GDPR Art. 21.', 'deadline_days': None, 'deadline_hours': None}

Which regulatory agencies enforce this type of clause?

{'agency': 'FTC', 'reason': 'The FTC has authority over unfair or deceptive data practices under FTC Act Section 5, including overly broad legitimate interests claims used to justify data sharing.', 'complaint_url': 'https://reportfraud.ftc.gov/'}

What is the severity of this clause?

ConductAtlas classifies this Legal Bases for Personal Data Processing clause as high severity. Severity reflects the magnitude of rights affected, the breadth of users impacted, and the degree of discretion the platform retains.

Legal Bases for Personal Data Processing — Steam

Share 𝕏 Share in Share 🔒 PDF

What it is

Steam processes your personal data based on four legal justifications: because it needs to in order to run the service, because the law requires it, because it or a third party has a legitimate business interest, or because you consented. The 'legitimate interests' basis is the broadest and can be invoked without your explicit consent.

Consumer impact (what this means for users)

Valve can share and process your personal data under 'legitimate interests' without obtaining your explicit consent, meaning behavioral tracking, content recommendations, and third-party sharing can occur by default unless you actively object.

What you can do

⚠️ These actions may provide transparency or partial mitigation but may not fully address the underlying issue. Effectiveness varies by jurisdiction and individual circumstances.

Delete Your Data

To object to legitimate-interests processing, email privacy@valvesoftware.com stating your objection and the specific processing activities you wish to restrict. EU/UK users have a right to object under GDPR Art. 21.

Cross-platform context

See how other platforms handle Legal Bases for Personal Data Processing and similar clauses.

Compare across platforms →

Need full compliance memos? See Professional →

Why it matters (compliance & risk perspective)

The 'legitimate interests' basis (option c) allows Valve to process your data without your consent for a wide range of purposes — including sharing with third parties — as long as Valve determines its interests aren't overridden by yours, which gives the company significant discretion over your data.

View original clause language

Valve collects and processes Personal Data for the following reasons: a) where it is necessary for the performance of our agreement with you to provide a full-featured gaming service and deliver associated Content and Services; b) where it is necessary for compliance with legal obligations that we are subject to (e.g. our obligations to keep certain information under tax laws); c) where it is necessary for the purposes of the legitimate and legal interests of Valve or a third party (e.g. the interests of our other customers), except where such interests are overridden by your prevailing legitimate interests and rights; or d) where you have given consent to it.

Institutional analysis (Compliance & legal intelligence)

REGULATORY FRAMEWORK: This provision directly engages GDPR Art. 6(1)(a) (consent), Art. 6(1)(b) (contractual necessity), Art. 6(1)(c) (legal obligation), and Art. 6(1)(f) (legitimate interests). For legitimate interests, GDPR Art. 6(1)(f) requires a three-part balancing test (purpose, necessity, balancing) documented in a Legitimate Interests Assessment (LIA). Recital 47 GDPR provides guidance. UK GDPR mirrors these requirements. Enforcement authority: EU DPAs and UK ICO.

🔒

Compliance intelligence locked

Regulatory citations, enforcement risk, and due diligence action items.

Watcher $9.99/mo Professional $149/mo

Watcher: regulatory citations. Professional: full compliance memo.

Applicable agencies

FTC

The FTC has authority over unfair or deceptive data practices under FTC Act Section 5, including overly broad legitimate interests claims used to justify data sharing.
File a complaint →

Provision details

Document information

Document

Steam Privacy Policy

Entity

Steam

Document last updated

April 29, 2026

Tracking information

First tracked

April 18, 2026

Last verified

April 18, 2026

Record ID

CA-P-002928

Document ID

CA-D-00182

Evidence Provenance

Source URL

https://store.steampowered.com/privacy_agreement/

Wayback Machine

View archived versions →

SHA-256

63210b28892392d9dae07097221e6ab8458f850d4edd68ce4be0bc540f120bb5

Verified

✓ Snapshot stored ✓ Change verified

How to Cite

ConductAtlas Policy Archive
Entity: Steam | Document: Steam Privacy Policy | Record: CA-P-002928
Captured: 2026-04-18 10:57:26 UTC | SHA-256: 63210b28892392d9…
URL: https://conductatlas.com/platform/steam/steam-privacy-policy/legal-bases-for-personal-data-processing/
Accessed: May 2, 2026

Classification

Severity

High

Legal Bases for Personal Data Processing