Steam processes your personal data based on four legal justifications: because it needs to in order to run the service, because the law requires it, because it or a third party has a legitimate business interest, or because you consented. The 'legitimate interests' basis is the broadest and can be invoked without your explicit consent.
This analysis describes what Steam's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances.
The provision operationally defines the lawful grounds for data processing activities, establishing that Valve's collection practices span contractual necessity, regulatory compliance, institutional interests, and affirmative user authorization. This framework structures how personal data handling is justified under applicable data protection law.
The removal of explicit legal bases for data processing reduces transparency about GDPR-compliant justifications for personal data collection and may indicate reduced emphasis on lawful basis documentation.
Valve can share and process your personal data under 'legitimate interests' without obtaining your explicit consent, meaning behavioral tracking, content recommendations, and third-party sharing can occur by default unless you actively object.
How other platforms handle this
Runway is considered the "data controller" of the "personal data" (as defined under the General Data Protection Regulation) we handle under this Privacy Policy. In other words, Runway is responsible for deciding how to collect, use, and disclose personal data, subject to applicable law. The laws of ...
Signal can optionally discover which contacts in your address book are Signal users, using a service designed to protect the privacy of your contacts. Information from the contacts on your device may be cryptographically hashed and transmitted to the server in order to determine which of your contac...
We use your information to send you marketing communications about Square products and services that may be of interest to you, including based on your transaction history, usage patterns, and preferences. You may opt out of receiving marketing communications from us.
Monitoring
Steam has changed this document before.
"Valve collects and processes Personal Data for the following reasons: a) where it is necessary for the performance of our agreement with you to provide a full-featured gaming service and deliver associated Content and Services; b) where it is necessary for compliance with legal obligations that we are subject to (e.g. our obligations to keep certain information under tax laws); c) where it is necessary for the purposes of the legitimate and legal interests of Valve or a third party (e.g. the interests of our other customers), except where such interests are overridden by your prevailing legitimate interests and rights; or d) where you have given consent to it." — Excerpt from Steam's Steam Privacy Policy
REGULATORY FRAMEWORK: This provision directly engages GDPR Art. 6(1)(a) (consent), Art. 6(1)(b) (contractual necessity), Art. 6(1)(c) (legal obligation), and Art. 6(1)(f) (legitimate interests). For legitimate interests, GDPR Art. 6(1)(f) requires a three-part balancing test (purpose, necessity, balancing) documented in a Legitimate Interests Assessment (LIA). Recital 47 GDPR provides guidance. UK GDPR mirrors these requirements. Enforcement authority: EU DPAs and UK ICO.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Steam.