With the recent update that came out, a new privacy policy requires acceptance. I want to take this opportunity to talk about privacy policies and how ZOS could make a bold statement to the broader community.
(For reference, you can read the new policy at https://account.elderscrollsonline.com/en-us/privacy-policy)
The ESO privacy policy that you must agree to contains the usual smattering of inane provisions whereby all of your personal data could be sold by Zenimax unless you opt out of said sale.
I don't think there is a single person on the planet that would willingly opt *IN* to this sale. Microsoft is literally the largest company in the world by market cap (ok, they're currently trading blows with nVidia). Why on earth would anyone agree to this? If a MS employee approached you and offered to sell your personal information without paying you the money from that sale, simply because you already bought a product from that employee, would you actually say yes?
ZOS has some sketchy defense in this policy to try to make the situation seem A-OK. It's not OK. See if you can spot the snake oil in this word salad that is directly in the policy that we are forced to agree to after buying the game (and that they can change at any time with another forced agreement and no refund!):
Do We "Sell" or "Share" Personal Information? California privacy laws define a "sale" as disclosing or making available to a third party, personal information in exchange for monetary or other valuable consideration, and "sharing" includes disclosing or making available personal information to a third party for purposes of cross-context behavioral advertising. We do not disclose personal information to third parties in exchange for monetary compensation. We may "sell" (as defined by the CCPA) Identifiers and Usage Data to third-party advertising networks, analytics providers, and social networks. We may "share" (as defined by the CCPA) Identifiers, Customer Records, Commercial Information, Geolocation Data, and Usage Data to third-party advertising networks, analytics providers, and social networks, as well as our Affiliates. We do not "sell" or "share" (as defined by the CCPA) sensitive personal information, nor do we "sell" or "share" any personal information about individuals who we know are under sixteen (16) years old.
....We don't make "sales", we just "sell".....
There's a nice subtlety in the tail end of that last sentence after a lot of hand waving that comes before it. See if you can spot it. The takeaway is that if you are over 16, your data will be sold, despite the denials at the start of the paragraph. I am aware that it's contrasting California law with the CCPA. I also don't care, because I'd rather you just not do anything at all.
And that leads to my primary issue (now that we're halfway through the post.... I guess I ramble...) --> Just flat out don't do it. Do you realize how powerful the effect of advertising THAT is? Make it into a whole campaign. People care about this stuff. And imagine how simple your policy would become! I am aware that a lot of the policy relates to things like payment processing, storage of data, and fallout of breaches, but let's be honest here. The reason why governments around the world are forcing you to write this wall of text in the first place is to protect consumers when you otherwise would screw them over. Why not try not screwing anyone at all, and then you don't need to be forced into the minimum possible level of compliance? I'd like to believe that ESO can survive as a product line without selling personal information on the side.
The policy further clarifies that depending on where you live, you might not get treated as badly. This makes no sense. Again, hold yourself to a higher ethical standard than the bare minimum that the law requires, and just treat people right because it's the right thing to do, and not because they live in a state that will take you to court if you don't. I understand that most businesses operate this way, but it's a terrible way to operate, and * ZOS * CAN * DO * BETTER *. Seriously. Look at what you do in the wider world of gaming. Is there any game ever produced that even somewhat compares to TES3? (yes, I'm biased about Morrowind, and yes, I'm lumping Beth and ZOS together. That's life.) The point here is that you as a company are innovation leaders. Innovate the same way when it comes to ethical standards of privacy, and forget what state or country requires what, because your policy is so good that it's better than any law. Set the ethical standard, ZOS!
Now, a smaller part of the issue with this policy is that it's too generic. It applies to the website itself as well as the game. Obviously, running ESO doesn't require cookies that aren't from Rimmen. But this policy is presented to me before I'm allowed to use the game I already paid for, so maybe it would be worthwhile to adjust that. I understand that the agreement here reflects agreement to the same policy when logging in to your account website, but I still think that it needs better separation. This sentence in particular makes little sense in-game: "you can also set your browser to transmit a "global privacy control" (GPC) signal or another approved "universal opt-out mechanism" to opt out of targeted advertising and sales (as defined under applicable law)." This isn't an issue with ethics, but I'm not going to make a separate post for this comment.
For reference (emphasis mine):
Residents of certain U.S. states have additional privacy rights under applicable privacy laws, subject to certain limitations, including:
Right to Correct: to correct inaccurate personal information, taking into account the nature and purposes of the processing of the personal information.
Right to Delete: to delete personal information provided to or obtained by us.
Right of Access: to confirm whether we are processing personal information and to obtain a copy of personal information in a portable and, to the extent technically feasible, readily usable format.
Rights to Opt Out: to opt out of certain types of processing, including:
to opt out of the "sale" of personal information by ZeniMax.
to opt out of the use and disclosure of personal information for the purposes of targeted advertising (i.e., cross-contextual behavioral advertising).
to opt out of processing (if any) of personal information for purposes of making decisions that produce legal or similarly significant effects.
to opt out of certain uses and disclosures of sensitive personal information by us.