Anti-cheat software vs. data protection: legal risks and design options

Modern multiplayer games battle cheating on a daily basis – unauthorized tricks or hacks that give individual players an unfair advantage. In order to keep their game worlds fair, providers rely on anti-cheat software that can intervene deeply in the player’s system. However, this raises significant data protection issues. This article sheds light on how anti-cheat technologies (e.g. kernel drivers, behavioral analysis and client-side monitoring) are to be legally classified, what risks exist and how a data protection-compliant design can succeed. The article also discusses whether a non-functioning anti-cheat or anti-copy protection system can be considered a material defect under German civil law.

Anti-cheat technologies and their relevance under data protection law

Anti-cheat systems today often work with far-reaching technical means. Some games install kernel drivers that search for cheat software with extensive system rights. Other solutions monitor player behavior using analytics: they log mouse movements, keystrokes or game statistics in order to identify conspicuous patterns. Client-side scanning of memory and running processes is also used to detect manipulation of the game client or unauthorized programs (e.g. aim bots, wallhacks). All these measures serve legitimate purposes – in particular the integrity of the game and the protection of honest players. However, they inevitably encroach on users’ privacy. They collect data directly on the player’s end device and in some cases create detailed profiles of their usage behavior. From a data protection perspective, these are significant intrusions that require a legal basis and careful consideration.

Permitted data processing: legal basis for anti-cheat measures

The first question that arises with any anti-cheat data processing is whether it is lawful under the GDPR. In practice, player consent (Art. 6 para. 1 lit. a GDPR) is usually ruled out – hardly any cheaters will actively consent to being monitored. Consent would also hardly be voluntary if the game cannot be used without anti-cheat. Providers therefore generally rely on other types of permission:

• Performance of the contract (Art. 6 para. 1 lit. b GDPR): There are good arguments for considering anti-cheat measures to be necessary for the performance of the contract with the player. Anyone using an online game can expect that the provider owes them a cheat-free gaming experience. The provision of fair competition – free from cheaters – can be seen as part of the contractual performance. However, this view presupposes that fair play is actually agreed in the contract or in the terms of use as part of the service.
• Legitimate interest (Art. 6 para. 1 lit. f GDPR): In most cases, game companies rely on the legitimate interest of preventing cheating. In fact, the provider has a significant legitimate interest in preserving the integrity of its game. Cheating damages the gaming experience, drives away honest customers and can damage the provider economically. However, Art. 6 para. 1 lit. f GDPR requires a balancing of interests: The measures must not disproportionately interfere with players’ rights. This depends on the design – is only data that is absolutely necessary for cheat detection collected? Is the evaluation automated and non-transparent, or are there human control mechanisms and transparency towards users? A strict purpose limitation (only use of the data to combat cheating) and data economy are essential to protect the interests of the players.

In addition to the GDPR, Section 25 of the Telecommunications Telemedia Data Protection Act (TDDDG, formerly TTDSG) must be observed in Germany. This standard protects the confidentiality of end devices and generally requires consent before information is read from the user’s device. Anti-cheat tools that read hardware IDs or scan memory, for example, fall under this regulation. However, Section 25 para. 2 no. 2 TDDDG provides for an exception: No consent is required if the access is “absolutely necessary” in order to provide the telemedia service expressly requested by the user. The German supervisory authorities (Data Protection Conference) have clarified that anti-cheat measures can fall under this fraud prevention clause. In multiplayer games, the average user expects a certain degree of cheat protection as part of the service. If technical access (such as reading out a hardware ID for a hardware ban) is technically absolutely necessary to enable a fair game, this may be permissible without consent. Nevertheless, the authorities interpret “absolutely necessary” restrictively – the intervention must be technically indispensable and appropriate in order to be able to operate the service as desired.

Automated decisions to ban and Art. 22 GDPR

A central point of contention is what happens if the anti-cheat software fails: Does it automatically lead to sanctions such as a game ban or a permanent ban of the user account? Such decisions have significant consequences for affected players – financial losses (paid games or in-game purchases are lost) and exclusion from the community. In terms of data protection law, this is referred to as an automated decision with a significant impact, which falls under Art. 22 para. 1 GDPR. According to this provision, every person has the right “not to be subject to a decision based solely on automated processing which significantly affects [them]”. Fully automated bans without human intervention are therefore generally not permitted, unless an exception applies.

However, the GDPR recognizes narrow exceptions in Art. 22 (2) in which automated decisions are permitted: (a) if they are necessary for the conclusion or performance of a contract with the data subject, (b) if they are based on explicit consent, or (c) if they are permitted by law (the latter is not yet the case in the gaming sector). It is difficult to apply one of these exceptions to anti-cheat bans. As outlined above, player consent is rarely given. Whether an automatic ban is “necessary for the performance of the contract” is the subject of controversial debate. It can be argued that without rigorous automatic bans, the product will not function in accordance with the contract (cheat-free). However, case law applies strict standards: The ECJ ruled at the end of 2023 (judgment of 07.12.2023, C-634/21 – SCHUFA) that automated score calculations with significant effects are only permissible with express consent or genuine contractual necessity. These principles should also apply to automated cheat detection. In case of doubt, providers should therefore not rely solely on Art. 6 para. 1 lit. f GDPR (legitimate interest) – although this may allow processing, Art. 22 as a more specific prohibition of automated decisions takes precedence.

In practice, it is strongly recommended that human control instances are built in. If the anti-cheat software decides on a ban, at least one trained person should be able to review the case before the final sanction is imposed. Simply “nodding off” the machine’s decision is not enough – the human decision-maker must have a margin of discretion and be able to assess evidence (e.g. whether a detected cheat could possibly be a false alarm). Many game operators set up ticket and objection systems for this purpose: players are initially blocked temporarily and can lodge an objection, whereupon employees check the process. In this way, automated detection ultimately becomes a co-determined decision that is more in line with Art. 22 GDPR. This approach not only serves data protection, but also acceptance by the community – because incorrect bans can be corrected in this way.

It should be noted that legislators and supervisory authorities are increasingly focusing on the topic of automated decisions. In Germany, an amendment to the Federal Data Protection Act is currently being discussed (draft Section 37a BDSG), which is intended to create clearer rules for scoring and automated decisions. As things stand, the draft does not provide for any special permission for anti-cheat systems, but does contain, for example, a ban on purely automated decisions regarding minors. Should this become law, the automatic banning of minors without human review would probably be inadmissible. Game operators must therefore keep an eye on the development of the legal situation and adapt their anti-cheat processes to new requirements if necessary.

Supervisory authorities and current developments (2025)

Data protection supervisory authorities in Europe show understanding for the tension between combating cheating and data protection, but tend towards strict requirements for transparency and proportionality. In Germany, the Data Protection Conference (DSK) – the body of supervisory authorities – has emphasized in a guideline that anti-cheat measures are, in principle, legitimate fraud prevention. The reading of device information (such as hardware IDs or running processes) is considered permissible under certain circumstances, provided that the above-mentioned exception of Section 25 (2) No. 2 TDDDG applies. From the authorities’ perspective, it is important that the scope of data collection remains limited to the necessary minimum and that users are not left in the dark about this.

In practice, this means that an anti-cheat tool that permanently scans all private files, for example, would meet with massive resistance from the supervisory authorities. On the other hand, reading individual unique hardware identifiers or specific memory addresses is more likely to be accepted if this is necessary to identify known cheats. The authorities also expect providers to weigh up the risks in advance: What data should be used for what? Are there milder means? These considerations should be documented (keyword accountability according to Art. 5 para. 2 GDPR).

Recent decisions on the handling of anti-cheat data are interesting. In 2022, for example, the Danish Data Protection Agency allowed a games company not to disclose details of its anti-cheat algorithms in response to a request for information. The reason given: Too much disclosure would give cheaters insight into the protective measures and thus undermine the effectiveness of the system – to the detriment of both the company and honest players. This practical approach signals that confidentiality interests in anti-cheat systems are recognized as long as the principle of data security and integrity of the game is at stake. The European data protection committees (such as the EDPB) have also indicated in guidelines that transparency obligations must not go so far as to provide a kind of instruction manual for cheaters.

Nevertheless, these considerations do not exempt us completely from transparency. Players have a right to know that their data is being processed for cheat detection and, in broad terms, how it is being processed. The trend of the supervisory authorities in 2025 is to demand clear information obligations – for example through data protection declarations that name anti-cheat scanning as a processing activity, as well as information in terms of use. At the same time, however, the authorities support measures that protect the security of anti-cheat systems, e.g. exact algorithms or threshold values can remain under lock and key with reference to business secrets. Overall, the supervisory authorities paint a picture: anti-cheat is permissible and important, but privacy by design please – with a sense of proportion and openness towards players.

Requests for information from players: GDPR vs. anti-cheat secrets

Players who receive a ban or simply want to know what data a game has collected about them can submit a request for information in accordance with Art. 15 GDPR. This allows them to request access to the personal data processed – including data collected by anti-cheat software. This poses a tricky problem for providers: on the one hand, there is a fundamental obligation to provide data subjects with comprehensive information about their stored data. On the other hand, overly detailed information about anti-cheat logs or detection mechanisms could provide a cheater with precisely the knowledge they need to circumvent the system in future.

Legal practice shows possible solutions. On the one hand, a request for information may be abusive. If it is clear that a player is only using the request for information to obtain internal anti-cheat information (i.e. for purposes outside of data protection), the request can be denied. German courts have emphasized that the GDPR must not be misused as a tool for unrelated concerns. On the other hand, Art. 15 GDPR does not protect the provider’s business secrets. For example, a gaming company is not obliged to disclose its anti-cheat software in detail in the context of data disclosure if this information qualifies as confidential business secrets or security-relevant internal information. In such cases, it is sufficient to provide the requesting party with the basic data (e.g. that certain device data, log-in times, detected anomalies, etc. are stored for their person) without disclosing the exact functionality of the cheat detection.

In practice, it is advisable to respond to requests for information promptly and transparently, but in a balanced manner: players should be told which categories of personal data were processed in the anti-cheat process (e.g. hardware ID, process lists, conspicuous game statistics) and whether an automated decision was made. Further information – such as the internal thresholds at which the system “kicks in” or which exact test steps were carried out – can be refused if its disclosure would jeopardize the effectiveness of the security measures. This should also be factually justified in the response letter. This approach is in line with the tendencies of the supervisory authorities, as the aforementioned Danish case shows: transparency yes, but no oath of disclosure that plays into the hands of cheaters.

Data protection-compliant design of anti-cheat systems

In view of the legal requirements, game developers and operators should design anti-cheat measures in a privacy-friendly way from the outset. Some proven approaches to privacy by design in this context are:

• Transparent guidelines: Players need to know in advance that anti-cheat software is used and to what extent. Clear information in the privacy policy and terms of use creates trust. It is important to state the purpose openly (“ensuring fair play by detecting cheating”) and to name the most important data categories. Opaque or hidden monitoring measures can not only be legally problematic, but can also damage the provider’s image.
• Data economy and anonymization: An anti-cheat system should only collect the data that is really necessary. For example, many checks can be carried out locally on the player’s PC without all raw data being sent to the server. Where possible, pseudonymization should be used – for example, storing hardware IDs as hashed values so that no plain text of the serial numbers circulates within the company. Behavioral data can be aggregated or only processed in the event of conspicuous deviations. Any reduction in the amount of data reduces the intrusion weight and the risk to user rights.
• Optional privacy modes: Where practicable, providers can give their users a choice. For example, a game could offer a mode without anti-cheat scanning (e.g. for offline-only functions or single-player mode) in which no invasive checks take place. Another example is the design of competitive vs. recreational spaces: in ranked matches there is strict monitoring, while in private game rounds there may be a lower level of control. Such options give users a sense of control over their data. However, it must be clearly communicated that there may not be full cheat protection outside of protected areas.
• Clear processes and protection mechanisms: Internally, it should be precisely defined who has access to anti-cheat data and how long it is stored. Short deletion periods for harmless data (e.g. regular deletion of scans if no cheat has been detected) are appropriate. If external service providers (such as providers like Easy Anti-Cheat or BattlEye) are involved, order processing contracts in accordance with Art. 28 GDPR are mandatory, and these service providers must be selected carefully from a security and data protection perspective. There should also be an emergency plan in place in case the anti-cheat software goes wrong – including reporting channels for data subjects and corrective measures.

Through these and similar measures, a company can show that it has mastered the balancing act between security and privacy. A data protection-compliant anti-cheat system is not only legally secure, but also strengthens the company’s reputation with a gaming-savvy clientele that increasingly appreciates data protection.

Anti-cheat as a quality feature: Warranty issues according to BGB

Finally, it is worth taking a look at civil law: can an inadequate or non-functioning anti-cheat system even constitute a material defect that triggers warranty claims from buyers? This is a new question, but it is gaining in importance, as online games only actually fulfill their purpose with functioning cheat protection.

According to German law, a purchased product must fulfill the agreed quality and the usual expectations. For digital products – which includes computer games – this is governed by Section 327e BGB. A digital product is free of defects if it meets the subjective requirements (i.e. what has been contractually agreed) and the objective requirements (what a buyer can reasonably expect) when it is made available. Functionality and security are expressly included in these quality characteristics. Applied to online games, this means that if the manufacturer promises a certain anti-cheat system or advertises “high security against cheaters” in the product description, this expectation must also be fulfilled. If the system fails completely – for example because it is technically flawed or was not actively implemented in the first place – it could be argued that the game deviates from the promised quality. Fun and fair competition are at the heart of the performance of multiplayer titles. If a game is practically unenjoyable, e.g. due to massive cheating problems, there may be a defect because it is not suitable for normal use (see Section 327e (3) No. 1-2 BGB: Suitability for normal use and usual quality).

However, the legal situation in this regard has not been clarified by court rulings and is controversial in the literature. Traditionally, in the case of offline games, it has been discussed whether, for example, strict copy protection constitutes a defect – usually negated as long as the game is running, as the copy protection primarily protects the manufacturer, not the buyer. In contrast, a lack of cheat protection directly affects consumer interests: With an online game, the user is not just buying software, but access to a community in which fairness is an implicit promise. Especially in the age of software as a service and regular updates, there is much to suggest that a provider must also ensure that the balance of the game is maintained. The new rules oblige manufacturers to keep digital products up to date and secure (Section 327f of the German Civil Code, for example, stipulates update obligations). If urgently required anti-cheat updates are not carried out, opening the door to fraudsters, this could constitute a breach of the update obligation and therefore a material defect.

In practice, a warranty claim due to a failed anti-cheat system is rarely made – most players are more likely to express their frustration in the forum than legally complain about defects. However, in theory, a buyer who has been sold a game as “competitive and cheat-protected” could assert rights (e.g. reduction of the purchase price or withdrawal) if the system fails blatantly. Providers should keep this perspective in mind, especially when marketing and product promises heavily advertise cheat security. Exaggerated promises could end up having not only reputational but also legal consequences.

Conclusion

Anti-cheat software is caught between the poles of a fair gaming experience and data protection. For providers in the games and software industry, it is essential to know the legal guidelines: The processing of game data and device features to combat cheating is generally permitted for legitimate interests – but strict limits apply. Fully automated banning decisions without human review pose considerable risks under the GDPR. Although the data protection supervisory authorities support the fight against cheaters, they demand transparency, proportionality and technical and organizational precautions to protect player data. Companies should be prepared for requests for information and find a middle ground that protects players’ rights without compromising their own security mechanisms.

Privacy-by-design approaches can be used to implement effective cheat protection that is also compliant with data protection regulations – for example through minimal data collection, clear communication and the option of having decisions reviewed by humans in case of doubt. This not only preserves the loyalty of the player base, but also puts you on the safe side legally. After all, a game that is fair and secure is now part of the quality owed. Data protection and player protection go hand in hand – those who take both seriously show themselves to be an experienced and practical partner for the games industry in the digital age.

Author: Marian Härtel

Marian Härtel ist Rechtsanwalt und Fachanwalt für IT-Recht mit einer über 25-jährigen Erfahrung als Unternehmer und Berater in den Bereichen Games, E-Sport, Blockchain, SaaS und Künstliche Intelligenz. Seine Beratungsschwerpunkte umfassen neben dem IT-Recht insbesondere das Urheberrecht, Medienrecht sowie Wettbewerbsrecht. Er betreut schwerpunktmäßig Start-ups, Agenturen und Influencer, die er in strategischen Fragen, komplexen Vertragsangelegenheiten sowie bei Investitionsprojekten begleitet. Dabei zeichnet sich seine Beratung durch einen interdisziplinären Ansatz aus, der juristische Expertise und langjährige unternehmerische Erfahrung miteinander verbindet. Ziel seiner Tätigkeit ist stets, Mandanten praxisorientierte Lösungen anzubieten und rechtlich fundierte Unterstützung bei der Umsetzung innovativer Geschäftsmodelle zu gewährleisten.