Nachtrae Apr 11, 2018 @ 2:19am
Steam's new privacy settings and new EU law (GDPR)
Starting on May 25th a new EU law will start to be enforced (after being adopted back in 2016 and given a 2 year adaptation period) called the General Data Protection Regulation (or GDPR). Any company dealing with EU customers will have to comply with this law or be at risk of being fined an amount of up to 4% of their annual global turnover.

This law is in regards to protecting personal data which is, according to the EU commission: "personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address." Yes, this also includes your game-library, hours played, and your earned achievements. Under GDPR Valve cannot just show people your library unless you have given them specific permission to use your data to display your library. Hence the new privacy settings.

For more information, here's the GDPR wiki[en.wikipedia.org]
And the GDPR website[www.eugdpr.org]

It is a shame for the third-party websites that gave many of us valuable information, but at the end of the day their scripts were data-mining scripts. I am certain someone will come up with a clever way to bring us the information people thought useful regardless of these changes.

As for why the changes are globally implemented: Let's be honest it's easiest to maintain a single platform rather than break it up into tiny pieces.
Last edited by Nachtrae; Apr 11, 2018 @ 2:26am
Showing 1-15 of 130 comments
The End Apr 11, 2018 @ 2:32am 
I'm wondering what The Way Back machine will do, I guess they have to comply too.
Nachtrae Apr 11, 2018 @ 2:37am 
Quite possibly yes, though I have no idea how they would go about archiving while still protecting user data. It's hard to say exactly how vast the consequences will be, or how fines and punishments will be handled upon breaching, as there is no real precedent yet.
The End Apr 11, 2018 @ 2:44am 
It will be interesting to see how it pans out.
Nachtrae Apr 11, 2018 @ 4:09am 
Originally posted by Eisberg:
Going over the law, I would say it is more about Valve being safe, rather than be sorry later on. The law really isn't clear enough to determine if the game library and time played is really protected under that new law, but I can understand Valve wanting to not worry about that mess to find out if it really is when it is far easier just to comply just in case. It really is not worth it to find out and fight it over something like this. So yeah, I don't blame them at all.

But I do fully expect to see posts where people are going to want to argue that the law doesn't specifically state it is covered under that law and therefore Steam is doing it for a different purpose rather than trying to comply with the law.

That's fair. My workplace is also affected by these changes so there was a bit of discussion about it and the main consensus really was "ask 5 different experts and you'll get 5 different responses". In the broadest sense of explanation your game library and time played would fall under personal data because it is data about you, in that you bought it and played it. Narrow it a bit more, and you could get to information directly created by you in the sense of social media posts, and information like time played could end up falling outside of that.

Is it something anyone would want to find out after enforcement has gone into effect and you end up being thoroughly investigated? Considering the fines I think most would respond with a 'hell no'. Better safe than sorry is a very understandable stance to take when there is no precedent at all yet.

As for the arguments....I mean, it's the internet. People will argue about anything and everything given half an excuse!
Baltasar Apr 11, 2018 @ 4:37am 
It's a bit sad that it took a decade and EU legislation for Valve to implement those features, but I'm really happy about the result. The more I can fine-tune what I want to share, the more I'm inclined to share anything at all. It's in Valve's best interest that I share as much as I can, because my friends might see what games I play and buy them, too.
sindanar Apr 11, 2018 @ 4:45am 
Originally posted by Eisberg:
Going over the law, I would say it is more about Valve being safe, rather than be sorry later on. The law really isn't clear enough to determine if the game library and time played is really protected under that new law...

Have done some work with GDPR and the EU Commission has so far said that "Personal Data" in terms of GDPR is defined as any data that, with the help of all other available data (ALL), can be used to determine who an individual is or anything about them/their activity.
This means that e.g. Steam Library, Achievements, etc, fall squarely under "personal data".
That the definition of personal data is incredibly broad is one of the main talking points when it comes to GDPR.

Here's the official definition:
'Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Source: https://gdpr-info.eu/art-4-gdpr/

My understanding is that the law is quite clear when it comes to data like achievements, gameplay hours, etc - these are references to an individual's identity (e.g. cultural/social).

However there's a lot of things to keep in mind with GDPR; some laws (local or otherwise) override it, there's an aspect to "reasonable" handling of personal data, and there won't be any really hard lines in the sand until one (or more) case(s) go to court - and receive judgement.
There may well be precedents set, or amendments made to the law, that have a huge effect on practical application.

One way or another, things can potentially get very interesting for many companies & services - and those who use them. For better or worse :)
Nachtrae Apr 11, 2018 @ 4:57am 
Originally posted by sindanar:
Have done some work with GDPR and the EU Commission has so far said that "Personal Data" in terms of GDPR is defined as any data that, with the help of all other available data (ALL), can be used to determine who an individual is or anything about them/their activity.
This means that e.g. Steam Library, Achievements, etc, fall squarely under "personal data".
That the definition of personal data is incredibly broad is one of the main talking points when it comes to GDPR.

Here's the official definition:
'Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Source: https://gdpr-info.eu/art-4-gdpr/

My understanding is that the law is quite clear when it comes to data like achievements, gameplay hours, etc - these are references to an individual's identity (e.g. cultural/social).

However there's a lot of things to keep in mind with GDPR; some laws (local or otherwise) override it, there's an aspect to "reasonable" handling of personal data, and there won't be any really hard lines in the sand until one (or more) case(s) go to court - and receive judgement.
There may well be precedents set, or amendments made to the law, that have a huge effect on practical application.

One way or another, things can potentially get very interesting for many companies & services - and those who use them. For better or worse :)

That definition is indeed very broad! I admit to not having looked in depth at the info yet (sue me, I'm at work) so thanks for putting that up here! I'll have to look over the GDPR in more detail later today, because it is rather interesting to finally see the government play catch-up with the internet. I imagine some scandals / lawsuits will pop up in the coming year from companies that played a little less safe than they should've. Facebook will probably stay clear of that, having been caught before the law was enforced. Many prying eyes will be upon them for the foreseeable future though! In that sense the FB privacy scandal reached the light at just the right time. Privacy awareness for all, but no backlash in fines for them.

Maybe just a little too perfect a time? Hmmmm *tinfoil hat intensified*
Nikaas Apr 11, 2018 @ 5:22am 
This change is not related to this law because a lot of info still remains available. On top of that there is already an option that complies (and much better) with the law and that's the private profile.
Last edited by Nikaas; Apr 11, 2018 @ 5:24am
More privacy options is a good thing and I fully support it.

I however think all users should be informed that their privacy settings have been changed. There aren't a lot of people reading the blog posts, these discussion boards or the update notes.

Making a decision about the privacy settings on their behalf, without notifying them (no matter the direction of change) isn't good in my opinion.
Gekkibi Apr 11, 2018 @ 5:38am 
Originally posted by Eisberg:
Originally posted by Nikaas:
This change is not related to this law because a lot of info still remains available. On top of that there is already an option that complies (and much better) with the law and that's the private profile.
Like what information?
I've been digging around for some time now, and so far I've noticed that if a private profile has published at least one public review then the number of games in their library becomes public.

Besides this, haven't personally seen any other unintentional behaviours.
Nachtrae Apr 11, 2018 @ 5:40am 
Originally posted by Nikaas:
This change is not related to this law because a lot of info still remains available. On top of that there is already an option that complies (and much better) with the law and that's the private profile.
One of the changes that (at least in my opinion) points to this being related to the GDPR is that the settings do not default to public (which would be breaking GDPR). Regardless, I am curious about this remaining info. It may be things Valve missed in their updates (and their release now means about a month of time to fix all the wrinkles in the code).

Originally posted by TackerTacker:
More privacy options is a good thing and I fully support it.

I however think all users should be informed that their privacy settings have been changed. There aren't a lot of people reading the blog posts, these discussion boards or the update notes.

Making a decision about the privacy settings on their behalf, without notifying them (no matter the direction of change) isn't good in my opinion.
This is a good point and I agree. A site-wide inbox message or pop-up notification that informs the user would be appropriate. I myself rarely read the blog posts and just kinda stumbled upon this one by chance....and then rolled my eyes so hard at the 'user feedback' part that they're still spinning in their sockets.
Last edited by Nachtrae; Apr 11, 2018 @ 5:42am
Crashed Apr 11, 2018 @ 6:23am 
Originally posted by Eisberg:
Originally posted by Nikaas:
This change is not related to this law because a lot of info still remains available. On top of that there is already an option that complies (and much better) with the law and that's the private profile.
Like what information?
Date of birth is transmitted plaintext from your cookies with every click on the Store. It's part of a discontinued feature that pre-filled the age gate.
Seeing as you work in IT it should be easy to test.
Last edited by Crashed; Apr 11, 2018 @ 6:24am
Nachtrae Apr 11, 2018 @ 6:32am 
Originally posted by Crashed:
Originally posted by Eisberg:
Like what information?
Date of birth is transmitted plaintext from your cookies with every click on the Store. It's part of a discontinued feature that pre-filled the age gate.
Seeing as you work in IT it should be easy to test.
A cookie is stored locally, on my and your computer, and I can clear mine at any time. Privacy windows also do not store these cookies beyond your single session. Other computers cannot access these cookies and their data, making this a separate issue from the privacy settings as this affects what other people see in regards to YOUR info.

Should it be cleaned up? Possibly. If it's indeed unused, the code is just clutter. However, not so much a privacy issue unless your computer is already compromised.
Last edited by Nachtrae; Apr 11, 2018 @ 6:33am
Ba[R]aD` Apr 11, 2018 @ 6:35am 
I don't feel like hiding game details is a big change even tho I won't be using it.. I'd like to see more features added to protect our privacy beyond game library
Last edited by Ba[R]aD`; Apr 11, 2018 @ 6:37am
Crashed Apr 11, 2018 @ 7:20am 
Originally posted by Nachtrae:
Originally posted by Crashed:
Date of birth is transmitted plaintext from your cookies with every click on the Store. It's part of a discontinued feature that pre-filled the age gate.
Seeing as you work in IT it should be easy to test.
A cookie is stored locally, on my and your computer, and I can clear mine at any time. Privacy windows also do not store these cookies beyond your single session. Other computers cannot access these cookies and their data, making this a separate issue from the privacy settings as this affects what other people see in regards to YOUR info.

Should it be cleaned up? Possibly. If it's indeed unused, the code is just clutter. However, not so much a privacy issue unless your computer is already compromised.
Actually it stores the lastagecheckage cookie still, and while cookies are stored locally they are processed remotely. The browser has no idea when they are needed so it transmits them with every HTTP request as part of the request headers.
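
The cookie behaviour discussed in the replies above, as an added example that is not part of any post in this thread: a simplified model of how a browser decides which stored cookies to attach to a request. The host name, cookie values, attributes and the `sessionid` and `cartid` cookies are constructed assumptions; only the `lastagecheckage` name comes from the thread.

```javascript
// Simplified RFC 6265 cookie selection: host, path and Secure checks only.
// Host name, cookie values and attributes are constructed for illustration.
const jar = [
  { name: "lastagecheckage", value: "CONSTRUCTED-DOB", domain: "store.example.test",
    path: "/", secure: false, hostOnly: true },
  { name: "sessionid", value: "CONSTRUCTED-SESSION", domain: "store.example.test",
    path: "/", secure: true, hostOnly: true },
  { name: "cartid", value: "CONSTRUCTED-CART", domain: "store.example.test",
    path: "/cart", secure: true, hostOnly: true },
];

function domainMatches(host, cookie) {
  if (host === cookie.domain) return true;
  // Only cookies set with a Domain attribute are shared with subdomains.
  return !cookie.hostOnly && host.endsWith("." + cookie.domain);
}

function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Cookies a browser would attach to a request for `url`.
function cookiesSentWith(url, cookies = jar) {
  const u = new URL(url);
  return cookies.filter((c) =>
    domainMatches(u.hostname, c) &&
    pathMatches(u.pathname, c.path) &&
    (!c.secure || u.protocol === "https:"));
}

// The Cookie request header the server receives.
function cookieHeader(url, cookies = jar) {
  return cookiesSentWith(url, cookies).map((c) => `${c.name}=${c.value}`).join("; ");
}

// Audit helper: names of cookies that would cross the network unencrypted.
function sentInCleartext(url, cookies = jar) {
  if (new URL(url).protocol !== "http:") return [];
  return cookiesSentWith(url, cookies).map((c) => c.name);
}

console.log(cookieHeader("https://store.example.test/app/123"));
console.log(cookieHeader("http://store.example.test/app/123"));
console.log(sentInCleartext("http://store.example.test/"));
```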

Date Posted: Apr 11, 2018 @ 2:19am
Posts: 130