Belgian and Spanish Regulators Release Joint Guide on Data Privacy for Video Games

Belgium’s Data Protection Authority (DPA) and Spain’s Agencia Española de Protección de Datos (AEPD) have issued a new guidance document on 18 June 2026, aimed at helping video‑game developers and publishers navigate the complex web of European data‑privacy rules.

The guide zeroes in on how the General Data Protection Regulation (GDPR) and the ePrivacy Directive apply to the gaming sector. It spells out the steps game operators must take to secure valid consent for cookies and other trackers, how to handle player data responsibly, and the obligations that arise when offering in‑game purchases such as loot boxes.

The publication follows the Belgian DPA’s 2026‑2028 strategic framework, adopted after a public consultation in November 2025. The framework prioritises two enforcement areas: (1) large‑scale data‑processing activities that pose high risks to citizens’ rights, and (2) high‑risk processing of personal data in sectors such as advertising and media. In line with these priorities, the Belgian authority has already settled with four media websites—L’Avenir, RTBF, Mediafin, and IPM—over cookie usage after complaints from the non‑profit organisation noyb.

Spain’s AEPD has updated its cookie and tracker guidance to align with the European Data Protection Board’s (EDPB) consent guidelines. The new guidance makes clear that any non‑essential cookie must be preceded by explicit, informed consent and that consent can be withdrawn at any time. It also reflects the EU ePrivacy Regulation’s forthcoming entry into force, which is expected to replace the 2002/58/EC directive.

Beyond cookies, the guide tackles the growing regulatory scrutiny of loot boxes. Spain is drafting legislation that would require game publishers to disclose the odds of obtaining items from loot boxes and to implement spending limits for minors. If enacted, the law would position Spain as the first EU country to regulate this feature.

The guidance cites the GDPR’s core principles—lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, and confidentiality. It explains that game operators must conduct a data‑protection impact assessment (DPIA) when processing large volumes of player data, especially if the data is used for behavioural profiling or targeted advertising.

Industry stakeholders have welcomed the clarity. A spokesperson for a leading European game publisher said the joint guidance will help the company align its data‑processing practices with both national and EU requirements, thereby reducing the risk of enforcement actions.

Regulators stress that the guide is a practical tool, not a legal instrument. The Belgian DPA and the AEPD encourage game developers to review their privacy policies, cookie banners, and data‑processing contracts in light of the new recommendations.

The guidance is available in French, Dutch, and Spanish, reflecting the linguistic diversity of the two countries. It is distributed through the official websites of the Belgian DPA and the AEPD and is also promoted by the European Data Protection Board.

For now, the guide serves as a reference point for compliance. Game operators are advised to update their privacy notices, implement robust consent mechanisms, and, where applicable, disclose loot‑box odds. The next steps involve monitoring the implementation of the proposed Spanish loot‑box law and any further regulatory updates from the Belgian DPA, especially as the 2026‑2028 enforcement priorities take shape.

In summary, the joint guide offers a comprehensive roadmap for video‑game companies operating in Belgium and Spain to meet GDPR and ePrivacy obligations, with a particular focus on cookie consent, data‑processing transparency, and the emerging regulatory landscape around loot boxes.