The 2025 Esports World Cup attracted hundreds of millions of viewers, featured record-breaking prize pools, and showcased elite competition. It also marks another milestone in the ascent of esports, which has evolved from niche local gatherings into a multibillion-dollar global enterprise.
The global esports market is projected to reach $4.8 billion by the end of 2025, according to 2024 market research. This explosive growth coincides with a rapidly evolving international privacy landscape. In an ecosystem where virtually every interaction is mediated through digital platforms, privacy is central to the sustainability and integrity of the esports industry.
In the past five years alone, the US has seen a wide swath of state-level privacy laws come into effect, ranging from comprehensive privacy protection to sectoral laws protecting specialized categories of data such as biometric information.
The esports industry is inherently digital. Players stream live to millions of viewers across platforms such as Twitch and Discord, developers collect real-time performance analytics, and professional players use wearable tools to monitor metrics such as heart rate and reaction time.
These activities generate substantial personal data, subjecting industry participants to increasing global legal scrutiny.
Compliance Concerns
Due to the consumer-facing nature of the esports industry, participants must comply with consumer privacy laws, such as the California Consumer Privacy Act in the US and General Data Protection Regulation in the EU and UK. This requires adhering to privacy-by-design principles, honoring consumer privacy rights, performing privacy risk assessments, and maintaining accurate privacy policies.
Industry participants who engage in advertising in addition to the provision of their services must obtain affirmative, opt-in consent from users prior to collecting data for these purposes. Companies, meanwhile, need to ensure that use of personal data doesn’t trigger US federal scrutiny and liability under Section 5 of the FTC Act relating to unfair or deceptive business practices.
According to a 2024 study, 85% of teens play video games and, based on 2025 market research, two out of every five US children aspire to be professional esports players. The popularity of esports with minors raises additional compliance considerations under laws such as the GDPR, Children’s Online Privacy Protection Act, and state laws.
The GDPR imposes strict requirements for the lawful processing of children’s data, including transparency and parental authorization obligations. Under COPPA, operators must obtain verifiable parental consent before collecting data from children under the age of 13. Privacy laws and design code acts in the US and UK also regulate the collection of children’s data.
Certain US state children’s privacy laws, such as New York’s Child Data Protection Act, impose consent requirements for minors up to the age of 18 and impose additional limitations on how children’s data may be used and shared.
Wearable devices, worn by players to gain an edge using data-driven performance insights, create highly sensitive datasets related to players’ immutable characteristics. This biometric and “consumer health” data is subject to onerous requirements relating to consent and use.
Device manufacturers that process such data must treat it with heightened caution, adhering to applicable privacy regulations such as the Illinois Biometric Information Privacy Act and Washington’s My Health My Data Act.
Complying with these frameworks will require companies to obtain informed, opt-in consent prior to collection, especially when information will be disclosed to advertisers or used for purposes other than providing the direct user service.
The international character of the esports industry risks triggering legal obligations under cross-border data transfer laws. Entities engaged in the esports industry must adopt robust controls and globally compliant privacy governance programs.
For example, the GDPR prohibits the transfer of personal data outside the European Economic Area unless data exporters implement adequate safeguards such as standard contractual clauses or participation in frameworks like the EU-US Data Privacy Framework.
US regulations, such as the Department of Justice’s Bulk Data Rule, create new restrictions for transferring US citizen data to specific countries of concern, including China, Russia, and Iran.
Unlike traditional sports, where surveillance typically ends at the field of play, surveillance technologies used to enforce anti-cheating measures blur the line between necessary oversight and invasive monitoring. Anti-cheating software may track not just player inputs but also background processes on their systems.
Additionally, professional players may be monitored for sponsorship compliance, behavior, and training performance, sometimes to the extent of logging keystrokes or system usage. Developers and team managers should take care with the design and deployment of these technologies.
Certain esports industry participants, such as wearable device manufacturers, may be “processors” to esports streaming platforms and other businesses. Because some businesses in this space provide their offerings to both businesses and consumers, it can be easy for data flows to become commingled.
Businesses that agree to processor obligations should ensure that any collection or processing of player data complies with the privacy- and security-related contractual restrictions appropriate for their role as a processor.
Stakeholder Responsibilities
Responsibility for safeguarding privacy must be shared across the entire esports ecosystem. Developers and publishers are the primary controllers of game data and must ensure their practices are:
- Transparent and well-documented
- Aligned with privacy-by-design principles
- Secure, with appropriate encryption and audit mechanisms
- User-centric, including tools for access, deletion, and opt-out
Event organizers and team managers are tasked with overseeing registration systems, broadcast infrastructure, and logistics. They must:
- Ensure secure data handling practices
- Verify that third-party platforms comply with applicable privacy laws
- Establish and enforce policies that protect against data misuse
Platforms and sponsors must conduct robust due diligence to avoid legal exposure, which includes:
- Reviewing and negotiating data-sharing agreements
- Requiring partners to certify compliance with applicable privacy laws
- Offering meaningful controls over targeted advertising and data tracking
The evolution of the esports industry comes with a corresponding responsibility to prioritize privacy and cybersecurity. As lawmakers expand regulatory frameworks and enforcement actions increase, industry participants must “level-up” legally and treat data protection as a core business function.
This article does not necessarily reflect the opinion of Bloomberg Industry Group, Inc., the publisher of Bloomberg Law, Bloomberg Tax, and Bloomberg Government, or its owners.
Author Information
Jacqueline Klosek is a partner in Goodwin’s technology and life sciences business unit.
Jonathan Ng is an associate in Goodwin’s data, privacy, and cybersecurity practice.
Jacob Lee is an associate in Goodwin’s data, privacy, and cybersecurity practice.