Hindenburg Research's October 2024 report called Roblox an X-rated pedophile hellscape. Searching adult revealed Adult Studios with 3,334 members trading CSAM and soliciting children. 38 connected groups, one with 103,000 members. Former employees said Roblox chose not to implement parental controls because it would hurt growth metrics. Stock dropped 9%. SEC and FTC opened investigations.

The companion app (com.oculus.twilight) embeds Meta Audience Network — Meta's advertising SDK — alongside Facebook Analytics. Meta's head of global affairs Nick Clegg confirmed to the Financial Times that eye tracking data could be used "to understand whether people engage with an advertisement." The policy language "personalise your experiences and improve Meta Quest" is standard industry phrasing for ad targeting. Eye tracking reveals what captures attention, cognitive load, and emotional responses — precisely the data an advertising platform needs.

Mozilla Foundation review reveals Sony collects granular gameplay telemetry: "what obstacles I jump in a game, what levels I reach, who I play against, how many times I die." This level of behavioral surveillance goes far beyond what users expect from "how you use the software." Combined with hardcoded telemetry.api.playstation.com and activity.api.np.km.playstation.net endpoints, Sony is conducting detailed behavioral profiling, not just service improvement.

In December 2022, the FTC fined Epic Games $275 million for violating COPPA -- the largest COPPA penalty in history. Epic collected personal information from children under 13 without obtaining verifiable parental consent. Children's real names, email addresses, and voice recordings were collected and stored. Epic's age gate was trivially bypassed -- children could enter any birthdate. The company knew millions of its players were under 13 and did nothing to implement meaningful age verification. Internal documents showed Epic was aware of COPPA risks but prioritized growth over compliance. FTC Chair Lina Khan stated Epic used "privacy-invasive default settings" that harmed children. The company that made the most popular game among children treated child protection law as an afterthought.

In October 2025, Gaming Copilot was enabled by default, capturing screenshots via OCR and sending text to Microsoft for AI training without clear consent. 2026 rollout extends to entire Xbox user base. GDPR concerns raised in EU.

The Switch eShop silently added Google Analytics tracking in December 2020. US Nintendo Accounts are opted in by default with no age-gating for this telemetry. Telemetry opt-out settings are only available to EU/EEA users — NA/JP/AU users (including children with parental-consent accounts) have no way to disable eShop tracking without changing their account region. Children's browsing and purchase behavior is tracked by Google regardless of parental controls.

In August 2020, researcher Volodymyr Diachenko discovered a misconfigured Elasticsearch cluster exposing approximately 100,000 Razer customers' full names, email addresses, phone numbers, customer internal IDs, order numbers, order details, and billing/shipping addresses. The data was publicly accessible since 18 August 2020 and was indexed by search engines. A company "committed to safeguarding privacy" left a database of 100,000 customers' personal and financial details findable via Google.

Steam hosts hundreds of games with loot box mechanics -- randomized paid items with variable monetary value. CS:GO (Counter-Strike: Global Offensive) weapon skins created a multi-billion-dollar gambling economy. A 2016 Bloomberg investigation found CS:GO skin gambling was a $7.4 billion industry with no age verification. Third-party gambling sites used Steam's API to enable skin betting, with children participating. Trevor "TmarTn" Martin and Tom "ProSyndicate" Cassell were exposed by h3h3Productions for secretly owning CS:GO gambling site CSGO Lotto while promoting it to their young audiences without disclosure. The Netherlands' Gaming Authority classified certain loot boxes as illegal gambling (2018). Belgium's Gaming Commission banned paid loot boxes entirely (2018), declaring them gambling under Belgian law. Valve was slow to restrict third-party gambling sites, acting only after significant media pressure and FTC scrutiny.