Are we allowed to include the usage of Third Party Services in a Roblox game?

Can we include the use of Third Party Services in our games?

For example, when a player joins the game, we check if they have a tag of some sort on a website through Third Party Services, and if they are tagged then we do something. It can be for anything else other than a tag, and it can be anything other than a website too. Does Roblox allow this kind of stuff or not?

I wanted to ask this because I don’t fully understand the explanation on Third Party Services in Roblox’s Terms of Use, they didn’t explain if we can use them in our games or not.

2 Likes

Yes, that is why the HttpService exists after all.
The only thing you are not allowed to do is to sell in-game stuff via a 3rd party channel outside Roblox.

1 Like

Roblox didn’t state this information in their Terms of Use when they explained how Third Party Services should work on their platform. From my understanding, they only explained how social media websites such as Twitter would work with their platform, so where exactly did you get your claims from, and can you prove that they are true?

I would like it if you went deeper into this so we could fully understand how Roblox behaves when they find this kind of stuff in their games.

I got accepted into the dev forum back in 2017 for a system I made (think Xbox achievement system) that used my website to store data, and I would access it. Now a project I have uses my website, along with a Discord OAuth token to get things.

Yeah they are allowed. What’re you trying to do?

It’s allowed, but I’m pretty sure there are scenarios where you have to be careful. If you’re storing data about players, I’m pretty sure you need to follow GDPR. You also need to make sure that your use of an external service is permitted by their Terms of Service.

For example, if you’re using Discord, you’d want to ensure that your use follows their developer/API policy and ToS. Discord was/is blocked from Roblox servers due to spamming their API. I think they have let up on this restriction and focus more on individual abusers, but I haven’t checked recently.

Edit: Here’s a page from Roblox about managing personal information: About GDPR and CCPA | Documentation - Roblox Creator Hub

1 Like

Some tips to stay safe:

  • Follow local and federal data collection guidelines for your target audience. I don’t think it’s quite ready yet, but PolicyService should assist with this later on.
  • Do not prompt for additional data beyond Roblox Username and UserId. Having a Player sign into a third party service in game (even if pushing to use a different password/alternative authentication method) leads into grey to black areas. It’s best to avoid it at all costs.
  • For any data you do store, use best practices for transmission and storing of data.

As long as you follow these tips, you should be good.

Edit: Clarification for third party authentication
Now, there is a way this can be done, you just gotta be careful. Let’s use RoVer/Bloxlink for example, as these services validate your Roblox identity on Discord. As long as you do not directly promote the third party service in-game, use the Roblox approved external URL slots, and follow known accepted practices on this (such as having a pinned tweet on your main Twitter containing links to websites or on your bio), you can have users do additional validation/whatever on your third party service.

2 Likes

@ChasingSpace Thank you for your informative reply but I still have some questions about your reply:

In the link that you provided it also contains something called “CCPA” and then goes to deeply explain it, should I also learn more about the “CCPA” too whilst learning more about “GDPR” or is that not related to Third Party Services?

@Reinitialized Thank you for your informative reply too but I also have a few questions about your reply:

Do you know where I can learn more about local and federal data collection guidelines?

Do you know where I can learn more about these best practices so I can improve what I’m doing?

Where am I able to find these “Roblox approved external URL slots” and known accepted practices and is there any explanation on why I should have a pinned tweet on my main Twitter account containing links to websites and also what websites are they, the websites that I use for the Third Party Services?

Yes. As @Reinitialized said, you can use PolicyService:GetPolicyInfoForPlayerAsync to get specific policy rules for an individual player. This includes a table of acceptable external URLs, however I don’t know if this feature is enabled either. Documentation seems to point towards it being available right now.

For whatever data you store about players, even down to their user ID, ensure you have a way to permanently delete it. You should only have to delete these when you are sent an official message from Roblox on behalf of someone requesting their data be deleted through one of these policies.

1 Like

  • The data collection laws will heavily depend on the audience you are targeting. There are engine provided APIs which allow you to determine which countries your Players come from, however I do believe PolicyService will become the standard for staying compliant in the future as Roblox expands. Unfortunately, I don’t know when they plan to expand nor officially release the service.

  • Best practices for transmission and storing of data include, but are not limited to:
    ~ HTTPS on endpoints handling sensitive data at a minimum (full domain coverage recommended). You can look into Let’s Encrypt on how to do this for free
    ~ Using a battle-tested database such as PostgreSQL (you should be able to Google best practices regarding configuring and storing data)
    ~ Endpoint authentication/authorization for ensuring only authorized systems are accessing your data (I’d look into JSON Web Tokens/JWT as a simple but secure way of handling this)
    ~ This is not a complete list. I’d advise Googling best practices for handling sensitive data over Internet-facing services.

  • I’m not at my computer at the moment, so I’m not sure if these settings are for Games or the individually associated places, but you should be able to find a tab called “Social Links” under the configuration of one of these two areas

3 Likes
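An added example, not code from any poster in this thread: a minimal sketch of the endpoint authentication/authorization mentioned above, combined with the earlier advice to key stored data by UserId and to be able to delete it permanently. It uses only the Python standard library; `SECRET`, `PLAYER_DATA`, the `scope` claim and all function names are hypothetical, the dictionary stands in for a real database such as PostgreSQL, and the endpoint is assumed to be served over HTTPS.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"   # placeholder: load from a secret store
PLAYER_DATA = {}                      # stand-in for the real database, keyed by UserId

def _enc(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _dec(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _mac(secret: bytes, signing_input: str) -> bytes:
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()

def sign_token(claims: dict, secret: bytes = SECRET) -> str:
    """Issue an HS256 JWT, as the trusted caller (e.g. the game server) would."""
    head = _enc(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _enc(json.dumps(claims).encode())
    return f"{head}.{body}.{_enc(_mac(secret, f'{head}.{body}'))}"

def verify_token(token: str, secret: bytes = SECRET, now=None) -> dict:
    """Return the claims of a valid token; raise ValueError for anything else."""
    try:
        head, body, sig = token.split(".")
        header, claims = json.loads(_dec(head)), json.loads(_dec(body))
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise TypeError("header and claims must be JSON objects")
        signature = _dec(sig)
    except Exception as exc:
        raise ValueError("malformed token") from exc
    if header.get("alg") != "HS256":          # pin the algorithm, never trust the header
        raise ValueError("unexpected algorithm")
    if not hmac.compare_digest(signature, _mac(secret, f"{head}.{body}")):
        raise ValueError("bad signature")     # constant-time comparison
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= (time.time() if now is None else now):
        raise ValueError("expired or missing exp")
    return claims

def handle_request(token: str, action: str, user_id: int, value=None, now=None):
    """Authorize by the token's scope claim, then write or permanently erase."""
    scope = verify_token(token, now=now).get("scope")
    if not isinstance(scope, list) or action not in scope:
        raise PermissionError("scope not granted")
    if action == "write":
        PLAYER_DATA[user_id] = value
    elif action == "erase":
        PLAYER_DATA.pop(user_id, None)
    return PLAYER_DATA.get(user_id)
```

Issuing short-lived tokens with separate `write` and `erase` scopes keeps a leaked game-server token from being usable for deletion, and the reverse.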

I will be checking out the policy service but there’s a question that I have about the link that you sent which is a law that’s in the link that you provided which is called the “CCPA” law, should I be worried about this law along with the “GDPR” law? Does it have to do something about Third Party Services?

It only has to do with the storage of data about players and their rights to privacy. It doesn’t directly relate to usage of third-party services if you aren’t storing data about players on them.

1 Like