Complying with GDPR

Hi. I’m working on a game where users can have multiple “save files.” I purposely have designed my system in a way that allows for users to have as many save files as they’d like, and I also designed it such that the key to the save files is “secure” and can only be known by the user.

Let me elaborate: Users set the name of their own save files. When I save a user’s data to my data store, I set the key equal to the first 49 digits of SHA256(UserID + UserSaveFileName). I use only the first 49 digits because Roblox limits the length of a datastore key.

By saving user data in this way, I have guaranteed that even if someone breaks into one of my users’ Roblox accounts, they will not be able to access any of the user’s save files unless they ALSO know the name of the save file, which is unlikely.

The problem is this though: what happens if I get a GDPR request to remove all of a user’s data? It seems like it would be impossible for me to comply with this request because I literally don’t know where it is located in the data store unless they tell me the names of all of their save files.

Also, if the solution to this isn’t scripting, I apologize for having posted this in the wrong board, but this forum is the most relevant one I have permission to post in.

Know that nobody on the developer forums is a lawyer and you shouldn’t ask us for legal advice.

Then you have to change the way you store data. GDPR requires you erase their data.

CC @IntegerUnderflow

You are the developer. You develop the game how its supposed to be. As a developer you should have the right resources to be complying with these regulations to stop your game being moderated. I suggest you should at least store those keys so that you know which player has what key.

I’d suggest you have a server-side method like :GetSaveFilesFromUserId or similar so only YOU can access the data.

This whole method of having names for save files and such like that seems a bit over-the-top though. I’d suggest rethinking your idea.

Aside from privacy, I’m also assuming you are going to want to monetize your project at some point. What happens if someone spends a lot of money, or just time, on your game and then forgets the name of their save file? How would you go about doing customer support for those instances if you are not even able to get to the data yourself?

I would highly recommend to refrain from something so complex and just simply give them X slots that you can also show to the user. The sentiment is nice but this doesn’t seem like the right way to make sure bad actors can’t mess with their data, there are too many risks associated with this. It’s probably better to just do something like what Runescape does, give them the ability to set a bank PIN for important actions and then they can request to remove the PIN if they forgot it, but it takes 1-2 weeks to wear off.

If you don’t know where the data is saved without the save name, how are you listing the saves to the player?

It’d be a major inconvenience to the player if they had to remember the name of their data save.

On a semi-unrelated note: The GDPR was created to protect against people misusing personally identifiable information of a living person. You don’t have access to the majority of this. The only thing I can think of is you logging how many hours a player has played and at what timestamp - but this still makes it MASSIVELY hard to identify a living individual. I’m not a lawyer, but I believe Roblox has got the general idea of the GDPR wrong (in a sense that developers are having to delete user data). Yes, Roblox do need to comply their selves, as they store personally identifiable data, such as passwords and email addresses.

Just want to emphasise that I am not a lawyer, and that this statement is my current understanding of the GDPR.

Pretty sure the data erasure procedures (“the right to be forgotten”) don’t care about if its PII or not. It’s called the right to be forgotten, your game should act as if they have never even played the game before.

Not according to a quick scan-read of this: Right to erasure | ICO

This is un-needed and overkill - the only time you should be hashing anything in a database is in the case of passwords (and if you are doing that in a Roblox game, you are doing something wrong)

You are fine just storing the saves under a user specific key, no hashing needed. This also solves your GDPR problem.

I think the best thing to do here is to follow everyone else’s suggestion: find a new way to do this. The only “advantage” is that players can hide their save files. This doesn’t actually provide any data safety since their data is still sitting around unencrypted in a hard drive in a computer somewhere.

If you just want players to be able to hide their save files, you can be compliant by just keeping a hidden list of their save files.

The interesting part, in my opinion, is the whole GDPR question in theory. What would you have to do here?

There are certainly exceptions, for example:

• You can keep data in backups for a limited time
• You can keep encrypted data if the encryption key is removed
• There are relaxed protections for pseudonymous data

What does GDPR say about submitting information anonymously? If I submit a photo of myself to a site without making an account, how can the website owners know that it’s my photo if I ask them to delete photos by “Corecii”? What about a site that lets you submit anonymous comments? It’s not reasonable to expect them to delete my comments if neither me nor their database will tell them which is mine.

I doubt anonymously-submitted data has to be removed if all that’s provided for removal is a name or user id. On the other hand, if links to the specific image or comment are provided, then it makes sense to require removal.

Your situation is practically one where data was submitted anonymously: you have a “save id” and data, but no user id or user name. That’s no different from a “comment id” or “photo id” and data, but no user id or name.

I would guess that the GDPR has relaxed restrictions if you’re asked to delete data for a certain id, but you don’t have any data with relevant fields matching that id. I would guess that the user would need to provide links to the specific, anonymously-submitted data that they want deleted. Nothing else is reasonable.

Anyway, that’s not legal advice. I can’t give that to you. I also couldn’t find any articles about this and I couldn’t find anything about it in the GDPR with a cursory look.

Please just find another way to do this. It’ll make it easier for yourself and your players.

Although there are a lot of replies advocating I ditch this method of storing data, from my understanding of GDPR, it seems like I am required to store my data in the way I have devised (or a similar way.)

The GDPR refers to pseudonymisation as a process that is required when data is stored (as an alternative to the other option of complete data anonymisation)[15] to transform personal data in such a way that the resulting data cannot be attributed to a specific data subject without the use of additional information.

I transform the key to the personal information such that it cannot be attributed to any data subject (user) without the use of additional information (their save file name.)

How could I store users data in a way to comply with this rule and also be able to retrieve and delete it upon request?

You can just store it in the format of the key being Player_UserId
For example, if you wanted to store my data then my key would be Player_31224409
It doesn’t need to be that- it can just be the UserId. You should always use the UserId so you can actually locate the player, regardless of the name changes the user may make.

But then that doesn’t meet the criteria for pseudonymisation/complete anonymisation because it’s trivial to attribute the personal data from the save file to exactly which user it corresponds with.

I don’t understand what you mean by that but you can fully delete the data corresponding to that player. As you can see on my previous post, you can just have the key as the UserId.

I’m saying that - from my understanding, as per the Wikipedia page for GDPR - it would not be sufficient to store the data in the way you’ve described because no anonymisation/pseudonymisation has taken place. Anonymisation/pseudonymisation is a required process in GDPR when storing data.

I believe you may be taking this too literal. Multiple of developers store data by the player’s UserId. I suggest you should look at the announcement for this change in TOS.

It was mentioned there by one of the Developer Relation Staff that its recommended to store data by UserId

ROBLOX usually sends you a message telling you if you need to remove a certain user’s data where you can use the UserId to index into your DataStore to remove his/her data.

I will likely just change the way my data is being stored and my users will no longer have the security of being able to anonymously store their save files.

I agree that it is totally common sense to just store the user’s data with the key being their userId, but it just seems like GDPR’s restrictions technically say you can’t do that without requiring an additional piece of information to deanonymize the data. I’m going to just assume it won’t be a problem since Roblox has recommended to do it this way.

You don’t have to comply with this rule.

Pseudonymising data gives you relaxed rules for how you treat the data. If you don’t pseudonymise the data, you have to follow more strict rules. One of those rules is that the user can request all of their personal data to be deleted.

Storing personally data that’s not pseudo- or anon-ymised is fine under GDPR, you just have to delete it on request. If you couldn’t personal data then nearly all well-known internet businesses would be out of compliance.

We can’t exactly get someone’s personal information through UserId, only ROBLOX can, essentially they’re anonymous to us. GDPR varies for ROBLOX developers because of the personal information privatised.

Every source I can find says that if you are storing data, you still must psuedoanonymise or anonymise it:

According to the GDPR, personal data must be stored and processed “in such a way that the person concerned cannot be identified or can no longer be identified”

https://eperi.com/pseudonymization-anonymization/

Edit: Of course, pseudononymization that it must be stored so that the data cannot be de-anonymized WITHOUT some extra info. For example, if some company is storing my credit card number, I would imagine that GDPR mandates that they cannot store that number is a way that it could be connected to me without me having logged in with my password first.