Complying with GDPR

Aside from privacy, I’m also assuming you are going to want to monetize your project at some point. What happens if someone spends a lot of money, or just time, on your game and then forgets the name of their save file? How would you go about doing customer support for those instances if you are not even able to get to the data yourself?

I would highly recommend refraining from something so complex and just simply giving them X slots that you can also show to the user. The sentiment is nice, but this doesn’t seem like the right way to make sure bad actors can’t mess with their data; there are too many risks associated with this. It’s probably better to just do something like what Runescape does: give them the ability to set a bank PIN for important actions, and then they can request to remove the PIN if they forgot it, but it takes 1-2 weeks to wear off.

6 Likes

If you don’t know where the data is saved without the save name, how are you listing the saves to the player?

It’d be a major inconvenience to the player if they had to remember the name of their data save.

On a semi-unrelated note: The GDPR was created to protect against people misusing personally identifiable information of a living person. You don’t have access to the majority of this. The only thing I can think of is you logging how many hours a player has played and at what timestamp - but this still makes it MASSIVELY hard to identify a living individual. I’m not a lawyer, but I believe Roblox has got the general idea of the GDPR wrong (in the sense that developers are having to delete user data). Yes, Roblox do need to comply themselves, as they store personally identifiable data, such as passwords and email addresses.

Just want to emphasise that I am not a lawyer, and that this statement is my current understanding of the GDPR.

1 Like

Pretty sure the data erasure procedures (“the right to be forgotten”) don’t care about whether it’s PII or not. It’s called the right to be forgotten: your game should act as if they have never even played the game before.

Not according to a quick scan-read of this: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure/

This is unneeded and overkill - the only time you should be hashing anything in a database is in the case of passwords (and if you are doing that in a Roblox game, you are doing something wrong).

You are fine just storing the saves under a user specific key, no hashing needed. This also solves your GDPR problem.

I think the best thing to do here is to follow everyone else’s suggestion: find a new way to do this. The only “advantage” is that players can hide their save files. This doesn’t actually provide any data safety since their data is still sitting around unencrypted in a hard drive in a computer somewhere.

If you just want players to be able to hide their save files, you can be compliant by just keeping a hidden list of their save files.


The interesting part, in my opinion, is the whole GDPR question in theory. What would you have to do here?

There are certainly exceptions, for example:

  • You can keep data in backups for a limited time
  • You can keep encrypted data if the encryption key is removed
  • There are relaxed protections for pseudonymous data

What does GDPR say about submitting information anonymously? If I submit a photo of myself to a site without making an account, how can the website owners know that it’s my photo if I ask them to delete photos by “Corecii”? What about a site that lets you submit anonymous comments? It’s not reasonable to expect them to delete my comments if neither I nor their database will tell them which is mine.

I doubt anonymously-submitted data has to be removed if all that’s provided for removal is a name or user id. On the other hand, if links to the specific image or comment are provided, then it makes sense to require removal.

Your situation is practically one where data was submitted anonymously: you have a “save id” and data, but no user id or user name. That’s no different from a “comment id” or “photo id” and data, but no user id or name.

I would guess that the GDPR has relaxed restrictions if you’re asked to delete data for a certain id, but you don’t have any data with relevant fields matching that id. I would guess that the user would need to provide links to the specific, anonymously-submitted data that they want deleted. Nothing else is reasonable.


Anyway, that’s not legal advice. I can’t give that to you. I also couldn’t find any articles about this and I couldn’t find anything about it in the GDPR with a cursory look.

Please just find another way to do this. It’ll make it easier for yourself and your players.

2 Likes

Although there are a lot of replies advocating I ditch this method of storing data, from my understanding of GDPR, it seems like I am required to store my data in the way I have devised (or a similar way.)

The GDPR refers to pseudonymisation as a process that is required when data is stored (as an alternative to the other option of complete data anonymisation) to transform personal data in such a way that the resulting data cannot be attributed to a specific data subject without the use of additional information.

I transform the key to the personal information such that it cannot be attributed to any data subject (user) without the use of additional information (their save file name.)

How could I store users data in a way to comply with this rule and also be able to retrieve and delete it upon request?

You can just store it in the format of the key being Player_UserId.
For example, if you wanted to store my data then my key would be Player_31224409.
It doesn’t need to be that; it can just be the UserId. You should always use the UserId so you can actually locate the player, regardless of the name changes the user may make.

But then that doesn’t meet the criteria for pseudonymisation/complete anonymisation because it’s trivial to attribute the personal data from the save file to exactly which user it corresponds with.

I don’t understand what you mean by that but you can fully delete the data corresponding to that player. As you can see on my previous post, you can just have the key as the UserId.

I’m saying that - from my understanding, as per the Wikipedia page for GDPR - it would not be sufficient to store the data in the way you’ve described because no anonymisation/pseudonymisation has taken place. Anonymisation/pseudonymisation is a required process in GDPR when storing data.

I believe you may be taking this too literally. Many developers store data by the player’s UserId. I suggest you should look at the announcement for this change in TOS.

It was mentioned there by one of the Developer Relations staff that it’s recommended to store data by UserId.

ROBLOX usually sends you a message telling you if you need to remove a certain user’s data where you can use the UserId to index into your DataStore to remove his/her data.

3 Likes

I will likely just change the way my data is being stored and my users will no longer have the security of being able to anonymously store their save files.

I agree that it is totally common sense to just store the user’s data with the key being their userId, but it just seems like GDPR’s restrictions technically say you can’t do that without requiring an additional piece of information to deanonymize the data. I’m going to just assume it won’t be a problem since Roblox has recommended to do it this way.

You don’t have to comply with this rule.

Pseudonymising data gives you relaxed rules for how you treat the data. If you don’t pseudonymise the data, you have to follow more strict rules. One of those rules is that the user can request all of their personal data to be deleted.

Storing personal data that’s not pseudonymised or anonymised is fine under GDPR; you just have to delete it on request. If you couldn’t store personal data then nearly all well-known internet businesses would be out of compliance.

We can’t exactly get someone’s personal information through UserId, only ROBLOX can, essentially they’re anonymous to us. GDPR varies for ROBLOX developers because of the personal information privatised.

Every source I can find says that if you are storing data, you still must pseudonymise or anonymise it:

According to the GDPR, personal data must be stored and processed “in such a way that the person concerned cannot be identified or can no longer be identified”

https://eperi.com/pseudonymization-anonymization/

Edit: Of course, pseudonymization means that it must be stored so that the data cannot be de-anonymized WITHOUT some extra info. For example, if some company is storing my credit card number, I would imagine that GDPR mandates that they cannot store that number in a way that it could be connected to me without me having logged in with my password first.

Your save data for a game you’re playing is not personal data. You shouldn’t be storing personal data like names, age, location, so you don’t need to anonymise it further.

2 Likes

I have a few doubts about this:

  1. I don’t think the information that needs to be pseudonymized is “all data”, but rather specifically data that identifies a person such as name or address.
  2. I don’t think this actually applies to all data – “How to protect your data with eperi” suggests that eperi is trying to sell their services to me, not that this is an article including all necessary information for my own benefit. This checklist site doesn’t say “pseudonymize everything”. I think most articles related to pseudonymization are meant for data processing and analytics companies, and most articles are geared towards people looking for those types of articles. Try starting from “what do I need to comply” from multiple sources and make sure that “personal data” is what you think it is.
  3. It’s possible that Roblox’s user ids are already pseudonymous.

Having to make any and all possible personal information pseudonymous does not make any sense in the context of modern internet services. You don’t have to “unlock” your Google, Microsoft, Paypal, etc. accounts with an encryption key to see your name, address, etc. I don’t know exactly what GDPR actually says, but I do know that by induction, it would make no sense that all data has to be pseudonymized in storage.

Also keep in mind that you don’t need to conform to every item in the checklist. Roblox might need to, and by extension Roblox needs to be able to manage data in all of the games on its website. That’s why they send us GDPR right to removal notices – so that we can do our part in Roblox’s compliance.

If you store reasonable game-related or user-submitted data and delete it on request, then you’ll be fine. If you do those things, Roblox won’t shut you down. If you do those things, you won’t get sued and you won’t get scary legal letters. You wouldn’t get sued anyway — Roblox would – but Roblox won’t be getting sued for that either. You don’t need to pseudonymize everything.

Precisely. Anything that needs pseudonymising is something you should not be collecting (and the player should not be asked to provide) if you’re complying with Roblox TOS.

If, which I assume, user data has no tie to identify the original user behind it, and the save file name is reasonably hard to predict, then you may qualify as “anonymous data” per Recital 26, GDPR, Paragraphs 5 and 6

The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.
This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.

However, a solution to this seems pretty easy: you could keep a server-side mapping of the save file names used by the user, such that the user never sees them, but if necessary you have a tie from save files to users in order to delete them. This would be the safest bet.

I am not a lawyer, this is not legal advice, my views are my own and do not represent those of others.

1 Like
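The “hidden list of their save files” suggested earlier in the thread and the server-side mapping proposed in the last reply are the same design, so here is one worked version of it. This is an added example, not code from the thread or from Roblox: it is written in Python rather than Luau, uses an in-memory dictionary as a stand-in for a key/value DataStore, and the `SaveStore` class, the server secret and the sample save data are all constructed for the illustration. Blob keys are derived with an HMAC over the UserId and save name, so the stored key on its own does not reveal either (the pseudonymisation the original poster wanted), while a per-user index kept server-side preserves exactly the link needed to list a player’s saves and to honour an erasure notice by UserId.

```python
"""Save storage with hidden save names plus a server-side index for erasure.

Added example, not from the thread or from Roblox. Everything in-memory is a
stand-in for a real key/value DataStore; the secret and sample data are
constructed for the illustration.
"""
import hashlib
import hmac
from typing import Dict, List, Optional


class SaveStore:
    def __init__(self, server_secret: bytes) -> None:
        self._secret = server_secret                   # kept server-side only (constructed value)
        self._blobs: Dict[str, dict] = {}              # derived key -> save data
        self._index: Dict[int, Dict[str, str]] = {}    # user_id -> {save_name: derived key}

    def _derive_key(self, user_id: int, save_name: str) -> str:
        # HMAC keyed with the server secret: the stored key alone reveals neither
        # the user nor the save name, so blob keys are not guessable or enumerable.
        msg = f"{user_id}:{save_name}".encode("utf-8")
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def save(self, user_id: int, save_name: str, data: dict) -> str:
        key = self._derive_key(user_id, save_name)
        self._blobs[key] = data
        # The hidden per-user list is what lets us find the blobs later.
        self._index.setdefault(user_id, {})[save_name] = key
        return key

    def load(self, user_id: int, save_name: str) -> Optional[dict]:
        key = self._index.get(user_id, {}).get(save_name)
        return self._blobs.get(key) if key is not None else None

    def list_saves(self, user_id: int) -> List[str]:
        # The player never has to remember a save name: the server lists them.
        return sorted(self._index.get(user_id, {}))

    def erase_user(self, user_id: int) -> int:
        # Right-to-erasure handling keyed by UserId: delete every blob the index
        # points to, then the index entry itself. Returns the number of blobs removed.
        names = self._index.pop(user_id, {})
        removed = 0
        for key in names.values():
            if self._blobs.pop(key, None) is not None:
                removed += 1
        return removed

    def blob_count(self) -> int:
        return len(self._blobs)


def demo() -> dict:
    # UserId 31224409 appears in the thread; 12345678 and the save data are constructed.
    store = SaveStore(server_secret=b"example-server-secret")
    store.save(31224409, "castle", {"level": 12, "gold": 340})
    store.save(31224409, "desert", {"level": 3, "gold": 25})
    store.save(12345678, "main", {"level": 1, "gold": 0})
    listed = store.list_saves(31224409)
    erased = store.erase_user(31224409)
    return {
        "listed": listed,                                  # ['castle', 'desert']
        "erased": erased,                                  # 2
        "remaining": store.blob_count(),                   # 1 (the other user's save)
        "after_erase": store.load(31224409, "castle"),     # None
        "other_user_intact": store.load(12345678, "main"),
    }


if __name__ == "__main__":
    print(demo())
```

Without the `_index` dictionary, `erase_user` would have no way to find the blobs for a UserId, which is the gap the thread identified in the hashed-name design; with it, the player-facing behaviour (hidden, non-guessable keys) is unchanged while an erasure notice can still be processed from the UserId alone.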