Complying with GDPR

Your save data for a game you’re playing is not personal data. You shouldn’t be storing personal data like names, age, location, so you don’t need to anonymise it further.

2 Likes

I have a few doubts about this:

  1. I don’t think the information that needs to be pseudonymized is “all data”, but rather specifically data that identifies a person such as name or address.
  2. I don’t think this actually applies to all data – “How to protect your data with eperi” suggests that eperi is trying to sell their services to me, not that this is an article including all necessary information for my own benefit. This checklist site doesn’t say “pseudonymize everything”. I think most articles related to pseudonymization are meant for data processing and analytics companies, and most articles are geared towards people looking for those types of articles. Try starting from “what do I need to comply” from multiple sources and make sure that “personal data” is what you think it is.
  3. It’s possible that Roblox’s user ids are already pseudonymous.

Having to make any and all possible personal information pseudonymous does not make any sense in the context of modern internet services. You don’t have to “unlock” your Google, Microsoft, PayPal, etc. accounts with an encryption key to see your name, address, etc. I don’t know exactly what GDPR actually says, but I do know that by induction, it would make no sense that all data has to be pseudonymized in storage.

Also keep in mind that you don’t need to conform to every item in the checklist. Roblox might need to, and by extension Roblox needs to be able to manage data in all of the games on its website. That’s why they send us GDPR right to removal notices – so that we can do our part in Roblox’s compliance.

If you store reasonable game-related or user-submitted data and delete it on request, then you’ll be fine. If you do those things, Roblox won’t shut you down. If you do those things, you won’t get sued and you won’t get scary legal letters. You wouldn’t get sued anyway – Roblox would – but Roblox won’t be getting sued for that either. You don’t need to pseudonymize everything.

Precisely. Anything that needs pseudonymising is something you should not be collecting (and the player should not be asked to provide) if you’re complying with Roblox TOS.

If, which I assume, user data has no tie to identify the original user behind it, and the save file name is reasonably hard to predict, then you may qualify as “anonymous data” per Recital 26, GDPR, Paragraphs 5 and 6:

The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.
This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.

However, a solution to this seems pretty easy: you could keep a server-side mapping of the save file names used by the user, such that the user never sees them, but if necessary you have a tie from save files to users in order to delete them. This would be the safest bet.

I am not a lawyer, this is not legal advice, my views are my own and do not represent those of others.

1 Like
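
The server-side mapping suggested in the last post, sketched as an added example that is not code from the thread or from Roblox. The names `SaveIndex`, `create_save`, `load_saves` and `erase_user` are hypothetical, and in-memory dictionaries stand in for a real data store.

```python
import secrets


class SaveIndex:
    """Hypothetical server-side index; dicts stand in for a real data store."""

    def __init__(self):
        self.saves = {}  # opaque save key -> save data (holds no user id)
        self.index = {}  # user id -> list of save keys; never sent to clients

    def create_save(self, user_id, data):
        # Random 128-bit key: not derived from the user id, so not guessable.
        key = secrets.token_urlsafe(16)
        # Record the key in the index before writing the save, so a failure
        # between the two writes cannot leave a save that erasure would miss.
        self.index.setdefault(user_id, []).append(key)
        self.saves[key] = data
        return key

    def load_saves(self, user_id):
        # Skip index entries whose save write never completed.
        keys = self.index.get(user_id, [])
        return [self.saves[k] for k in keys if k in self.saves]

    def erase_user(self, user_id):
        """Handle an erasure request: delete every save, then the index entry."""
        keys = self.index.get(user_id, [])
        for key in keys:
            self.saves.pop(key, None)
        self.index.pop(user_id, None)
        return len(keys)


def demo():
    # Constructed sample data: user ids and save contents are made up.
    store = SaveIndex()
    store.create_save(1001, {"level": 3})
    store.create_save(1001, {"level": 7})
    store.create_save(2002, {"level": 1})
    erased = store.erase_user(1001)
    return erased, len(store.saves), 1001 in store.index, store.load_saves(2002)


if __name__ == "__main__":
    print(demo())
```

The index is the only link between a user and their save keys, so it has to be removed as part of the same erasure request.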