The function SetAsync includes an argument called userIds (accessible through GetUserIds) for GDPR compliance.
My question is this:
What if you are storing the data of multiple users in a single key?
For example:
If the player (for example Player2) decides to send a Right To Erasure request, the entire group data should not be cleared, only the Player2 component.
It is not an option to use separate keys either, as the DataStore limits are too harsh to use effectively here.
I don’t believe you would need to remove this data under GDPR because it is not personal information about the user it is just the id of an object in the Roblox system. If the user closed their account and asked Roblox to remove all their data, then you might have redundant data in this part of the store but that is a different subject.
You don’t need to clear the group data, just remove the UserId and clear anything that references the user from the data table. Setting UserIds is more designed for personal data persistence or because you’re actively tracking the UserId for data purposes.
The purpose of GDPR requests is not having any records of the given user in your databases. You’ve successfully complied when it’s impossible to query any information that contains the user, their UserId or any information tied to the user. It should be as if they never visited your experience.