(To preface, I am not a lawyer and this is not legal advice.)
If you’ve never used DataStores for that game and haven’t stored any user data associated with the UserId shown in the message (either in-game or outside of the game via a third-party analytics tool), then you’ve likely already complied with it since there is no existing data associated with that player.
From what I understand, Roblox automatically sends that message when a user who has played your game before submits a GDPR Data Erasure Request (which is a request that any and all personally identifying data that can be linked back to that player is erased off of the platform). Even if no data about that player was actually ever stored in your game, it’s sent to make sure you are aware of the request so that you can take proper action to comply if you have not done so already.
Even if “nothing happened”, this is a dangerous claim to make. For reference, the “GDPR compliance checklist for US companies” on the official GDPR website explicitly states that:
The EU General Data Protection Regulation also requires companies outside the European Union to safeguard personal data.
…
The GDPR applies to companies outside the EU because it is extra-territorial in scope. Specifically, the law is designed not so much to regulate businesses as it is to protect the data subjects’ rights. A “data subject” is any person in the EU, including citizens, residents, and even, perhaps, visitors.
What this means in practice is that if you collect any personal data of people in the EU, you are required to comply with the GDPR.
Because Roblox operates in the EU, they DO have to comply with GDPR Requests, and part of that process happens to include notifying developers of such requests in order to make sure that any data associated with such users is deleted, as requested.
There are pretty hefty fines for not complying with GDPR Requests, and while I don’t know if the onus would be on Roblox themselves or the developers of games where data may still exist, it’s best to do your due diligence and comply with the data erasure requests as best you can, regardless of what country you reside in.
And again, even if there are plenty of examples out there of “nothing happening” when developers ignore those messages from Roblox, there’s a non-zero chance that negative repercussions could come to fruition in the future for those who failed to comply. Fortunately, it seems that Roblox has plans to make it easier to automatically comply with GDPR Requests in the future through the upcoming UserDataStoreService, which would mean that the process of complying with such requests will probably be much faster and more user-friendly.