Privacy Policies on the game page

As an EU player and developer, I don’t believe Roblox gives enough power to developers to provide users with their rights under the GDPR.
This is a serious issue and can result in major fines under the GDPR (depending on what the body decides, this could be as high as €20 million, or 4% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher).

Thinking about that, I want to enforce every game that handles personal data to offer a privacy policy. This policy must be easily accessible to any person or entity for review, e.g. its own tab or button on the game page.

While that is a major task, I believe that it’s possible to make it easy for developers to comply with this demand. There are two ways I suggest to do this.

  1. Allow developers to directly post their own privacy policy, along with the ability to create a TL;DR version (the original full version will take priority in that respect).
  2. Similarly, Roblox can allow developers to do the opposite and allow developers to simply tick what applies and that creates both the full version and TL;DR.

On top of this, as an extra, you should be able to directly issue GDPR requests to game developers in a simple and easy way; Roblox developers can directly respond to any such requests in a timely manner.

In terms of moderation, I feel that failure to comply should result in similar nature to actual GDPR failures and IP theft; help should be given but in events of major GDPR issues formal moderation should be taken, up to and including termination of users, groups and games.

Feel free to give any meaningful feedback below. Let’s ensure we protect ourselves and our users.

7 Likes

Out of curiosity, what exactly do you define as “personal data”? I honestly can’t think of any personal data that games would even be able to collect without violating the current terms of service in the first place.

3 Likes

I refer to “personal data” as the same definition as the GDPR.

According to the ICO, UK’s independent body set up to uphold information rights, personal data is defined as “information that relates to an identified or identifiable individual.” As found in better detail @ this link.

This could include in game data (such as money earned, items, upgrades, etc); this could include analytics (if it’s possible to identify a user from that data).

However this would depend on the game and the content within, speaking with an expert on that field is strongly advised, as it’s not an area I want to provide full advice on.


EDIT: Roblox does have a guide on the DevHub on this, see that @ https://developer.roblox.com/en-us/articles/managing-personal-information

2 Likes

As a Roblox developer, and the Data Protection Officer for a company which has Roblox-related business activities, I am in support of more features and tools which make it easier for game developers to respond to specific GDPR requests.

As @railworks2 has said:

Although this guide exists to respond to Right of Erasure (aka “Right to be Forgotten”) requests, there is little to no information in regard to how to deal with Subject Access Requests (aka “Right of Access”), etc.

Game developers should have more tools available to them which allow for the quick and easy execution of such requests from data subjects.

2 Likes