Update to GDPR Right-to-be-Forgotten Messaging

I’m curious, what does the request do? Does the account get deleted from Roblox?

What happens to an account that requests a GDPR?

3 Likes

Anonymized and deleted, they won’t be able to log in with that account anymore.

3 Likes

Finally. Now if only you could remove the "this is an obligation under data protection laws" because it's not. It may be under select circumstances, but it is not universally the case.

https://devforum.roblox.com/t/why-you-can-probably-ignore-robloxs-right-to-erasure-requests-not-legal-advice/486395

2 Likes

But how would they check? There is no way for Roblox to know if a certain DataStore key belongs to a player, because keys are not attached to a player, they are attached to a string (which could literally be anything).

Of course I would always delete player data if it was requested, because it would be kinda risky if I didn’t, but I just wondered how Roblox could punish you for not clearing their data when there’s no way for them to know if it was cleared or not.

1 Like

Maybe Roblox keeps logs on players

While this is better, maybe there should be an API in game so that whenever a server runs or is running and there is a request to delete data it can be automatically completed without the dev having to worry about it :slight_smile:

2 Likes

I do not collect personal data, and it is against the ToS to do so, so how is GDPR relevant to us?

2 Likes

This isn’t about collecting user’s personal data - this is about collecting data relating to the user. If you store the user’s ID in your datastores (which you should, as this is the standard method of retrieving a user’s data when they join your game), that falls under GDPR and needs to be removed.

3 Likes

How are we supposed to store banned players if we get a request to remove their user ID from our records? Do you expect us to just “pardon them” and let them do whatever they want? Yeah, no.

EDIT: Sorry, I meant to post this in the main thread, not as a reply.

2 Likes

Read the other replies in this thread before asking a question first since it’s been answered multiple times.

4 Likes

Does this include the username of said player? I log usernames of players into a site to track how active users are, sorta like what you do, but usernames, not UserIDs.

EDIT 2: If you are gonna respond to go off on collecting when people are logging in and out of my games, go off on the people that log in-game chats offsite as well, or who use external sites to store data.

1 Like

Their account is deleted so they can’t access your game afterwards anyways.

1 Like

Wait we get emails for Premium payouts? Where do these filter?

1 Like

The UID in and of itself is not actually personally identifiable information under the GDPR.

identifiable natural person is one who can be identified, directly or indirectly,
in particular by reference to an identifier such as a name, an identification number,
location data, an online identifier or to one or more factors specific to the physical, 
physiological, genetic, mental, economic, cultural or social identity of that natural 
person;

However, because it is linked to Roblox, and Roblox may have billing information on file, the UID can be classed as “Personal Information”. Now a caveat to this: To comply with the GDPR, Roblox has to delete all personal information on the user (which is kinda ironic because by sending you a message telling you to delete the UID of the player, they are storing the UID that they have to delete on their servers), which means that the UID of the player can no longer qualify as personal information.

2 Likes

You should get an email the first time you get premium emails from some sort of “no reply” email. Ideally, the GDPR messages should be able to go through the same system.

3 Likes

Oh yeah, I remember that email. I wish there was a separate tab in group pages to see when Premium payouts show up; as of now you just randomly receive around 100 R$ depending on how popular your game is. But that's off topic.

1 Like

I was getting to a point like this in my game soon. Love the idea!

1 Like

Yes, exactly. Their ID is associated with their account and their game data. Therefore you must purge the data relating to it, and, by extension, the ID itself from your datastores.

2 Likes

The ID being associated with their account and game data has nothing to do with anything. The question is whether or not that game or account data is identifiable information. If Roblox has done their job, the ID cannot be used to identify a natural person, and therefore is no longer personal information, and by logical extension, we have no obligation to delete it.

I go into this in greater detail in the post I linked above, but based on my communications with Roblox about this, the erasure messages are sent in compliance with Article 17.2 of the GDPR. This means that we are only responsible for the data about the user given to us by Roblox. This is why the erasure message only mentioned deleting the user ID, not information about the user.

1 Like

If you don’t want to comply with a data erasure request, that’s your choice. But it can and will lead to consequences later on down the road.

3 Likes