Update to GDPR Right-to-be-Forgotten Messaging

Might be off topic, but what are the guidelines for GDPR Right-to-be-Forgotten? I’ve never heard of such a thing in the US, begging the question: what if I store user data on a local server in America? Am I by law obligated to delete data then, seeing as US laws don’t affect, say, Europe and vice versa?

Would Roblox be able to prove, and as such terminate your account if you store data off their site such as on something else like a personal SQL Database on a personal server?

Yes, I do understand non-compliance always has risks of termination anyway, just figured I’d ask anyway since I’m curious.

1 Like

If a user has reset their data, would it be OK to restrict them from playing the game? They can abuse the system to reset data and change what they achieved in the game.

They can’t abuse anything; their account would be deleted.

2 Likes

According to the information I researched on Google, yes, if anyone who accessed your game on Roblox is from the EU, by definition of the GDPR, you must erase their data from anything you have it on, regardless of the country you’re in.

1 Like

The GDPR is a European law, not an American one. However, it applies to EU citizens, and the hassle of figuring out whether or not someone is an EU citizen is cost prohibitive, and therefore the rules are generally applied evenly (though you as a data processor have the right to validate that the requester is an EU citizen if you so desire).

Where things get dicey is Roblox is receiving the request, not the developer. As such, the only data that is in play with the GDPR is data Roblox has given to you. I have a post linked above expanding on what this most likely means.

1 Like

As a Top Contributor, you are in a far better position to request clarification on this matter than I am. If you think I am wrong, you can take it up with Roblox and get answers that will benefit the community as a whole instead of promising undefined consequences against those who agree with my position.

As it stands, I have read the GDPR in its entirety multiple times to best understand how this all works. Not to be confrontational here, but based on your lack of citing the actual law I am willing to bet that you haven’t. If I am wrong in that, you have my apologies in advance, but using your more authoritative platform to spread information that you have (likely) not researched is not beneficial to Devs trying to figure out what their options are.

The account would most likely be terminated.

Based on polls that have been conducted (I think on Twitter), most developers ignore these requests entirely. As none of these developers have been banned, and based on a message I received from Roblox stating “The assessment as well as the decision on the request remains with the individual Dev”, I don’t think Roblox has an interest in doing anything.

Legally you are still liable, but that would require the requester to make a claim against you for anything actionable to happen.

1 Like

I just danced on my desk for an hour when I saw this post.

Thank you for this!

Do we need to do that? I think that’s Roblox’s job not developers’. It’ll be a lot easier if Roblox did that automatically instead of developers doing it manually.

Well, you would not like it if Roblox started tampering with your DataStores and your assets, right?

1 Like

I’ve heard from large developers these requests can be ignored without conflict, no idea what their purpose is in that case.

I’ve never had any GDPR erasure requests for my games, but when I do in the near future, I won’t even have to check which game that user has data in!

Good Update and Thanks!

With the exception of one possible interpretation of the GDPR, you are legally required to respond (which can mean telling Roblox you are not going to do it) to these requests within 30 days.

That said, the odds of the EU auditing and then sanctioning you are rather low (though game ending if they do), which is where the general idea of “can be ignored without conflict” comes from.

If Roblox does what I will have to do to remove the data connected to that user, why would I not like it? They will just be removing that user’s data, right?

Roblox has no idea how your data stores are formatted. Outside the issues of letting Roblox examine your data without your explicit consent or your knowing, there is no guarantee that deleting data from your datastore will not end up breaking something unintentionally.

Also, you own the data in the data stores, not Roblox, but the request is being made to Roblox. As Roblox provided you with the UID though, they are required to inform you of the user’s erasure request. Whether or not you can ignore them outright is not clear, though you can refuse the request on a number of grounds.

2 Likes

This is a great update. I think many people ignored these messages as they couldn’t find ways (or didn’t want the hassle) to delete players’ user data.

I’m all for the «right-to-be-forgotten» and now I can gladly wipe a person’s existence on Roblox away.

It’ll still be quite hard, and worksome to delete a player’s user data - if you think about «time per player». In the future I imagine Roblox can find ways to do this automatically!

Anyhow, the only struggle that I face now, is knowing how to remove them from the data store - do I add a line in each game accessing their data store and then deleting it? If yes, then I know. (Are there better alternatives?)

Anyways, it’s great that Roblox makes it easier for us to follow laws, and not to mention, privacy!

No, a Right to be Forgotten request deletes all your data as described in the GDPR. You can’t use this to delete specific data. It’s all or nothing.

No, you’ll have legal steps taken against you. We’re talking about a law, not about a Roblox rule.

I wouldn’t recommend doing that. If the person who made the Right to be Forgotten request discovers that their data isn’t deleted, they can go to a judge to start an entire legal process against the developer.

And above all, why not just respect these requests and give the people the privacy they deserve? Don’t ignore those GDPR requests, even though it is unlikely that legal steps will be taken against you.