There’s are very simple ways Roblox could make the job a LOT easier.
If they pseudonymize it within their system to some sort of a compatible marker we could equally change the same reference and it would equally remove the possible connection for us.
Say for example player with user ID 1234 made a GDPR request to Roblox.
Roblox deletes all personal and relevant information to user 1234
At this point, the 1234 in itself is not necessarily identifying as it can no longer be linked to a tangible person.
Now the only possible exception to this would be through player profile links using the player ID that they “could” have advertised on other social links such as if a YouTuber had it in their bio.
Roblox could easily pseudonymize the player ID to something that would break even that potential link but still be compatible with typical player ID recognition.
Not saying this specific example, but maybe it’s now #4567 or whatever, it does not matter how they really do it as long as they ensure it’s compatible with player ID recognition.
It would be easy to replace all 1234 references with a compatible pseudonym and be done with it and most people could write a script that would do this where you simply plugin the old value and the new one and replace.
Personally, if I got a GDPR request and I didn’t want to break a datastore trying to remove a player ID I would simply make a trash alt account and replace all references to the removed player ID with the new trash account.
The moment you break the possible social connection to a tangible person any and all obligations are done and aside from people who are storing additional data through http services that player ID is the only remotely possible connection we have to contend with. Depending on the datastore some people could probably get away with just replacing the player ID with all 0s.
I agree that could work, but that’s not what I was talking about. I was talking about manually scraping and deleting data from DataStores either automatically on roblox’s end, or via a lua event (which is what everyone was describing).
That would be the best solution, just make it so the UserID itself cant be linked to them, but I assume the reason they haven’t is because they have such a large dataset, it’s not easy changing databases with billions and billions of rows after the fact. Careful consideration is made when setting up databases for this very reason. Creating it is easy, changing it later is not.
edit for clarification: they didn’t have GDPR in mind when they created the infrastructure, is my point, and it may not be an easy task to change said infrastructure to break the connection between the UserID and the user.
If they use pseudonymisation properly then it’s highly plausible something like a simple addon could be done for the individual games and in theory it could within reason be automated.
Yes it’s true that where strings are used to figure a player ID that could get tricky.
Within reason though it should be pretty doable to make something like an addon in studio that can change the necessary references properly.
Maybe not fully automating but certainly easier than it is now especially for beginner developers or many people running games that don’t even do scripting themselves.
Edit: I would never suggest scrapping or deleting. That’s a disaster waiting to happen and it’s completely unnecessary for GDPR requirements.
Anything is possible. Does not mean it will happen. It’s not worth the R&D time/money.
You can argue that fact all you want, but the reality is if they wanted to, they would’ve. There’s a reason they don’t acknowledge a single person about automated GDPR. They don’t intend to create it.
If you really want automated GDPR, why don’t you just make it yourself. HttpService can fetch a list of IDs it needs to clean up, and then send a second HTTP request confirming it was completed successfully. If it doesn’t get a response within X time it sends those UserIDs to a different server. Rinse and repeat.
I’d be surprised if top devs, the people who really need automated GDPR haven’t done this already. And if you don’t have the resources to do that, then you shouldn’t have a problem creating a Roblox plugin that does it for you when you paste a UserID into the studio version of your game.
My opinion is that this will never happen as you describe. I believe if people want automated GDPR, just create it, I pitched two solid methods.
Edit: and besides, live game servers is not the place for this type of behavior. A website doesn’t clean up database records when you load their homepage. It doesn’t make sense to host something like that across all your live production video game servers.
I agree that most developers who would need automated GDPR probably already have automated GDPR setup or should.
I also agree Roblox most likely does not intend to attempt to automate it, though I don’t think the R&D behind that would be substantial by any means.
Personally, I don’t even consider this a problem, it’s really no big deal and any future datastores I make will be built with a system to deal with this as well as my existing ones will be modified accordingly.
The problem Roblox will face IF GDRP non-compliance requests become a problem (which they probably won’t) is that as the platform they will ultimately be held liable, no differently than eBay was held liable for people selling pirated software on their platform and not stopping it.
There are a LOT of games on Roblox using free datastore scripts by players who have no idea even remotely how to edit them. In fact, I would argue it’s likely that is the case for the majority of games on the platform.
Ultimately if non-compliance becomes a problem whether Roblox themselves want or intend to do it or not becomes irrelevant, they will be forced to do it.
Especially when you consider that the overwhelming majority of people with games on Roblox aren’t even on these dev forums, they don’t participate in these discussions and many of them probably just ignore Roblox’s emails altogether.
As I said, player ID’s even themselves if Roblox does what they have to for GDPR could barely even be considered identifying anyway and it would require special circumstances for that to even be the case. There are however a lot of games and I am certain there are people out there who will try to make money off of this and cash in on violations.
If it comes to that, Roblox can post all the terms of service and conditions they want but in the end, at some point, they’ll most likely have to decide if they want to do something to address this or be forced to mass delete games that aren’t complying. If those games are making them money that financial equation has to be considered because many may not be top developers but I assure you there’s enough of them out there that the income they generate for Roblox does matter.
Well, then what the hell are we arguing for! lol, seems like we’re on the same page here.
If it was a well-requested thing somebody could always make it a public service, people are nice in this community more often than not. I just don’t see it as a problem myself either.
The reason we have the current system, in my opinion is not because they even care if we delete anything at all. It’s for legal liability purposes. They are passing the liability onto the developer. Even if that data is stored in their DataStores, on their servers, they are not responsible after notifying all involved parties.
Most top devs openly admit they don’t handle these (or at least I’ve seen many in the past). For that reason, I don’t think they care. No developers thus far have been investigated, fined, or punished to my knowledge because of this. How would they know whether or not you removed it anyways?
That’s precisely why I think none of this even matters. They are just covering their own ass legally by notifying you. I’ve never seen any evidence that they actually care about whether or not you listen, nor have I seen any backlash in any manor towards any developer over it. It’s simply not a problem right now, even if you don’t respond at all.
edit: just to clarify twice, this is my opinion, although I’m not the only one who holds such opinions regarding our current GDPR.
Personally in my opinion I don’t think it matters either.
The only time I think it really even could matter is if someone heavily invested in Roblox such as a YouTuber or game critic made one, in which case, why would they as it would be as harmful to themselves anyway.
I would argue that for 99.99% of all Roblox players their player ID couldn’t even be considered as socially identifying to a tangible person once Roblox does the part I’m sure they are doing already for their own compliance.
Beyond that IF someone who somehow fit that criteria wanted to make a stink they would have to somehow show reasonable cause to believe Roblox has not complied. Even under a GDPR request to receive all of their information I think there would be many steps involved before it ever got to an individual developer which would give plenty of time to deal with it afterwards.
So I agree they are probably just covering themselves from a legal standpoint.
The only unknown variable here I would consider is how many will try to cash in on the situation.
There are many people making a lot of money scamming and performing not only things that are against the rules, but outright illegal to make a buck on Roblox.
Ultimately if those people find grounds to cash in or some really paranoid people try to make a big fuss is the only time I think it would become an issue. That kind of situation isn’t going to happen in months it will be years before we see such possible fallout. Lawyers who will go to court over GDPR issues will have a lot of fine legal details get refined through case rulings and in time there will be law firms that specialize in such legal actions. Right now this is still young enough I doubt there’s much groundwork for it, especially internationally. I imagine law firms in the EU are still learning how to fight local battles over it.
My only point here is that people as a group always have within them those who seek to take advantage of situations. I know lawyers who sue debt collectors for a living and will handle debt collection accounts for free just based on the amount of them who break the law knowing they can cash in.
At some point it’s likely the GDPR will reach this. More importantly, with all the battles over data privacy and security going on here in the US, I would be surprised if it’s too long before we have our own such laws, especially in California where we already have laws regarding sale of personal information which is also where Roblox is located.
The world and data privacy is rapidly changing. Roblox will likely have to learn to change with it especially if they truly want to go public as they claim.
I do see your point, but personally I’ve stopped caring, and I’ll openly admit that as will some other devs out there because I assess the risk of such an event as to be low. However, considering there is in fact a risk, I can’t say your’re wrong to be concerned, and it is nice to know positively that you are in compliance regardless. Even knowing that 99.99% of IDs probably cant be considered socially identifiable as you said, that is still a level of uncertainty not everyone is comfortable with. It seems your argument is that developers should have peace of mind in the matter, rather than everyone openly speculating about the what-ifs and potential legal ramifications as we are currently.
Although we have not reached that point yet, you could be right and it could indeed happen down the road.
That is a very true statement, by the way.
Perhaps Roblox is already considering a better method given their poll regarding message usage. I think they realize that this system is totally ineffective (with the exception of passing legal liability from their end, of course). Perhaps all this debate over how to handle these in batch & mass quantities is for nothing because a plan is already on the drawing board for what they can do going forward to mitigate such risk of developers being persued. Especially if those developers are just receiving too much to handle, I’m certain they would want to ease the potential legal burden they face with not being equipped to properly handle it.
“Universe Scripts” (which has been deferred until an known time rip, could never come) would be a better way to process this type of stuff than individual live game servers doing it imo, but Roblox knows best of what they should do - not me. Maybe they have something cooking to handle this efficiently, and effectively at any scale. It’s like getting to the center of a tootsie pop. The world may never know.
I appreciate the civil discourse on the matter, and I’m glad we found some common ground in our discussion. Cheers!
I would guess within a few years we’ll all probably see more of how this stuff unfolds.
I’m a little OCD myself just trying to cover my bases and I admit look to possible and likely future outcomes a lot, just how I’m wired.
That said I don’t fault you or anyone who has stopped caring. Peace of mind is important to me but I also recognize statistical probability and risk vs. reward.
Personally, I think obligation should be just as much on the person requesting GDPR and any other such requests to detach themselves from those they’ve requested to be forgotten from and I don’t think anyone who has requested to be forgotten by Roblox or any other company should retain the right to identify by that companies internal ID systems anyway.
There’s a decent chance that courts will come to such senses themselves in the coming years and all this will be for nothing. If you want Roblox to forget you then you should forget any association you have with Roblox in my opinion. I can only hope that is how this ends up going.
