About GDPR and CCPA
The information contained in this document does not constitute legal advice. If you ever have specific questions or concerns, we encourage you to talk to a lawyer. Roblox does not and cannot serve as your lawyer, and Roblox is not responsible for any liability or costs you may incur as a result of relying on this information.
What is GDPR?
GDPR stands for the General Data Protection Regulation. The GDPR is a law in the European Union that focuses on protecting the personal information of everyone in the European Union and European Economic Area by guaranteeing specific rights to the collection, use, and sharing of their personal information. These rights extend beyond the territorial boundaries of Europe, such that many companies or individuals that collect EU personal information are subject to GDPR.
What is CCPA?
CCPA stands for the California Consumer Privacy Act, and it becomes effective January 1, 2020. This law provides rights to consumers who reside in California, USA, including the right to know what information is collected about them, the right to request that a business delete any personal information about the consumer collected from that consumer, and the right not to be discriminated against for exercising their privacy rights.
What is Personal Information?
Most people associate the terms “personal information” or “personally identifiable information” (PII) with data like a name, email address, or home address. However, GDPR and CCPA have broader definitions for personal information which can also cover information that does not directly link to a specific individual, such as user IDs or IP addresses.
As a general rule, developers should not collect more personal information than what is supplied by Roblox, for instance the user ID and username for their players. For more information, see our community rules.
Impact on Developers
As a developer, here are some ways to honor a player’s rights under GDPR and CCPA:
- You may receive a message from Roblox regarding a personal information deletion request. Roblox takes special care to verify these requests to ensure that they’re legitimate, so you should only comply with requests from Roblox. If a player contacts you first, please ask them to make the request at https://www.roblox.com/support.
- Aside from user ID and username, do not store other forms of personal information such as birth dates or personal photos.
- If you have already stored other personal information beyond what Roblox provides access to, remove it and update your game so that it doesn’t store that data in the future.
Removing Personal Information
If you’re asked by Roblox to delete personal information about an individual who has exercised their right under GDPR or CCPA, you may need to delete specific data from your game’s Data Stores. A common pattern for identifying Roblox users in a data store is by their unique UserId prefixed by Player_, for instance Player_12345678. To create a console command script which deletes player data, follow the steps below.
- Open your game’s starting place.
- Inside ServerStorage, create a BindableEvent and rename it RemovePlayerData.
- Inside ServerScriptService, create a new Script and rename it ConsoleEvent.
- Paste the following code into the new script. Note that RemoveAsync() (line 13) is the required method for removing a key from the data store.
- Publish the place, then run it in the Roblox client (not within Studio).
- Once in the game, open the Developer Console by pressing F9 or typing /console into the chat.
- In the Log section, click the Server tab.
- In the console’s command line, enter the following command, where XXXXXXXX is the user’s ID provided to you by Roblox.
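The steps above, as an added example script for ConsoleEvent; it is not the original page's code. The data store name PlayerData and the console command shown in the closing comment are assumptions, so adjust them to match your game.

```lua
-- Added example for ServerScriptService.ConsoleEvent (not the page's original script).
local ServerStorage = game:GetService("ServerStorage")
local DataStoreService = game:GetService("DataStoreService")

-- Assumption: the data stores in your game that hold per-player keys.
local PLAYER_DATA_STORES = { "PlayerData" }
local KEY_PREFIX = "Player_" -- key pattern described on this page

local removePlayerDataEvent = ServerStorage:WaitForChild("RemovePlayerData")

-- Accept only a positive whole number so a mistyped command cannot hit another key.
local function toUserId(value)
	local id = tonumber(value)
	if id and id > 0 and id % 1 == 0 then
		return id
	end
	return nil
end

local function onRemovePlayerData(rawUserId)
	local userId = toUserId(rawUserId)
	if not userId then
		warn("RemovePlayerData: expected a numeric user ID, got " .. tostring(rawUserId))
		return
	end

	local key = KEY_PREFIX .. string.format("%d", userId)
	for _, storeName in ipairs(PLAYER_DATA_STORES) do
		-- RemoveAsync is a network call that can throw, so wrap it in pcall.
		-- It returns the value that was stored; only test it for nil and never
		-- print it, so the deleted personal data does not end up in the logs.
		local ok, result = pcall(function()
			return DataStoreService:GetDataStore(storeName):RemoveAsync(key)
		end)
		if not ok then
			warn(("Failed to remove %s from %s: %s"):format(key, storeName, tostring(result)))
		elseif result == nil then
			print(("No data stored under %s in %s"):format(key, storeName))
		else
			print(("Removed %s from %s"):format(key, storeName))
		end
	end
end

removePlayerDataEvent.Event:Connect(onRemovePlayerData)

-- Assumed console command for the Server tab (XXXXXXXX is the user ID from Roblox):
-- game:GetService("ServerStorage").RemovePlayerData:Fire(XXXXXXXX)
```

A failure message in the Server log means the key may still exist, so run the command again until every listed data store reports the key as removed or not present.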