GDPR
Overview
AccelByte Cloud's GDPR service helps you ensure your game's compliance with the General Data Protection Regulation (GDPR) of the EU as well as the California Consumer Privacy Act (CCPA) of the state of California in the United States. These laws dictate how you and your users can use and manage the user's personal data. Below you'll find two tables that list each right guaranteed by these laws, and which AccelByte service is related to that right.
GDPR
| Individual Right | Related Service | Remarks |
|---|---|---|
| The Right to Restrict Processing | UAM | Allows users to prevent their personal data from being used. Compliance with this right is ensured by giving each user the option to deactivate their account at any time. |
| The Right to Rectification | UAM, Event Log | Allows users to make changes to any personal data stored within the UAM Service. It also requires the platform to be able to inform users of any changes made to that data. We use the event log service and mailer service to inform users about those changes. |
| The Right to Object | Legal | AccelByte Cloud's Legal Service acts as a gatekeeper that allows players to object to how the platform uses their data by requiring them to agree to your terms and conditions before they can access the platform. |
| The Right to Erasure | GDPR | AccelByte Cloud's GDPR service functions as an automated service that schedules deletion of user data across services when a user requests it. |
| The Right to Data Portability | GDPR | AccelByte Cloud's GDPR service ensures that user data collected across services is readable and potentially usable by different external services. |
| The Right to be Informed | Legal | AccelByte Cloud's Legal service allows you to provide players with information related to how the platform works and what personal data it collects from them. |
| The Right to Access | GDPR | AccelByte Cloud's GDPR service functions as an automated service that schedules collection of user data across services when a user requests it. |
| Rights in Relation to Automated Decision Making and Profiling | Event Log, Telemetry, Analytics | Telemetry and Analytics are configurable to ensure that users can opt-in or opt-out of the data collection process performed by those services. |
CCPA
| Individual Right | Related Service | Remarks |
|---|---|---|
| Rights to Notice | Legal | AccelByte Cloud's Legal service allows you to provide players with information related to how the platform works and what personal data it collects from them. |
| Rights to Know | GDPR | The GDPR service functions as an automated service that schedules collection of user data across services when a user requests it. |
| Rights to Data Portability | GDPR | AccelByte Cloud's GDPR service ensures that user data collected across services is readable and potentially usable by different external services. |
| Rights to Deletion | GDPR | AccelByte Cloud's GDPR service functions as an automated service that schedules deletion of user data across services when a user requests it. |
| Rights to Opt-Out | N/A | AccelByte Cloud doesn't sell consumer data, so we don't support this by default. It is your responsibility to ensure adherence to this regulation. |
| Rights to Opt-In for Children's Personal Information | N/A | AccelByte Cloud doesn't sell consumer data, so we don't support this by default. It is your responsibility to ensure adherence to this regulation. |
| Notify Consumers of Their Rights | Legal | AccelByte Cloud's Legal service allows you to provide players with information related to their rights under CCPA. |
How it Works
The two most basic rights users have to their data are the right to access that data and the right to delete it. The sequence diagrams below show how these requests are handled by our services.
Right of Access
Users can request access to their personal data either through the user platform, or manually. A personal data request should be processed within 28 days.
Personal Data Retrieval Process
The chart below shows the different statuses a personal data request may move through, and for how long the request can be processed before it expires or is removed from the queue.
These are all the statuses that will happen when requesting the personal data request.
- Pending The request is waiting to be processed.
- In-progress The request process has been started.
- Retrying If the request fails it will be automatically retried. The request will be retried a maximum of three times by default.
- Failed The request will be marked as Failed if the third retry is not successful. Both the user and the admin will be notified of this failure, so that they can re-submit the request either from the user portal or admin portal.
- Expired This status only occurs if there is a problem with the related services. If a request expires, the user or admin will have to make a new request.
- Removed from queue After 56 days, any remaining requests are automatically removed to optimize the service.
Successful Personal Data Request
Canceled Personal Data Request
Failed Personal Data Request
Right to Erasure
Users can request their personal data be deleted either through the user platform, or manually. The request should be processed within 28 days.
Personal Data Deletion Process
The chart below shows the different statuses a data deletion request may move through, and for how long the request can be processed before it fails.
These are all request statuses when request deletion of personal data happens.
- Request This status indicates that the request has just been made but the user's access token has not been revoked yet.
- Pending This status indicates that the user's access token has already been revoked. The deletion request can still be canceled until the expiry date of the request.
- In Progress After the request has expired, the scheduler will begin the deletion process for the user's account.
- Failed If the deletion process fails, the admin will be notified via email. The admin can then re-request the account be deleted, which will change the request's status back to pending.
Successful Data Deletion By User
Canceled Data Deletion By User
Data Deletion by Admin on Behalf of User
Deletion Process After Request Expiration
Retry Process for Failed Request
Manage GDPR in the Admin Portal
Personal Data Retrieval
Game administrators can request a user's account data, which can be used to troubleshoot problems that occur in the account system or to keep track of a user's changes to their account. Users can request access to their personal data either through the Player Portal or Launcher.
You can request other user's personal data by using super admin in the admin portal. But it will only be retrieved by the user who has already requested it from the admin. The personal data request status will be sent to the email of the user.
NOTE
This tutorial only occurs in the publisher namespace.
In the Admin Portal, expand the Users Management section and click Users.
Search for the player whose data you want to retrieve using the credential of that player you have on hand. For more information, see the Search for a User tutorial.
The results of your search will appear. Browse the list to find the account you're looking for and click View in the Action column of the account listing to open it.
In the Details window of the Overview tab, click the Send Request button next to Personal Data Request.
A pop-up will appear and you need to confirm the personal data request by clicking the Send Request button.
Once the request is sent, the approval process can take up to 28 days, based on how many requests have occurred at the same time.
As an admin, you can check the status of a personal data request by clicking the Personal Data Request button under the Platform Configuration drop down panel.
Here you can see all the lists of personal data requests that are happening. This all happens when the user or admin requests the personal data request. You can also filter when the request personal data occurs by clicking the filtering system on the top of the list.
Connect Custom Services to GDPR using the Server SDKs
SDK Initialization
Before using the GDPR service from the SDK, you will need to initialize your server-side SDK to ensure that you are authorized and able to perform create, read, update, and delete actions.
Golang SDK Initialization
Before using the GDPR service from the Golang SDK, you will need to initialize the SDK by following the steps below:
- Create your OAuth Client and assign the necessary permissions to access the GDPR service.
- Log in as a Client using the SDK.
- Initialize the GDPR service using the following function:
dataRetrievalService := &gdpr.DataRetrievalService{
Client: factory.NewGdprClient(&repository.ConfigRepositoryImpl{}),
TokenRepository: &repository.TokenRepositoryImpl{},
}
Once completed, you can use the Golang SDK to create, read, update, or delete the GDPR service from your serverless app.
Python SDK Initialization
Before using the GDPR service from the Python SDK, you will need to initialize the SDK by following the steps below:
- Create your OAuth Client and assign the necessary permissions to access the GDPR service.
- Log in as a Client using the SDK.
Once completed, you can use the Python SDK to create, read, update, or delete the GDPR service from your serverless app.
.NET (C#) SDK Initialization
Before using the GDPR service, you will need to set some permissions. Use the following .NET namespaces:
using AccelByte.Sdk.Api.Gdpr.Model;
using AccelByte.Sdk.Api.Gdpr.Operation;
using AccelByte.Sdk.Api.Gdpr.Wrapper;
Java SDK Initialization
Before using the GDPR service, you will need to set some permissions. Initialize the DataRetrieval wrapper from the GDPR service using the following code:
DataRetrieval wGdprRetrieval = new DataRetrieval(sdk);
Once completed, you can use the SDK to create, read, update, or delete GDPRs.
Create an Admin Email Configuration
To create an admin email configuration, use the following function.
- Golang
- Python
- C#
- Java
err := dataRetrievalService.SaveAdminEmailConfiguration(input)
if err != nil {
return err
}
return nil
from accelbyte_py_sdk.api.gdpr import save_admin_email_configuration
result, error = save_admin_email_configuration(
body=[
"foo"
]
)
if error:
print(error)
DataRetrieval wGdprRetrieval = new DataRetrieval(sdk);
wGdprRetrieval.SaveAdminEmailConfiguration(
SaveAdminEmailConfiguration.Builder
.Build(new List<string>
{
"dummy@example.com"
}, sdk.Namespace));
List<string>? emails = wGdprRetrieval.GetAdminEmailConfiguration(
GetAdminEmailConfiguration.Builder
.Build(sdk.Namespace));
wGdprRetrieval.saveAdminEmailConfiguration(SaveAdminEmailConfiguration.builder()
.namespace(namespace)
.body(Arrays.asList(new String[] { emailToTest }))
.build());
Retrieve an Admin Email Configuration
To retrieve an admin email configuration, use the following function.
- Golang
- Python
- Java
ok, err := dataRetrievalService.GetAdminEmailConfiguration(input)
if err != nil {
return err
}
return nil
from accelbyte_py_sdk.api.gdpr import get_admin_email_configuration
result, error = get_admin_email_configuration()
if error:
print(error)
List<String> emails = wGdprRetrieval.getAdminEmailConfiguration(
GetAdminEmailConfiguration.builder()
.namespace(namespace)
.build());
Update an Admin Email Configuration
To update an admin email configuration, use the following function.
- Golang
- Python
- C#
- Java
err := dataRetrievalService.UpdateAdminEmailConfiguration(input)
if err != nil {
return err
}
return nil
from accelbyte_py_sdk.api.gdpr import update_admin_email_configuration
result, error = update_admin_email_configuration(
body=[
"foo"
]
)
if error:
print(error)
DataRetrieval wGdprRetrieval = new DataRetrieval(sdk);
wGdprRetrieval.UpdateAdminEmailConfiguration(
UpdateAdminEmailConfiguration.Builder
.Build(new List<string>() { "anotheremail@dummy.com" }, sdk.Namespace));
wGdprRetrieval.updateAdminEmailConfiguration(UpdateAdminEmailConfiguration.builder()
.namespace(namespace)
.body(Arrays.asList(new String[] { anotherEmailToTest }))
.build());
Delete an Admin Email Configuration
To delete an admin email configuration, use the following function.
- Golang
- Python
- C#
- Java
err := dataRetrievalService.DeleteAdminEmailConfiguration(input)
if err != nil {
return err
}
return nil
from accelbyte_py_sdk.api.gdpr import delete_admin_email_configuration
result, error = delete_admin_email_configuration(
emails=[
"email@email.foo"
]
)
if error:
print(error)
DataRetrieval wGdprRetrieval = new DataRetrieval(sdk);
wGdprRetrieval.DeleteAdminEmailConfiguration(Api.Gdpr.Operation.DeleteAdminEmailConfiguration.Builder
.Build(sdk.Namespace, new List<string>() { "anotheremail@dummy.com" }));
wGdprRetrieval.deleteAdminEmailConfiguration(DeleteAdminEmailConfiguration.builder()
.namespace(namespace)
.emails(Arrays.asList(new String[] { anotherEmailToTest }))
.build());
Request for a User's Account Deletion
To submit a request for a user's account deletion, use the following function.
- Golang
- Python
- C#
ok, err := dataDeletionService.AdminSubmitUserAccountDeletionRequest(input)
if err != nil {
return err
}
return nil
from accelbyte_py_sdk.api.gdpr import admin_submit_user_account_deletion_request
result, error = admin_submit_user_account_deletion_request(
user_id="<user-id>"
)
if error:
print(error)
DataDeletion wGdprDeletion = new DataDeletion(_Sdk);
ModelsRequestDeleteResponse? delResp = wGdprDeletion.AdminSubmitUserAccountDeletionRequest(
AdminSubmitUserAccountDeletionRequest.Builder
.Build(sdk.Namespace, "<user_id>"));
Retrieve the User's Personal Data Request
To retrieve the user's personal data request, use the following function.
- Golang
- Python
- C#
ok, err := dataRetrievalService.AdminGetUserPersonalDataRequests(input)
if err != nil {
return err
}
return nil
from accelbyte_py_sdk.api.gdpr import admin_get_user_personal_data_requests
result, error = admin_get_user_personal_data_requests(
user_id="<user-id>"
)
if error:
print(error)
DataRetrieval wGdprRetrieval = new DataRetrieval(sdk);
ModelsUserPersonalDataResponse? reqResp = wGdprRetrieval.AdminGetUserPersonalDataRequests(
AdminGetUserPersonalDataRequests.Builder
.SetLimit(10)
.SetOffset(0)
.Build(_Sdk.Namespace, "<user_id>"));