Manage User Data Portability & Erasure

Last updated on May 14, 2024

Overview

The AccelByte Gaming Services (AGS) GDPR service ensures your game is compliant with the EU's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). These data privacy laws govern how you and your users can use and manage their personal information.

The two most basic rights users have to their data are the right to access that data and the right to delete it. The following sequence diagrams show how these requests are handled by our services.

Important

While we can help you with the technical aspects of data protection and compliance, we cannot provide you with legal advice. We recommend that you consult a legal professional to ensure your compliance with specific legal regulations.

AGS Starter

The GDPR service feature is not yet supported in AGS Starter.

Right of access

Users can request access to their personal data through the user platform. A personal data request should be processed within 28 days.

Personal data retrieval

The following chart shows the different statuses a personal data request may move through, and for how long the request can be processed before it expires or is removed from the queue.

personal-data-retrieval-process

A personal data request can have the following statuses:

  • Pending: The request is waiting to be processed.
  • In-progress: The request process has been started.
  • Retrying: If the request fails it will be automatically retried. The request will be retried a maximum of three times by default.
  • Failed: The request will be marked as Failed if the third retry is not successful. Both the user and the admin will be notified of this failure, so that they can re-submit the request either from the user portal or admin portal.
  • Expired: This status only occurs if there is a problem with the related services. If a request expires, the user or admin will have to make a new request.
  • Removed from queue: Any remaining requests are automatically removed after 56 days to optimize the service.

Successful personal data request

successful-personal-data-retrieval

Canceled personal data request

cancelled-request-for-personal-data-retrieval

Failed personal data request

failed-request-for-personal-data-retrieval

Right to erasure

You can request personal data deletion through the user platform, or manually. Most requests are processed within 28 days.  

Personal data deletion

The following chart shows the different statuses a data deletion request may move through. It also shows for how long the request can be processed before failing.

personal-data-deletion

The following are the request statuses during the deletion of personal data:

  • Request: This indicates that the request has just been made, but the user's access token is not revoked yet.
  • Pending: This indicates that the user's access token has already been revoked. It is still possible to cancel the deletion request until its expiration date.
  • In Progress: This indicates that the scheduler has begun deleting the user's account after the request has expired.
  • Failed: This indicates that the deletion process has failed. In such cases, the admin is notified via email. The admin can then resubmit the request to delete the account, thereby changing its status back to pending.  
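The deletion lifecycle above, written as a guarded transition function so that a custom service can reject out-of-order events such as a cancellation after the expiration date. This is an added example, not AccelByte SDK code: the Deletion type, the event names, the Canceled and Deleted end states and the Expires field are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"time"
)

// The first four statuses are the ones listed above; Canceled and Deleted
// are assumed names for the two end states.
type Status string

const (
	Requested, Pending, InProgress Status = "Request", "Pending", "In Progress"
	Failed, Canceled, Deleted      Status = "Failed", "Canceled", "Deleted"
)

// Deletion is a hypothetical local record of one erasure request.
type Deletion struct {
	Status  Status
	Expires time.Time // end of the cancellation window, supplied by the caller
}

// Apply moves d to its next status for a (hypothetically named) event, or rejects it.
func (d *Deletion) Apply(event string, now time.Time) error {
	expired := !now.Before(d.Expires)
	switch {
	case event == "token-revoked" && d.Status == Requested:
		d.Status = Pending
	case event == "cancel" && d.Status == Pending && !expired:
		d.Status = Canceled
	case event == "scheduler-run" && d.Status == Pending && expired:
		d.Status = InProgress
	case event == "deleted" && d.Status == InProgress:
		d.Status = Deleted
	case event == "delete-error" && d.Status == InProgress:
		d.Status = Failed // the admin is notified by email
	case event == "admin-resubmit" && d.Status == Failed:
		d.Status = Pending
	default:
		return fmt.Errorf("%q not allowed while %q", event, d.Status)
	}
	return nil
}

func main() {
	d := &Deletion{Status: Pending, Expires: time.Now().Add(-time.Hour)}
	err := d.Apply("cancel", time.Now()) // rejected: the window has closed
	fmt.Println(err, d.Status)
}
```

Cancellation is modelled only for Pending, the one status for which the page states it.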

Successful data deletion by user

successful-data-deletion-request

Canceled data deletion by user

cancelled-request-for-data-deletion

Data deletion by admin on behalf of user

data-deletion-request-by-admin

Deletion process after request expiration

data-deletion-after-request-expiry

Retry process for failed request

retry-failed-request

Manage GDPR in the Admin Portal

Personal data retrieval

An administrator can request a user's account data to troubleshoot problems with the account system or to keep track of changes made to the account. Player Portal or Launcher users can request access to their personal data.

The super admin feature in the admin portal lets you request personal data about other users. The admin can only retrieve it on behalf of the user who requested it. An email is sent to the user regarding the status of the personal data request.

NOTE

The following functionality is only available in the publisher namespace.

  1. In the Admin Portal, expand the User Management section and click Users.

    personal-data-retrieval-process

  2. Search for the player whose data you want to retrieve, using whichever of that player's credentials you have on hand.

    search-user-in-usermanagement

  3. The results of your search will appear. Browse the list to find the account you're looking for and click View in the Action column of the account listing to open it.

    user-view-action

  4. In the Details window of the Overview tab, click the Send Request button next to Personal Data Request.

    user-overview-send-data-request

  5. In the pop-up that appears, confirm the personal data request by clicking the Send Request button.

    personal-data-request-confirmation

    Once the request is sent, the approval process can take up to 28 days, depending on how many requests are being processed at the same time.

  6. As an admin, you can check the status of a personal data request by clicking the Personal Data Request button under the Platform Configuration drop-down panel.

    personal-data-request-platform-configurations

  7. This page lists all personal data requests, whether they were submitted by a user or by an admin. You can also filter the list by when a request was made, using the filter at the top of the list.

    personal-data-request-dashboard

Connect Custom Services to GDPR using the server SDKs

SDK initialization

Before using the GDPR service from the SDK, you will need to initialize your server-side SDK to ensure that you are authorized and able to perform create, read, update, and delete actions.

  1. Create your IAM Client.

  2. Log in as a Client using the SDK.

  3. Initialize the OAuth 2.0 service using the following function:

    import (
        ...
        "github.com/AccelByte/accelbyte-go-sdk/gdpr-sdk/pkg/gdprclient/data_retrieval"
    )

    input := &data_retrieval.SaveAdminEmailConfigurationParams{
        Body:      []string{"foo"},
        Namespace: "<namespace>",
    }

    err := dataRetrievalService.SaveAdminEmailConfigurationShort(input)
    if err != nil {
        return err
    }

    Once completed, you can use the Golang SDK to create, read, update, or delete the GDPR service from your serverless app.

    Golang test case files

Create an Admin email configuration

To create an admin email configuration, use the following function.

import (
    ...
    "github.com/AccelByte/accelbyte-go-sdk/gdpr-sdk/pkg/gdprclient/data_retrieval"
)

input := &data_retrieval.SaveAdminEmailConfigurationParams{
    Body:      []string{"foo"},
    Namespace: "<namespace>",
}

err := dataRetrievalService.SaveAdminEmailConfigurationShort(input)
if err != nil {
    return err
}

Retrieve an Admin email configuration

To retrieve an admin email configuration, use the following function.

import (
    ...
    "github.com/AccelByte/accelbyte-go-sdk/gdpr-sdk/pkg/gdprclient/data_retrieval"
)

input := &data_retrieval.GetAdminEmailConfigurationParams{
    Namespace: "<namespace>",
}

// invoke the endpoint through the initialized service;
// ok holds the response returned on success
ok, err := dataRetrievalService.GetAdminEmailConfigurationShort(input)
if err != nil {
    return err
}

Update an Admin email configuration

To update an admin email configuration, use the following function.

import (
    ...
    "github.com/AccelByte/accelbyte-go-sdk/gdpr-sdk/pkg/gdprclient/data_retrieval"
)

input := &data_retrieval.UpdateAdminEmailConfigurationParams{
    Body:      []string{"foo"},
    Namespace: "<namespace>",
}

err := dataRetrievalService.UpdateAdminEmailConfigurationShort(input)
if err != nil {
    return err
}

Delete an Admin email configuration

To delete an admin email configuration, use the following function.

import (
    ...
    "github.com/AccelByte/accelbyte-go-sdk/gdpr-sdk/pkg/gdprclient/data_retrieval"
)

input := &data_retrieval.DeleteAdminEmailConfigurationParams{
    Emails:    []string{"foo"},
    Namespace: "<namespace>",
}

err := dataRetrievalService.DeleteAdminEmailConfigurationShort(input)
if err != nil {
    return err
}

Request for a user's account deletion

To submit a request for a user's account deletion, use the following function.

import (
    ...
    // the deletion parameters live in the data_deletion package
    "github.com/AccelByte/accelbyte-go-sdk/gdpr-sdk/pkg/gdprclient/data_deletion"
)

input := &data_deletion.AdminSubmitUserAccountDeletionRequestParams{
    Namespace: "<namespace>",
    UserID:    "<user-id>",
}

// invoke the endpoint through the initialized service;
// ok holds the response returned on success
ok, err := dataDeletionService.AdminSubmitUserAccountDeletionRequestShort(input)
if err != nil {
    return err
}

Retrieve the user's personal data request

To retrieve the user's personal data request, use the following function.

import (
    ...
    "github.com/AccelByte/accelbyte-go-sdk/gdpr-sdk/pkg/gdprclient/data_retrieval"
)

// page through the user's requests: at most limit entries, starting at offset
limit := int64(10)
offset := int64(0)
input := &data_retrieval.AdminGetUserPersonalDataRequestsParams{
    Namespace: "<namespace>",
    UserID:    "<user-id>",
    Limit:     &limit,
    Offset:    &offset,
}

// invoke the endpoint through the initialized service;
// ok holds the response returned on success
ok, err := dataRetrievalService.AdminGetUserPersonalDataRequestsShort(input)
if err != nil {
    return err
}