Roblox updated its Privacy and Cookie Policy effective April 23, 2026 to add detailed language about how it collects and uses persistent identifiers (IP addresses and device identifiers) from all users, including children, for internal operations such as authentication, ad frequency capping, security, and legal compliance. The policy previously included a summary of changes section describing updates to ad personalization and authority-sharing practices; this summary was removed and replaced with specific disclosures about persistent identifier collection and the role of service providers. The operational change clarifies what data Roblox collects from minors and establishes technical and contractual measures limiting persistent identifier use to the listed internal purposes.
The updated policy adds explicit language disclosing that Roblox collects persistent identifiers (IP addresses and unique device identifiers) from all users, including children, for purposes including account authentication, ad frequency capping, network communications, and security. The policy states Roblox implements technical, contractual, and other measures to ensure these identifiers are not used for purposes outside the listed scope. This represents a clarification and formalization of practices rather than a change to what data is collected, but it does establish contractual limits on how that data may be used. You can review the full updated Privacy Policy to understand which persistent identifiers are collected and the specific operational purposes for which they are retained.
The updated policy establishes explicit contractual bounds on how Roblox uses persistent identifiers collected from all users including children. By stating that technical, contractual, and other measures limit identifier use to enumerated purposes, the policy creates an affirmative representation about data handling scope that may be enforceable and that affects how vendors and regulators assess the platform's compliance with data protection obligations.
→ Review the full updated Privacy Policy to understand which persistent identifiers are collected and for which specific operational purposes
→ The stated limitations on persistent identifier use will apply as written in the updated terms
→ If you do not understand how device and network identifiers are used, you will not have reviewed the specific operational purposes enumerated in the policy
ConductAtlas has recorded 2 material changes to this document over 45 days of monitoring (since March 2026). An additional minor or cosmetic changes were excluded.
Across all monitored documents, Roblox has made 5 significant changes.
Added contractual statement that persistent identifiers are collected from all users including children and are limited to enumerated internal operations through technical and contractual measures.
Specified six categories of internal operations for which persistent identifiers may be used: maintaining functioning, network communications, authentication, contextual ad serving with frequency capping, security, and regulatory compliance.
This change record describes what was added, removed, or modified in the document. Analysis reflects what the updated agreement states or permits. It does not constitute a legal determination about enforceability. Applicability may vary by jurisdiction. Methodology
The company has committed in writing that device identifiers and IP addresses will be used only for specific purposes like authentication and ad frequency capping, not for other secondary uses.
Roblox added approximately 19 sentences detailing its collection and use of persistent identifiers from all users including minors. The new language discloses specific internal operational purposes (authentication, ad frequency capping, security, regulatory compliance) and states that technical and contractual measures restrict use of these identifiers to those stated purposes. The policy also removed summary language previously describing ad personalization and authority-sharing practices, replacing it with more granular disclosure of identifier collection. Organizations using Roblox to serve their own customers should evaluate whether this disclosure affects their own privacy notices, vendor agreements, or compliance reporting, particularly given the specific mention of persistent identifier collection from minors.
COPPA (Children's Online Privacy Protection Act), GDPR, CCPA/CPRA, UK Data Protection Act 2018. The change discloses persistent identifier collection from children under 13, which engages COPPA's disclosure and parental consent requirements. The identifier categories (IP address, device identifiers) and purposes (authentication, ad serving) implicate GDPR Articles 6 and 9 regarding lawful basis and children's data; CCPA Section 1798.100 regarding consumer rights to know; and COPPA Rule 16 regarding persistent identifiers used to recognize children.
Full compliance analysis
Obligation analysis, escalation trigger, board language, and recommended action.
Watcher: regulatory citations + obligations. Professional: full compliance memo.
ConductAtlas provides verified policy intelligence sourced directly from platform documents. All analysis is intended to support, not replace, legal and compliance review. Record CA-C-001396.
See the full side-by-side comparison of every sentence added, removed, and modified.
🔒 Full diff — WatcherRoblox streamlined its Terms of Use on May 9, 2026 by removing redundant corporate entity listings and organizational boilerplate that …
On May 7, 2026, Roblox updated its Terms of Use to clarify the legal entities that operate the platform. The …
Roblox's privacy policy was updated on May 6, 2026 with an effective date of April 30, 2026. The update added …
Get alerted when this policy changes again — including what changed and why it matters.
Prefer a weekly summary instead?
Get the biggest policy changes across 320+ platforms every Sunday.