The policy states that account deletion initiates permanent data deletion but permits retention and processing of persistent identifiers such as IP addresses and device identifiers for up to two years after deletion for stated safety and security purposes.
This analysis describes what Roblox's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision establishes a two-year post-deletion retention period for persistent identifiers, which creates a materially longer data lifecycle than account deletion alone would suggest. Under GDPR, retention beyond what is necessary for the original purpose requires a documented lawful basis and proportionality justification; under CCPA and similar state laws, users' deletion rights may be subject to exceptions for security and fraud prevention purposes.
Under this clause, users who delete their Roblox accounts may have persistent identifiers including IP addresses and device identifiers retained for up to two years after deletion for safety and security purposes as stated in the policy. The agreement characterizes this as an exception to the general permanent deletion practice initiated upon account closure.
How other platforms handle this
We keep information for as long as we need it to provide our products, comply with legal obligations, or for other legitimate purposes, such as to maintain safety, security, and integrity.
After your account is deleted, we keep data about interactions you've had on our service to prevent abuse, ban evaders and others in an effort to protect and ensure the safety and security of our service and our members.
We retain personal information for as long as necessary to provide our services, comply with legal obligations, resolve disputes, and enforce our agreements. The specific retention periods depend on the type of information and the purposes for which it is processed.
Monitoring
Roblox has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"When you delete your account, Roblox initiates permanent deletion of data in our systems. For safety and security purposes (e.g., bot prevention), Roblox may process persistent identifiers for up to two years after account deletion.— Excerpt from Roblox's Roblox Privacy Policy
REGULATORY LANDSCAPE: Post-deletion data retention implicates GDPR's storage limitation principle, which requires that personal data not be retained longer than necessary for the specified purpose; US state privacy laws including CCPA contain security and fraud prevention exceptions to deletion rights that may permit this practice. The relevant enforcement authorities are GDPR supervisory authorities for EU and UK users and state Attorneys General for US state law purposes. GOVERNANCE EXPOSURE: Medium. The two-year retention period for persistent identifiers is specific and bounded, and the stated purpose of bot prevention is a recognized security rationale; however, GDPR compliance requires that the proportionality of this retention period be documented and defensible. JURISDICTION FLAGS: EEA and UK users have stronger deletion rights under GDPR Article 17; the security exception to deletion must be narrowly construed and documented. California residents have CCPA deletion rights subject to security exceptions, but the scope of those exceptions has been subject to regulatory scrutiny. CONTRACT AND VENDOR IMPLICATIONS: Service providers with access to retained post-deletion persistent identifiers should be subject to data processing agreements that restrict use to the stated security purposes and include deletion obligations at the end of the two-year period. COMPLIANCE CONSIDERATIONS: Compliance teams should document the legal basis for the two-year post-deletion retention under GDPR, confirm that access to retained identifiers is restricted to security use cases, establish automated deletion workflows triggered at the end of the retention period, and evaluate whether the retention period is the minimum necessary for the stated bot prevention purpose.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision establishes a two-year post-deletion retention period for persistent identifiers, which creates a materially longer data lifecycle than account deletion alone would suggest. Under GDPR, retention beyond what is necessary for the original purpose requires a documented lawful basis and proportionality justification; under CCPA and similar state laws, users' deletion rights may be subject to exceptions for security and …
Under this clause, users who delete their Roblox accounts may have persistent identifiers including IP addresses and device identifiers retained for up to two years after deletion for safety and security purposes as stated in the policy. The agreement characterizes this as an exception to the general permanent deletion practice initiated upon account closure.
ConductAtlas has identified this type of provision across 1 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Roblox.