Roblox hit with class action over alleged secret tracking of kids’ data; lawsuit claims privacy law violations and unauthorized data sharing.
Roblox, a platform known for its popularity among children and teens, is now the focus of a class action lawsuit that accuses the company of covertly harvesting data from its youngest users.
Filed in a California federal court by plaintiffs Michael and Salena Garcia, the suit claims Roblox has been quietly monitoring players without proper consent. According to the 45-page complaint, Roblox uses hidden tracking tools to collect a wide range of data, from keystrokes and chat messages to mouse activity and search queries.
The lawsuit also alleges that the company links these interactions to individual devices using unique identifiers. This allows Roblox to build detailed behavioural profiles of players, which the plaintiffs say are used for targeted content and shared with third-party advertisers.
Roblox has been secretly collecting detailed personal data and intercepting user activity through hidden tracking code built into its site and apps, without users or their parents knowing.
“This data surveillance begins the moment a user visits or launches Roblox, even before account login or consent, and continues across platforms (web, iOS, Android, macOS, Windows) via persistent identifiers and fingerprinting techniques.”
Source: Class Action Complaint, Garcia v. Roblox Corporation, U.S. District Court, Northern District of California, 2024.
This legal move puts Roblox in the same spotlight as other tech companies facing criticism over data privacy practices affecting children. While the company promotes itself as a safe space for play and creativity, the complaint suggests a different story unfolding behind the scenes.
In response to the lawsuit, a Roblox spokesperson provided the following statement to Hackread.com:
“Roblox prioritizes safety and aims to provide a secure, civil and welcoming platform for all. We respect applicable laws and regulations, collaborating with regulators, authorities and safety organizations in the countries in which we operate. We are committed to helping protect our youngest users, undergoing regular third-party audits of our policies and practices to certify that Roblox has safety measures in place and is COPPA-compliant. We consistently update our policies to enhance user safety, security, and privacy.”
Roblox Spokesperson
According to Roblox, the platform is certified as COPPA-compliant by kidSAFE, an FTC-approved certifier. The company says it has built its systems in alignment with major data privacy laws, including the GDPR in the EU and the CCPA in California.
Roblox states it does not collect, use, sell, or share sensitive personal data such as health information, race, religion, or sexual orientation. To protect user data, the company claims to use encryption, secure storage, and other safeguards to prevent unauthorized access or disclosure.
Additionally, users can control who interacts with them limiting or disabling chat, messages, and private server invites. Roblox also notes that when users enable camera features, any visual data is processed locally and deleted in real-time, with video never leaving the device.
Kern Smith, Vice President of Global Solutions at mobile security firm Zimperium, warns that mobile security often takes a back seat in discussions about child safety online. “Parents focus heavily on what their kids are doing in the game, but the device and the app itself are also areas of concern,” he said.
“When a mobile app is widely used, it becomes a bigger target for phishing, malware, and data breaches. If a phone or tablet is compromised, it opens the door for attackers to access sensitive data or manipulate app behaviour.”
The lawsuit shows the public worry about how companies collect and use data from minors. Under federal law, including the Children’s Online Privacy Protection Act (COPPA), companies must obtain verifiable parental consent before collecting personal data from children under 13. The Garcias claim that Roblox sidesteps these requirements through silent tracking that parents never see.
For now, the case remains in the early stages, but it indicates legal pressure on platforms serving young audiences. If the court finds the claims valid, Roblox could face serious consequences, not only in the form of financial penalties but also tougher oversight of its data handling practices.
Parents concerned about their child’s digital safety are advised to monitor not only app content but also the security of the devices their kids use. Tools that offer real-time threat detection and malware protection can help reduce risks tied to invisible data collection.
