The Lie at the Heart of Roblox’s Surveillance Empire
The Non-Financial Ledger: What Was Stolen From One Family
R.G. was nine years old when she started playing Roblox. Her parents, Michael and Salena Garcia, let her. Why wouldn’t they? The platform marketed itself as a safe, bright, cartoon-filled world for kids. It had a “#1 kids’ gaming platform” reputation. It even let parents know that accounts for children under 13 would have chat filters. Everything about the product said: we know your kids are here, and we are handling them carefully.
That was a lie.
From the moment R.G.’s device touched the Roblox platform, software was running in the background that had nothing to do with the games she was playing. Code was extracting a unique signature from the way her specific graphics card renders pixels, invisible to her. Code was measuring the exact sound her device’s audio processor produced when playing a tone she couldn’t hear, turning that measurement into an identifier she could never clear. Her mouse movements, her scroll speed, the cadence of her keystrokes on the chat field, the characters she typed before she decided to delete them and write something different: all of it was captured, packaged, and sent off her device in real time to Roblox’s servers and to at least three outside companies she had never heard of.
None of this was disclosed to her parents. Michael Garcia downloaded the app. Salena Garcia helped set up the account. By doing those ordinary things, both of them were also immediately subjected to the same data extraction as their daughter. The tracking attached to them too.
When the Garcias eventually discovered what Roblox had been doing, the complaint documents that they experienced anxiety and distress. That language is legal understatement for something more human and more serious. These parents had made a deliberate decision to supervise their child’s internet access. They thought they had evaluated the risks. They trusted a company that was spending its marketing budget to look trustworthy. That trust was the mechanism Roblox used to gain access to their child. The betrayal is not abstract.
R.G. is now identified in this lawsuit only by her initials. She still does not fully know the scope of what was collected from her. The profile Roblox built on her, linking her gaming habits, her friend interactions, her device fingerprint, her behavioral biometrics, may still exist on Roblox’s servers and on servers belonging to companies she has never dealt with. The lawsuit asks for that data to be deleted. Roblox has not deleted it.
R.G. represents over 32 million children worldwide who were using Roblox while under the age of 13. Every one of them was subjected to the same system. Most of their parents still do not know.
How Roblox Built a Wiretap Inside a Children’s Game
The complaint is built on forensic evidence: network logs, HTTP Archive files, packet captures. The surveillance system it describes is not speculation. It is documented, technical, and deliberate. These are the specific mechanisms Roblox deployed.
- Canvas Fingerprinting: When you load Roblox, code immediately instructs your browser to draw a hidden image using your device’s graphics hardware and software. The way your specific GPU renders that image is unique. Roblox reads back the pixel data, hashes it into a single identifier, and keeps it. This happens before you click anything, before you log in, before you see a cookie banner.
- Audio Fingerprinting: Roblox’s code uses the Web Audio API to generate an inaudible oscillator tone through an OfflineAudioContext, then measures the tiny variations in how your device’s audio processor handles that signal. Those variations are unique to your hardware and create a second, independent identifier. No sound plays. No permission is asked.
- Persistent Unique Identifiers (UIDs): Roblox generates values including deviceUniqueID, RBXID, and RBXSessionID and stores them in the browser’s local storage. These are designed to survive logout, cookie deletion, incognito mode, and app reinstallation. The complaint states forensic evidence shows Roblox can re-link a returning user to their prior profile even after those conventional privacy measures are taken.
- Keystroke and Mouse Logging: Roblox attaches hidden event listeners to form fields and interaction areas. The complaint documents that each keystroke in a login or chat field is captured with timing data and sent to Roblox’s servers even if the user never submits the form. If a child types “I hate school” in a chat and then deletes it and types something else, both versions were captured.
- Behavioral Biometrics via Arkose Labs: A third-party “bot detection” vendor called Arkose Labs has scripts running inside Roblox that collect mouse movement patterns, typing rhythms, cursor velocity, and tap cadence. The stated purpose is distinguishing humans from bots. The effect is that Roblox and Arkose hold detailed biometric-proxy profiles of every user, including children.
- Real-Time Third-Party Transmission: Network requests to ecsv2.roblox.com (Roblox’s own analytics), ssl.google-analytics.com (Google), and Stripe’s servers begin firing within seconds of a page load, before any consent interface appears. Forensic capture confirmed these requests contain fingerprint hashes, device information, and unique identifiers. The user’s data is sent to at least three external companies before the user has read a single word of a privacy policy.
- Stripe on Non-Payment Pages: Roblox loads Stripe’s code on pages that involve no financial transaction. Stripe’s scripts are documented to perform device fingerprinting. Roblox uses Stripe purely as an additional data collection mechanism on pages where Stripe has no business purpose.
- Cross-Platform Profiling: By combining canvas hash, audio hash, browser characteristics, installed fonts, GPU and CPU identifiers, and behavioral metrics, Roblox can link a single user’s activity across different devices, different browsers, different accounts, and different sessions over years. A child switching from a school Chromebook to a home iPad is still recognized as the same profile.
— Class Action Complaint, Paragraph 25
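The pre-consent transmission described above can be checked against a capture of your own. This sketch is an added example, not code from the complaint or from Roblox: it reads a HAR export and lists requests to the hosts named in this article that started before a consent timestamp the analyst supplies, with any of the named identifiers they carry. The `stripe.com` suffix, the function names and the sample capture are assumptions made for the illustration.

```python
import json
from datetime import datetime
from urllib.parse import parse_qsl, urlsplit

# Hosts named in the article; the Stripe suffix is an assumption (no hostname is given).
WATCH_HOSTS = ("ecsv2.roblox.com", "ssl.google-analytics.com", "rbxtrk.com", "stripe.com")
# Identifier names quoted from the complaint, compared case-insensitively.
ID_KEYS = {"deviceuniqueid", "rbxid", "rbxsessionid"}

def parse_ts(value):
    """Parse a HAR ISO 8601 timestamp with a trailing 'Z' or a UTC offset."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def is_watched_host(host):
    """Exact or subdomain match, so a lookalike such as notrbxtrk.com is not flagged."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in WATCH_HOSTS)

def identifier_names(request):
    """Watched identifier names found in the query string, cookies or request body."""
    names = [k for k, _ in parse_qsl(urlsplit(request["url"]).query, keep_blank_values=True)]
    names += [c["name"] for c in request.get("cookies", [])]
    post = request.get("postData", {})
    names += [p["name"] for p in post.get("params", [])]
    if "json" in post.get("mimeType", ""):
        try:
            body = json.loads(post.get("text", ""))
            names += list(body) if isinstance(body, dict) else []
        except ValueError:
            pass  # malformed body: keep whatever was found elsewhere
    return sorted({n for n in names if n.lower() in ID_KEYS})

def pre_consent_requests(har, consent_at):
    """Requests to watched hosts that started before the analyst-supplied consent time."""
    cutoff = parse_ts(consent_at)
    findings = []
    for entry in har["log"]["entries"]:
        host = urlsplit(entry["request"]["url"]).hostname or ""
        if is_watched_host(host) and parse_ts(entry["startedDateTime"]) < cutoff:
            findings.append({"host": host, "started": entry["startedDateTime"],
                             "identifiers": identifier_names(entry["request"])})
    return findings

# Constructed sample capture: paths, values and timestamps are invented for the example.
SAMPLE_HAR = {"log": {"entries": [
    {"startedDateTime": "2024-01-01T12:00:00.150Z", "request": {
        "url": "https://ecsv2.roblox.com/sample?deviceUniqueID=PLACEHOLDER",
        "cookies": [{"name": "RBXSessionID", "value": "PLACEHOLDER"}]}},
    {"startedDateTime": "2024-01-01T12:00:00.900Z", "request": {
        "url": "https://ssl.google-analytics.com/sample",
        "postData": {"mimeType": "application/json", "text": '{"RBXID": "PLACEHOLDER"}'}}},
    {"startedDateTime": "2024-01-01T12:00:01.000Z", "request": {
        "url": "https://static.example.test/app.js"}},
    {"startedDateTime": "2024-01-01T12:00:09.000Z", "request": {
        "url": "https://js.stripe.com/sample"}},
]}}

if __name__ == "__main__":
    print(pre_consent_requests(SAMPLE_HAR, "2024-01-01T12:00:05.000Z"))
```

A HAR file does not record when a consent prompt appeared or was accepted, so the cutoff has to come from the analyst's own notes or a screen recording of the session.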
Legal Receipts: What the Complaint States in Its Own Words
These are direct quotations from the filed complaint. They are not summaries or paraphrases. Read them carefully.
“Roblox has been surreptitiously intercepting their electronic communications and harvesting detailed personal data through covert tracking code embedded in its website and apps. This data surveillance begins the moment a user visits or launches Roblox, even before account login or consent.”
— Paragraph 1, Nature of the Action
- This establishes that surveillance is automatic and pre-consent, meaning Roblox’s position that users agreed to terms is factually impossible: the data collection precedes any opportunity for agreement.
- The phrase “even before account login” is legally significant because it eliminates any argument that Roblox’s terms of service constitute meaningful consent: users are tracked before they ever see those terms.
“Roblox’s code executes canvas fingerprinting… and audio fingerprinting… immediately upon a user’s visit and assigns unique tracking IDs that persist across sessions and devices, enabling the re-identification of users even after they log out or clear cookies.”
— Paragraph 2
- This confirms the tracking system is engineered specifically to defeat conventional privacy measures. Clearing cookies is the standard advice given to users concerned about tracking. Roblox built a system that makes that advice useless.
- “Re-identification” means that even a user who deletes their account can be recognized and linked to their prior data on their next visit. The profile persists even without the account.
“Roblox never provided parents with direct notice of these data practices nor sought parental consent, as required by COPPA.”
— Paragraph 3
- This is the core COPPA violation stated plainly. COPPA is not ambiguous: operators of child-directed services must obtain verifiable parental consent before collecting personal data. The complaint states Roblox simply did not do this.
- The complaint goes further, noting that Roblox’s only gesture toward COPPA compliance was emailing its Terms of Service to a parent’s recovery email after the child had already accessed the platform and been tracked.
“Each keystroke in a login or chat field is captured (with timing data) and sent to Roblox’s servers even if the user never submits the form.”
— Paragraph 25(c)
- This is a keylogger. The complaint uses the more clinical term “hidden event listeners,” but the function is identical to what the word keylogger describes: recording what a person types without their knowledge.
- The phrase “even if the user never submits the form” is particularly significant. It means that private thoughts a child typed and then decided to delete were still captured and transmitted.
“Roblox operates a dedicated tracking domain rbxtrk.com for user data collection and also relies on mainstream trackers like Google Analytics. Thus, a child playing a game on Roblox could unknowingly have their information shared with external advertising networks that build a broader profile of that child across the web.”
— Paragraph 27(b)
- This establishes that Roblox’s tracking does not stay inside Roblox. Data about a child’s behavior on Roblox feeds into advertising ecosystems that track that child across unrelated websites and apps.
- The dedicated domain rbxtrk.com is documented evidence of infrastructure Roblox built specifically for surveillance, separate from the infrastructure needed to run the actual game platform.
“Roblox’s only gesture toward COPPA compliance in this context is the delivery of its ‘Roblox Terms’ to the provided parental email address after the minor has already accessed and engaged with the platform. At no point prior to the collection of the child’s personal information does Roblox obtain verifiable parental consent.”
— Paragraph 29
- This exposes Roblox’s COPPA compliance as performed rather than real. The company sends a notification after the child is already on the platform and already being tracked. The data has already been collected before the parent receives any notice.
- COPPA’s requirement of “verifiable parental consent” has specific approved methods: signed forms, credit card verification, toll-free phone calls. Sending a terms-of-service email after the fact satisfies none of them.
— Paragraph 25(b)
Who’s Listening: The Full Network of Data Recipients
Roblox did not build this surveillance system alone, and it does not profit alone. The complaint identifies a web of entities receiving user data, each playing a specific role. The relationship below documents who receives what and why.
Societal Impact: Who Gets Hurt and How
Public Health: The Psychological and Safety Costs of Surveilling Children
The complaint is explicit that the harms to children are distinct from the harms to adults, and that children are uniquely vulnerable to what Roblox built. These are the documented harms the complaint identifies.
- Children are less aware of privacy risks than adults, and Roblox’s tracking exploits that gap directly. The platform was designed to appear as a game while functioning as a behavioral data collection instrument, targeting a demographic specifically because they cannot recognize what is being done to them.
- Roblox’s behavioral profiling enables algorithmic manipulation of children’s in-platform experience. By analyzing play habits, chat activity, and biometric proxies like typing cadence, Roblox could predict what would keep a child engaged longer and adjust content accordingly, prioritizing platform revenue over the child’s welfare.
- The unauthorized creation of a persistent, cross-platform profile on a child carries ongoing safety risks. If Roblox’s servers or any third-party server holding that data were breached, the exposed profile would contain device fingerprints, behavioral patterns, and potentially location-inferring data tied to a specific identified minor.
- Parents Michael and Salena Garcia are documented in the complaint as experiencing anxiety and distress upon learning of the surveillance. The complaint acknowledges this as a concrete, non-abstract harm: the emotional consequence of discovering your child was secretly profiled on a platform you trusted.
- The complaint notes that children were being profiled by Roblox and its ad-tech partners “unbeknownst to their parents.” This actively undermined parents’ ability to make informed decisions about their children’s online safety, stripping parents of the oversight role that is foundational to child protection law.
- Roblox’s data on children’s gameplay and social interactions could potentially be accessed by or shared with third parties in ways that go beyond advertising, including future commercial exploitation or use by parties with interests that are adverse to children’s wellbeing.
— Complaint, Paragraph 33
Economic Inequality: Who Bears the Cost of Roblox’s Profit Model
Roblox monetized the data of its least-protected users, children, without their knowledge or consent, while keeping all financial benefit. These are the documented economic dimensions of that arrangement.
- Roblox’s platform is free to join, which is explicitly how it attracted a massive youth audience. The free model was economically viable specifically because user data, including children’s data, replaced subscription fees as the revenue mechanism. Users who could not afford to pay were paying in surveillance.
- Many class members, including the Garcias, spent real money on Robux virtual currency during the period when Roblox was secretly collecting their data. The complaint states they would not have financially supported the platform had they known. That money is now part of Roblox’s revenue built on undisclosed surveillance.
- The data economy numbers cited in the complaint illustrate the scale of what was extracted without compensation. Data-driven internet advertising was valued at over $112 billion, vastly exceeding the $33.3 billion generated by direct data sales. Roblox participates in the former, the more lucrative model, using its users as the raw material.
- Individual statutory damages under ECPA are set at $10,000 per person, or $100 per day of violation. For a child who used Roblox on 200 separate days, that is $20,000. Most individual users will never pursue that claim on their own, which is precisely why this is structured as a class action: the economic barrier to individual litigation is how companies like Roblox get away with this at scale.
- Roblox is a publicly traded corporation. The data practices alleged in this complaint directly supported user engagement metrics and advertising revenue that benefited institutional investors and executives, while the cost in privacy, safety, and lost autonomy was borne entirely by children and their families.
- The OECD data cited in the complaint documents that personal data points have explicit market prices: addresses, birthdates, device identifiers. Every child who used Roblox was generating data with real dollar values that Roblox monetized. None of those children or their parents received any share of that value.
The Timeline: How Long This Was Allowed to Continue
The Cost of a Life Metric: What Roblox Extracted vs. What It Offered
What Now: Who To Pressure, Who To Contact, and What To Do
The lawsuit is filed. The class period runs from July 1, 2021 to the present. If you or your child used Roblox during that period, you are a potential class member. Here is where the accountability pressure needs to go.
Corporate Accountability Targets
The complaint names Roblox Corporation, headquartered at 970 Park Place, San Mateo, California 94403, as the primary defendant. The following corporate roles are directly implicated by the complaint’s allegations:
- Chief Executive Officer of Roblox Corporation: responsible for the business model that monetizes user surveillance, including children.
- Chief Technology Officer: responsible for the technical architecture that deploys canvas fingerprinting, audio fingerprinting, keystroke logging, and third-party tracker integration.
- Chief Privacy Officer / Head of Legal Compliance: responsible for Roblox’s COPPA compliance program, which the complaint documents as non-functional.
- Chief Revenue Officer: responsible for the advertising and analytics partnerships that received children’s data, including the Google Analytics, Stripe, and Arkose Labs integrations.
- Doe Defendants 1–10: additional third-party analytics and advertising companies whose identities the complaint states will be confirmed through discovery.
Regulatory Watchlist
These agencies have jurisdiction over Roblox’s conduct and can impose civil penalties, issue orders, and initiate their own investigations independently of this lawsuit.
- Federal Trade Commission (FTC): COPPA is an FTC-enforced statute. The FTC can impose civil penalties per violation per day against Roblox for collecting children’s data without parental consent. File a complaint at ftc.gov/complaint.
- State Attorneys General: COPPA authorizes state AGs to bring civil actions on behalf of state residents. California, New York, and Illinois AGs have each previously pursued children’s privacy enforcement actions. Contact your state AG directly.
- Department of Justice (DOJ): ECPA violations (the Wiretap Act charges) carry criminal penalties in addition to the civil remedies sought here. The DOJ’s Computer Crime and Intellectual Property Section (CCIPS) handles these cases.
- Consumer Financial Protection Bureau (CFPB): Relevant to the extent Roblox’s data practices intersect with in-game financial transactions and the exploitation of minors in commercial contexts.
- Securities and Exchange Commission (SEC): Roblox is a publicly traded company. Misrepresentations to investors about its data practices or COPPA compliance exposure may constitute securities fraud. File tips at sec.gov/tcr.
Mutual Aid and Grassroots Actions
- Install a browser extension that blocks tracking scripts, such as uBlock Origin or Privacy Badger, on any device your child uses to access Roblox. These will not stop all tracking but will interrupt some third-party data transmission documented in the complaint.
- Contact Counterpoint Legal (morgan@counterpointfirm.com / rsalgado@counterpointfirm.com) if you or your child used Roblox between July 1, 2021, and the present. You do not need to have suffered financial loss to be a class member. Your privacy rights were violated at the moment of first access.
- Share this investigation with every parent in your network. Most parents of Roblox users still do not know this lawsuit exists or that their child’s data was collected in this way. Awareness is the precondition for organizing.
- Contact your federal representatives and demand a strengthening of COPPA. The current law does not provide a private right of action for damages. Families cannot sue for COPPA violations directly; only regulators can. This legal gap is why Roblox was able to operate this way for years without accountability.
- Support organizations working on children’s digital rights, including the Electronic Frontier Foundation (EFF), the Center for Digital Democracy, and Common Sense Media, all of which advocate for stronger federal children’s privacy legislation and publish independent analyses of platform tracking practices.
- If you are a Roblox developer or current or former employee who has direct knowledge of the tracking systems described in this complaint, federal whistleblower protections exist. The FTC and SEC both have whistleblower programs that include financial awards for information leading to enforcement actions.
The source document for this investigation is attached below.


