GDPR just says you cannot keep personal data for longer than is required for the purpose it was collected for (with some exceptions where it can be kept longer).
If you have paid for digital goods with an account, the data is clearly required! Deleting an inactive account after say a year is a choice made by the company, not directly imposed by GDPR.
The problem is that distinction isn’t made clear in the actual law - which is again - why meta is far from alone here even in the gaming space itself. It’s on the EU to clarify compliance here otherwise we will continue to have stories pop up like this.
The law is deliberately silent on exactly how long "necessary" is, as it cannot possibly define that for all uses of personal data in all circumstances.
It's trying to establish principles of good personal data governance, rather than being prescriptive about all uses of data.
This does make it hard for legal teams to determine compliance I guess. But don't expect the EU to be more definite any time soon!
If you have paid for digital goods with an account, the data is clearly required! Deleting an inactive account after say a year is a choice made by the company, not directly imposed by GDPR.