ICO publishes guidance for games designers on complying with Children's code

04 April 2023

The Information Commissioner’s Office (ICO) has recently published guidance for game designers providing tips on how to best comply with its “Children’s Code”, which applies to those who process the data of persons aged 18 and under. The Children’s Commissioner for England estimated that 93% of children and young people in the UK play video games of some description, and the ICO estimates that 1 in 5 children in the UK access the internet “on a regular basis”.

The guidance is aimed at games designers, to allow them to comply effectively and correctly with the 7 key principles contained within the UK GDPR and the Data Protection Act 2018, which provide the foundation upon which all data protection law is based.

Children’s Code

The Children’s Code came into force on 2 September 2020 and, following a 12-month transition period, became effective and required organisations to comply by 2 September 2021. The guidance is aimed at those who are Information Society Services and provide online products or services (e.g. apps; programs; games; community environments; and connected toys with or without a screen) and are likely to process personal data and be accessed by children. The code identified 15 standards that require to be followed:

  1. The best interests of the child are safeguarded at all times;
  2. Data Protection Impact Assessments must be undertaken in relation to the processing of children’s data;
  3. Age appropriateness must be assessed encompassing the needs of children at different ages and stages of development;
  4. Data of children must be processed transparently;
  5. Data must not be used in a way that could be, or is shown to be, detrimental to their wellbeing;
  6. Providers must follow their own published terms, policies and community standards relating to children;
  7. Default settings for children must be “high privacy”;
  8. The data collected must be the minimum amount needed to provide services to children that are known to actively engage with a product or service;
  9. Data should not be disclosed or shared, the welfare of the child being paramount;
  10. Geolocation should be turned off by default and there should be obvious signs when geolocating is active. There is also an obligation to reset geolocation to off at the beginning of every new session;
  11. If parental controls are available, children should be given appropriate information about them (tailored to the age of the child) and given signs if/when parents can monitor their activity;
  12. Default settings for “profiling” (automated processing of personal data to evaluate certain aspects of an individual) are off and only allowed where there are appropriate safeguards for the child;
  13. “Nudge Techniques” (e.g. making a “yes” option more visible than a “no” option) should not be used to encourage children to provide personal data or turn off privacy protections;
  14. Connected toys and devices (e.g. fitness bands; home hub smart speakers; or interactive toys) should be designed in such a way to comply with the code; and
  15. Prominent and easy to access/understand online tools should be provided to assist children in understanding their data protection rights and reporting concerns.

The code reflects an increasing concern about the position of children in the digital world and access to their personal data. It addresses the increasing use of the digital world by children and “instead of protecting children from the digital seeks to protect them in the digital world”.

The full text of the code can be read here and a summary can be found here.

ICO Recommendation

After an audit of the games design sector, the ICO has produced the following recommendations for games companies to follow:

  1. “Sussing out the danger – running risk assessments”
     • Consult with external stakeholders (including appropriate children) as part of risk assessments. This could include user testing and consultation to gather the views of children and their parents;
     • Assess the impact of the game’s appeal to children and how that will affect game design and data privacy safeguards;
     • Regularly review risks once the game is live and address any unexpected problems as soon as possible;
     • Ensure that the risk of randomised rewards (i.e. loot boxes) are compliant with the UK Government response to loot boxes and gambling.
  2. “Open World Gameplay – being transparent”
     • User research should be undertaken to trial user-friendly information with different age groups;
     • Different, age-appropriate methods should be implemented to communicate privacy information in a clear and understandable way for all children.
  3. “Buff your age assurance – know your player’s ages”
     • Assessments should be undertaken on how best to identify players aged under 18 and work out actual ages with a degree of certainty (the ICO understands that certain players may falsify their age and providers must have appropriate investigation mechanisms where that is suspected);
     • Investigate potential age assurance solutions that allow for greater accuracy in determining the age of a player;
     • Implement measures to prevent or discourage children from falsifying their age (for example access only to a data-free core section of a game until age assurance or parental consent measures have been followed);
     • Ensure that privacy information is tailored to children of certain ages and ensure that it is in a format easy for them to understand.
  4. “Preventing a critical hit – preventing the detrimental use of children’s data”
     • Ensure that all optional uses of personal data are turned off until valid consent is obtained (and for those aged under 13 the consent of a parent or guardian); this should include direct marketing purposes;
     • Introduce age-appropriate checkpoints or prompts to encourage children to take regular breaks and allow children to disengage without feeling pressured or left out;
     • Introduce safeguards to monitor product placement, advertising or sponsorship agreements within community servers where those servers can be accessed by children.
  5. “Stealth mode – setting high privacy settings and parental controls”
     • Provide parents with real-time alerts about their child’s activity, for example, where privacy settings are changed or “riskier” elements of games are being accessed (e.g. inappropriate content). Children should, however, be given understandable alerts that parents have “opted in” to real-time alerts;
     • Ensure children are given age-appropriate explanations and warnings about specific privacy settings along with the risks and impact of turning them off or lowering them;
     • Assess if it is possible to introduce variable privacy settings (like the opportunity to hide usernames when with other players so their account cannot be found);
     • Have voice chat functions off by default for children; allow a “do not disturb” function in games which can be session-specific or permanent; change default “friend request” settings to no-one; and consider options for age assurance in chat functions to identify adults posing as children.
  6. “Scouting – profiling responsibly”
     • Check third-party advertisers in games and ensure that they are providing children with age-appropriate content;
     • Provide age-appropriate information in-game at the point where profiling is taking place with an encouragement to seek adult input and ensure children understand how profiling affects their personal data;
     • Separate opt-in consent to Terms of Service and Privacy Policies from marketing when players create new accounts to reduce the risk of unintended opt-ins to the use of personal data for marketing;
     • Ensure that marketing is off by default for children and consider restricting marketing to contextual advertising that doesn’t process children’s data.
  7. “Pushing FOMO – implementing positive nudge techniques”
     • Assess and document risks of introducing time-limited or one-time-only offers on items targeted at children;
     • Implement “positive nudges” to promote the best interests of children (for example nudges towards high privacy options, sensible purchases of in-game items, use of parental controls and/or taking regular breaks);
     • Review how social media communications and partnerships are advertised to children and be mindful of encouraging children to create social media accounts for fear of missing out when running activities on platforms that have an age restriction;
     • Monitor behaviour through activity to identify “unintentional nudge points” where players are nudged towards reduced privacy settings where they may not have intended to do so;
     • Purchase buttons should be neutral and not designed to push purchases, instead offering balance with decisions not to purchase. Refunds should also be made within reasonable time where children make unintentional purchases.

Any developers wishing to understand their current data protection levels and work with the ICO to devise strategies on how to better safeguard the data rights of children in their games can volunteer for a free audit; details can be found here.

Analysis

Whilst promising in theory, there are concerns about how effective the guidance and code will be in influencing game designers in practice given that codes of practice and guidance by the ICO are not legally binding.

Those in the gaming industry should endeavour to comply with the ICO guidance. It remains to be seen what the consequences will be, if indeed any, for those who do not.

If you have any concerns or questions about the safety of your data online, while gaming, or you would like advice on how to best protect your users’ data, please get in touch with a member of the BTO Data Protection Team.

Jamie Stewart, Trainee Solicitor: jgs@bto.co.uk / 0131 222 2939

Lauren McFarlane, Associate: lmf@bto.co.uk / 0131 222 2939
