The Information Commissioner's Office (the ICO, UK regulator for data protection laws) has published important guidance for games designers and developers to help them comply with the ICO's own Age Appropriate Design Code (often referred to as the "Children's Code").
The Children's Code came into effect in September 2021 and introduced a set of standards online services should follow when using children's data. The newly published guidance, described as "top tips for games designers", builds on the standards introduced by the Children's Code and has been developed following a number of audits of games design companies.
Games designers are encouraged to build children's rights into the whole process of design and development of games.
Pre- and early development stage
Early on, designers should conduct risk assessments which might involve:
- consulting with stakeholders, including children;
- conducting a Children's Rights Impact Assessment;
- assessing whether the game will appeal to children and considering whether you need to tailor any in-game content for children. Just because the game isn’t aimed at children doesn’t mean they won’t want to play it; and
- ensuring you risk assess any randomised rewards, such as loot boxes, against the Children’s Code and the UK Government’s response to their consultation on loot boxes and gambling.
Access and age verification
Designers are still faced with the tricky issue of ensuring access to a game is only possible for those for whom it is appropriate. The ICO doesn't have clear-cut guidance on how to achieve this, but recommends:
- assessing and documenting how you will identify if players are under 18 and work out their actual ages with an appropriate level of certainty;
- investigating potential age assurance solutions; and
- implementing measures to discourage or prevent players from giving false declarations of age.
Transparency and openness
Transparency about how children's data might be used is key in design. Children should be told, in a way that they can understand, what will happen with their information if they play a game. Suggestions here include:
- running user research to trial child friendly privacy information with different age groups;
- displaying transparency information based on ability rather than age. For example, transparency information at beginner, intermediate, and expert levels; and
- using age-appropriate videos and graphics in 'bite-sized' chunks, using mission-style storylines or deploying in-game pop-ups or messages.
Avoiding harmful outcomes
A crucial aspect of design is building in measures to ensure children's data is not used in a way that could be detrimental to their health or wellbeing. This can be achieved by:
- ensuring that all optional uses of personal data (such as tailored product recommendations or offers designed to promote or market other services) are off by default and only activated after valid consent is obtained from the player (or for children under 13-years-old, their parent or guardian);
- introducing checkpoints, automatic periodic saving of progress, or natural breaks in play between game matches into game design so that children don't feel pressurised to continue playing or become fearful of missing out; and
- implementing measures to control or monitor product placement, advertising, or sponsorship arrangements within community servers, where children can access those servers from within the game.
Games should be designed so that the default mode is the one that best protects privacy, but also where possible enables meaningful parent-child interactions. Suggestions are:
- ensuring that settings are by default set at the highest level of privacy;
- providing parents with ‘real time alerts’ about their child’s activity, where it is in the child’s best interests (for instance notifications if their child tries to change a privacy setting, access ‘riskier’ in-game features or is exposed to inappropriate content);
- giving players age-appropriate explanations and prompts at the point they try to change any privacy settings;
- allowing players to hide their account name, so that other players cannot search for them; and
- having variable controls that restrict, and let players choose to restrict, who can communicate with them during gameplay.
Profiling of child players
Although data protection law does not specifically forbid the profiling of children, for instance for the purposes of marketing, it does stress that they need specific protections in this area. With this in mind, the ICO recommends:
- considering restricting marketing to contextual advertising that doesn't process children's data;
- where it is to be used, making sure profiling for marketing purposes is off by default for children;
- providing age-appropriate information in-game at the point that profiling takes place. You should encourage children to seek a trusted adult and to only activate profiling if they understand how profiling uses their personal data; and
- checking that any third-party advertising provider is displaying age-appropriate content to children in-game.
Implementing "positive nudge techniques"
Examples suggested are:
- encouraging children towards high privacy options, sensible purchasing of in-game items, use of parental controls, and pro-wellbeing behaviours such as taking breaks;
- reviewing how you communicate social media competitions and partnerships to children;
- monitoring player behaviour and click-throughs to identify any unintentional nudge points; and
- using neutral purchase button design and support workflows to allow a decision not to proceed with a purchase.
Audit and assessment
The ICO invites designers to volunteer for an audit, from which, says the ICO, they can benefit from the knowledge and experience of the audit team, at no expense, and get an independent assessment of their conformance with the Code.
Although this is, in the right circumstances, a potentially very beneficial opportunity for designers and developers, it should be borne in mind that any engagement with a regulator that involves discussion of legal issues can result in complex situations. We would recommend that advice be taken before pursuing such an opportunity.
The ICO has also published a sample Data Protection Impact Assessment, developed in partnership with a games company, and offers a Children's Code self-assessment tool.
Although not mentioned specifically in the new guidance, underlying it all is the fact that the ICO has strong enforcement measures available. These include fines to a maximum of £17.5 million or 4% of global annual turnover (whichever is higher) and the power to issue notices requiring activities to cease.
Games designers – and indeed, all within the industry – should be aware that failure to follow the guidance, especially if that failure leads to serious infringements of the law, could have significant and detrimental effects on their business.