The Information Commissioner's Office for the UK has expressed concerns about the "lack of clarity" around how games companies collect personal data.
A hearing at Parliament today kicked off with the Commons committee saying that previous hearings with games companies hadn't made it "particularly clear to us just how much data they're gathering and how it's being processed and used" -- a message repeated throughout the session.
In particular, there were references to the recent session with Electronic Arts and Epic Games, where representatives of both companies were accused of evasive behaviour.
The first of today's two hearings saw Information Commissioner Elizabeth Denham and her deputy Steve Wood speaking to the committee as it continues its inquiry into immersive and addictive technologies. Asked whether the games industry was a concern for the ICO, Denham confirmed her department has been speaking to publishers and developers about the Age Appropriate Design Code the ICO is working on to better protect children online.
"Our ask is really to push, to provoke better design by the companies in the context of children"
Elizabeth Denham, Information Commissioner
"We feel that the industry, e-gaming, has some maturation to do in understanding what their obligations are in data protection law," she said. "That industry is quite concerned about our Code because it feels it will undermine or impact the business model of those games, through nudges and reward loops and the way those techniques are built into games."
Denham did note that the ICO does not currently have any active investigations into how games companies are using people's information.
Wood said that since "a significant number of games will be likely to be accessed by children online," the industry remains a key area of focus during work on the Code, adding that once it is published, a children's privacy strategy will be a long-term goal for the office.
"We've identified it an area of regulatory action priority," he said. "We will follow up and use our powers where necessary to use our code as a template to do audits, to look at practices, to see whether we're actually getting that step-change, which is really privacy-by-design and really putting the best interests of the child at the centre of the way these services are designed. That really hasn't happened extensively yet."
Denham added that the broad range of companies in the games industry -- from major publishers to smaller developers -- makes it "a good testing ground" for the ICO to help make sure the focus is on design that is transparent and fair, and where data collection is minimised.
The ICO has brought in games companies to be involved with the consultation for the Code, but Denham says these firms have expressed concern about proposals that the default for children and younger users should be high privacy settings.
Games companies are worried that limiting the amount of data collected as children play, or limiting the personalisation and profiling games do online, "would interfere with or undermine the business model, which is based on collecting more and more data and keeping eyeballs online and playing the game in order to provoke more rewards, more playing, bringing more people onto the game."
Larger publishers and developers have also raised concerns about the ways the ICO hopes to change how ages are estimated and verified through the design principles of the Code, but Denham says these criticisms "just don't hold up."
"Design in these companies is fairly mature," she said. "There's so much innovation that's been done around personalisation and profiling and using algorithms to target messaging to individuals. What we want to do is create the design imperatives in these companies to ensure children are protected online and the least amount of information is collected, and that defaults go to high privacy settings. Our ask is really to push, to provoke better design by the companies in the context of children. I think that will create much more innovation in this space, including in age estimation and verification.
"We don't know the extent of what some of these larger companies know"
Elizabeth Denham, Information Commissioner
"I would also say the larger companies already know a lot about who's online and easily estimate their age now. But because we don't have access to their homework, they haven't told us about this, and it's true of some of the gaming companies -- and [the committee has] been asking questions of them, and they're not telling you -- we don't know the extent of what some of these larger companies know."
Having followed the previous hearings, Denham admitted the ICO is "concerned" about how vague games companies have been about the data they are collecting and the way it is used, but reiterated that "the GDPR rules apply to games companies as much as they do any other company."
"[For] the sharing of information, they need consent or another legal basis, there has to be transparency, and there has to be the right to challenge," she said. "It is an area where I think there needs to be more focus around their privacy obligations and transparency. Looking at nudges and likes and [daily reward] streaks and how the whole system works is an area of focus [for us]."
The hearing touched upon the ongoing consultation around the government's Online Harms White Paper, with one member of the committee saying he had been frustrated by the lack of evidence collected about potential harm by the games companies it has spoken to. The frustration is felt on both sides, as the industry has frequently said it wants more research done into the World Health Organisation's recently classified 'Gaming Disorder.'
"I wish the gaming companies would come and speak to the ICO about this, because we're certainly not against research, we certainly understand there may be ways of intervention to help people," said Denham.
"At the same time, people's rights have to be respected in terms of targeting them or putting them in a category or determining that they might be someone who could suffer from addiction. I think there are ways to square the circle on this, but we need to be involved in real proposals that companies might have to be able to help individuals."
She later added that there is a "societal expectation" for games companies to "understand the risks they're creating for others and [find] ways that they can mitigate those risks."
Most references to specific firms were towards larger players like EA, Epic and King, but Wood said the ICO recognises the industry is a "diverse sector" with a lot of small businesses, and assured that the office will be thinking of ways to support them as work on the Code progresses.
Towards the end of the session, Denham was asked whether games companies -- or even the players they reach -- are clear on what constitutes personal data when running online experiences. The Commissioner said there is a "lack of clarity" and "needs to be more understanding of data protection responsibilities."
While she reiterated that the ICO hasn't investigated a games company at this point, she did say it has the power to do so if the need arises, pointing to a current investigation into social media app TikTok.
"We do expect to use these powers, so watch this space."