As of September 1, 2021, all online businesses that are likely to be accessed by children under 18 must comply with the UK's new Age Appropriate Design Code (aka, the Code or the Children's Code).
While based around existing data protection principles (e.g. the GDPR), the Code has potential to introduce significant new technical, commercial and legal challenges for developers and publishers. This overview provides a quick guide to some of the Code's key features and first steps businesses can begin taking towards compliance.
What is the Code?
The Code is a new piece of guidance from the UK's data protection authority, the Information Commissioner's Office. The Code doesn't contain 'new law' so to speak, but instead sets out the standards against which the ICO would measure compliance with existing laws (e.g. GDPR). Think of the Code like GDPR 2.0 but with a focus on making online services safer for children.
Who does the Code apply to?
The Code applies to "providers of information society services" (e.g. online games, apps, distribution platforms, YouTube channels etc.) which are "likely to be accessed by children." Importantly, children in this context means anyone under 18.
The ICO's view is that a service is "likely to be accessed by children" if it is more probable than not that children may access the service, considering factors such as the nature and content of the service, whether it has a particular appeal to children, and any measures in place to prevent children from playing it. So it's not just child-focused games that are caught, and even adult-rated games would be caught if they are frequently played by children.
The ICO is intentionally casting a wide net here, so as a rule of thumb, businesses should assume they are caught by the Code unless there is compelling evidence to the contrary.
Does the Code apply to businesses outside of the UK?
Yes, the Code applies to any games offered to players in the UK, regardless of where the developer or publisher is based.
When do businesses have to comply with the Code by?
The ICO will begin enforcing the Code from September 1, 2021 onwards. While the ICO has indicated informally that it will take a pragmatic approach to enforcement, there are early indications the games industry will be a particular focus area for the ICO, alongside social media platforms.
What are the penalties for breaching the Code?
The ICO can fine businesses up to 4% of global group turnover or £17.5m. The ICO can also stop businesses processing children's data.
Is this the same as COPPA?
No. There's definitely some overlap between the Code and COPPA but they are not the same. Designing games to operate in compliance with all the different applicable sets of rules is one of the biggest challenges businesses will face.
What do businesses caught by the Code have to do?
Ultimately, businesses need to make sure that their games are appropriate for the age groups that will play them. So, for example, if your game is predominantly played by players aged 16 or over, you don't need to make everything safe or appropriate for 10 year olds.
Be more specific though - what do businesses actually have to do?
Step 1 is to review each game to determine if it contains any risks to children. The Code highlights a number of features that are likely to create risks to children, including in-game advertising, adult content, chat functionality, UGC and commercial and engagement practices. Chat functionality is likely to be considered particularly high-risk given the risky user-user behaviours it can facilitate (bullying, harassment, sharing inappropriate content, grooming etc).
Step 2 is to assess whether you can remove or appropriately limit these risks. For example, can you remove the adult content, turn off behavioural advertising for younger users, add automated chat-filters and player reporting functionality, moderate UGC submissions etc.?
If you cannot remove or limit risks to be age appropriate, Step 3 is to either restrict children from accessing your game at all (which may not be commercially viable), or limit children's access to an age-appropriate environment (e.g. a version of the game with risk components removed).
Alternatively, businesses could opt for a "one-size-fits-all" approach and treat all of their users as children, but this could lead to over-restriction.
Some of these don't strictly sound data protection related - is that right?
That's right. While the Code is founded around data protection principles, its overall goal is to protect the best interests of children, and sometimes those interests are not strictly data protection related. It remains to be seen how the Code will work alongside the UK's Online Safety Bill which will be regulated and enforced by Ofcom, once that comes into force (likely in a few years).
If I want to block users under a certain age, can I just use a self-declaration age gate?
Maybe; it depends on the risks presented by your game. The greater the risk children face if they play your game, the more robust the age verification method should be. The ICO has indicated various methods may be appropriate in different circumstances, including self-declaration, AI and the use of third party age verification services. The ICO has indicated it will issue further guidance on this point in due course.
Is there anything else?
Yes! Remember, in addition to the points above, businesses still need to comply with more general existing data protection requirements such as minimising data collection, understanding what data is being collected and how it is being used, having clear and age-appropriate privacy documentation and setting privacy settings to high by default. Businesses should also complete a Data Protection Impact Assessment for each of their games, which is basically a fancy name for keeping a written record of the steps taken to identify and mitigate the risks presented by a particular game.
Are there any other resources?
Yes, the ICO has created a dedicated Children's Code 'hub' which contains a bunch of helpful additional resources. The ICO has also announced that it plans to create games industry specific guidance on issues such as age verification and DPIA completion in due course.
Of course, if there's anything you'd like to discuss before then, feel free to reach out.
Peter Lewin and Patrick O'Connell are both senior associates at UK-based law firm Wiggin LLP