Back in 2017, the UK Government made a bold statement that it would make Britain the "safest place in the world to be online."
Since then, we have seen various legislative proposals emerge, such as the huge Online Safety Bill which continues to be hotly debated, and some regulations dropped, such as age verification measures for access to online pornography, part of the Digital Economy Act 2017.
One initiative that has been finalised and is now in force is the Age Appropriate Design Code. While a rather innocuous-sounding document, it is arguably anything but, and has far-reaching implications for those offering games that may be used by any under-18s. In this article we explore the key issues for games companies.
What is the Code? Can you be fined if you do not comply?
The Age Appropriate Design Code (AADC) is a statutory code of practice issued by the UK's data protection regulator, the ICO.
As a statutory code, approved by Parliament, the AADC is not mere guidance but may be taken into consideration by the ICO in enforcement action against companies in relation to general data protection laws. Therefore, the same high fines that everyone hears about for GDPR are in play here. There is also of course the risk of private action by individuals.
The ICO did a lot of proactive outreach prior to the AADC coming into force and, within just a couple of weeks of it being in force, has already started writing to some companies for details of the steps they have taken to comply.
Who does it apply to?
The Code is applicable to any information society service, including any app, website, online or mobile game that is "likely to be accessed by children."
The most important point to first bear in mind is that "children" specifically covers anyone up to the age of 18.
It will also apply even to companies outside of the UK where games within scope are offered to children in the UK.
On this point, one side issue that companies need to remember is that, following Brexit, any company providing services to individuals in the UK but which does not have an establishment in the UK will need to appoint a representative for the purposes of communications for rights and enforcement. It is not sufficient to just have an establishment in the EU.
What are the key issues for games companies specifically?
The AADC contains 15 standards, many of which can seem a little vague or repetitive. However, there are five that will have significant implications and raise practical issues for video game businesses.
- Age appropriate application
Few games will be able to say with certainty that they are not accessed by anyone under the age of 18. The first question therefore will be to decide whether to apply all the AADC's protections to all users, with adult users then potentially being frustrated by a perceived dumbing down and less functionality, or to separate out users and apply them just to children.
This will be no mean feat since separation may require significant product development work, essentially creating two or more versions of each game, including consideration of options for age-gating and potentially also the implementation of 'profiles' within games that may be used by multiple users, including adults as well as children.
- Data minimisation and default settings
Any use of personal data that goes beyond that required to provide the service should be either stopped or turned off by default. Again, that's a pretty massive requirement. Examples would include personalisation within game play, recommendations and targeted advertising, many of which may have functional as well as commercial ramifications.
- Detrimental use of data
Although the AADC is not about content itself and instead about the use of personal data, a fundamental part of the code is that any processing of personal data must be in the best interest of the child and should not be used to their detriment. Therefore, the issues become intertwined since, for example, to access a game which may only be suitable for an older audience, an account may be needed which uses personal data or cookies may be dropped.
Further, much functionality beyond simple game play will involve personal data processing and therefore care is needed to consider how this may impact children. Particular areas for careful consideration in games would include chat functions, which could give rise in a worst-case scenario to bullying or grooming; data sharing, whether cross-device or cross-platform, for example integration with social media; and payment integration where options or prompts for purchases are based on data.
Another specific focus area for games is on wellbeing and continuous gameplay. Providers will be expected to show that they have considered the risk of harm to children and design in protections. Where there are community terms and standards in place, it is necessary to show that these are not just there but enforced in practice.
- Child friendly transparency and settings
We have also seen a rise in the creation of FAQs and other information to assist parents in understanding functionality and data processing within the game. It is also important to consider not just the policy but how information is presented throughout the game experience, for example in any prompts or choices that individuals are presented with that may involve data processing.
There has been a focus in privacy regulation recently on the danger of 'nudges' and dark patterns which may seek to encourage users to agree to more data collection than is necessary or which may be detrimental to them. Reviewing settings and options to make sure that wording is clear and neutral is key here.
As with GDPR more broadly, it is really important that companies understand that it is not enough to just comply in principle and look to justify a position if a complaint arises. Compliance requires accountability such as having a robust data protection impact assessment specific to AADC and carefully documenting decisions made about processing of children's data.
The ICO has already been asking some companies for this documentation as part of its proactive outreach so those who have not written decisions down would be well-placed to prioritise this now.
Even if AADC functionality changes are a work in progress, showing that there is a documented and well-considered plan for such changes and compliance will at least help demonstrate to the ICO that a company is taking its obligations seriously.
Elle Todd is partner at Reed Smith, with over 20 years of experience specialising in technology and data. She joined Reed Smith in 2019 and previously was partner and head of digital and data at CMS LLP.