The final version of the ICO's Age Appropriate Design Code was published earlier this year. It needs to be approved by Parliament, and there will then be a 12 month period before it comes into force. The ICO expects the Code to be in force by autumn 2021.
Although this may sound like a long time away, to comply with the Code existing services will need to be reviewed and where necessary updated, and changes to design processes for new services will likely be required. It is therefore important to start thinking now about how the Code may apply.
In recognition of the practical impact the Code will have, the ICO recently consulted on measures to support organisations, as it intends to provide guidance and tools to help organisations comply.
The Code is part of the current wider backdrop in the UK of other developments that also impact video games, such as the House of Commons Digital, Culture, Media and Sport Committee inquiry into Immersive and Addictive Technologies, and Government's White Paper on Online Harms and proposed legislation in that area. These all show a concern from policy makers for children online, and their view that changes are needed to protect children.
Can the Code apply to video games?
Yes. The Code applies to most online services, including video games. This is because the Code applies to “information society services”, which are services normally provided for remuneration, at a distance, electronically, and at the request of the recipient of the service.
The Code can apply to video games whether these are mobile games, downloaded on consoles/devices, available on streaming services, are paid for or are free-to-play, to the extent personal data of children is processed. The concept of personal data is wide and can include player behaviour, items interacted with, purchases made, and usernames, as well as any other information that could directly or indirectly identify the player.
It will apply to games that are “likely” -- which for the purposes of the Code means more probable than not -- to be accessed by a child, which here means anyone under the age of 18. Therefore, the Code is likely to apply to most games, even if these are not specifically targeted at children. Whether the game is “likely” to be played by children will be determined based on the nature and content of the game, whether it has a particular appeal to children, the way it is accessed, and any measures in place to prevent children from playing it.
In practice, unless there are appropriate age verification mechanisms in place to prevent players under the age of 18, and/or the game is clearly not intended or appropriate for children under the age of 18 -- due to adult content, age ratings, etc -- there is a risk the Code will apply.
What does the Code mean for video games?
First, it will be necessary to assess if the Code applies to your existing games. In some cases it will be obvious, such as games intentionally targeted at children of certain age groups. However, for other games it may not be so clear cut. If you decide the Code does not apply, you should document why you think that is the case, as you may need to justify this decision to the ICO at a later date.
For any new games that the Code applies to, the design process will need to be reviewed and updated to ensure the standards of the Code are incorporated from start to finish. For any existing games, there are aspects that will need to be reviewed, and where necessary updated, to conform to the standards of the Code. The Code includes 15 standards of age appropriate design, which games companies will need to demonstrate have been complied with for any games that the Code applies to.
Under the Code, the “best interests of the child” is the primary consideration when designing and developing games that are likely to be accessed by children. It requires considering the needs of child players, and determining how those needs can be best supported through the way the game is designed to process their personal data.
It is still possible for games companies to pursue their own commercial or other interests, although where there is a conflict the ICO's view is that it is unlikely the commercial interests of the company will outweigh the child's right to privacy.
The Code requires:
- Data protection impact assessments (DPIA) are conducted as part of the initial design process to assess the risks. The ICO expects larger organisations to conduct some form of consultation with children and parents as part of the DPIA process.
- Privacy information should be provided in a way that is appropriate to the age of the child, with child-friendly explanations alongside terms, policies and community standards, including video/audio, gamified or interactive content, and cartoons/graphics.
- Default settings of the game should be “high privacy” for children, which means use of children's personal data should be limited to what is essential to provide the service unless the default setting is changed. Children should not be “nudged” towards choosing lower privacy settings, and age-appropriate prompts should be provided at points where a child attempts to change a privacy setting.
- Only the minimum amount of personal data of children should be collected.
- If you have player policies, community standards or guidelines, these should be upheld.
- Children's personal data should not be disclosed unless there is a compelling reason that can be demonstrated for doing so, taking into account the best interests of the child. It is unlikely that selling children's personal data for commercial re-use would be a compelling reason.
- If parental controls are provided, the child must be given age-appropriate information about these.
- Profiling should be switched “off” by default, unless there is a compelling reason which can be demonstrated for profiling to be on by default, taking into account the best interests of the child.
- Online tools appropriate to the age of the child should be provided to allow children to exercise their rights under data protection laws -- e.g. access to personal data, deletion, etc.
What else should games companies be aware of?
Detrimental use of data
One of the standards particularly relevant for video games companies is the “detrimental use of data”, which states that children's personal data should not be used in a way that has been shown to be detrimental to their well-being, or goes against industry codes of practice, Government advice, or other regulatory provisions. This requires keeping up to date with other areas of guidance and recommendations, such as marketing and advertising under the Committee of Advertising Practice (CAP) code, and principles for online and app-based games from the Office of Fair Trading (OFT), among others.
This obligation extends not just to areas where there is actual Government advice or regulation, but also areas where further research is required. Therefore, areas that have formally been identified as requiring further research or evidence to establish whether they are detrimental to children, need to be taken into account in order to comply with the Code.
One of the areas highlighted in the Code is “sticky” features such as reward loops, notifications, and auto-play features which encourage users to continue playing. The precautionary advice from the UK chief medical officers regarding features that use personal data and make it difficult for children to disengage should be taken into account, even though there is no formal Government position on these mechanisms. The ICO's view in the Code is that features which use children's personal data to make it difficult for them to disengage are unlikely to comply with the fairness principles under the GDPR.
Although it's not the case that all reward or notification features are prohibited, if children's personal data is involved it will be very important to demonstrate compliance with the Code -- such as avoiding personalised in-game advantages based on personal data in return for extended play -- as well as introducing mechanisms to allow children to take a break without losing progress in their game.
The age range of the player should be established with a level of certainty appropriate to the risks to the child that arise from the data processing, so the protections and safeguards are tailored to the age of the child. If this isn't possible or the company doesn't want to do this, the options are either to apply the standards of the Code to all players regardless of their age, or put in place measures to increase the confidence in the age of the user or reduce the risk to the personal data. The Code doesn't mandate specific age verification methods, but provides examples for companies to consider. It is clear that reliance on self-declaration of age alone is unlikely to be sufficient, unless the risks to the child are low in relation to that game.
Profiling might be used to personalise advertising, develop features for the game, or extend player engagement with methods like timed notifications in response to inactivity. In relation to children, under the Code most profiling will need to be subject to a privacy setting, and should be switched “off” by default (unless there is a compelling reason for profiling to be on by default). Importantly, separate privacy settings should be provided for each different type of profiling, and catch-all purposes such as “providing a personalised service” are in the ICO's view not specific enough.
Geolocation data may be collected, for example for mobile games. Under the Code, options for collecting geolocation should be off by default, unless there is a compelling reason for geolocation to be on by default (taking into account the best interests of the child). If there are geolocation services which are additional to the core service, these should be subject to separate privacy settings. The Code also requires that an obvious sign should be provided to the child when location tracking is active, and any options that would make the child's location visible to others must be “off” by default at the end of each session.
What can be done now to start to prepare?
Once you have assessed if the Code applies to your existing and future games, some practical steps to start to think about now include:
- Review existing age verification mechanisms and introduce new ones where necessary.
- Ensure age-appropriate tools are in place for children to exercise their rights under data protection laws.
- Update data protection impact assessment templates to include elements which demonstrate how the requirements of the Code have been met, conduct/update DPIAs on existing games, and consult with children/parents where necessary.
- Review/create new privacy information and resources for child users appropriate for their age.
- Consider what changes may be necessary for existing games, and how to ensure requirements of the Code are built into the process for new games, including default privacy settings, profiling, nudge techniques, just-in-time notices, etc.
The ICO is likely to publish more detailed resources and information to help businesses comply with the Code in the future, and UKIE has previously stated it looks forward to working with the ICO to gain clarity on how some of the aspects of the Code apply in practice to games.
Therefore, although it's possible that further guidance and clarity on certain aspects of the Code may arrive in the future, if the Code applies to your game it would be prudent to start considering and preparing now to ensure you are in compliance when it comes into force.
Ben Slinn is a Senior Associate at global law firm Baker McKenzie and advises on data protection, immersive technologies and video games.