Skip to main content

New loot box transparency guidance in the UK – is it game-changing?

Fieldfisher goes through the new guidance's requirements, and what it means for game businesses in practice

On 18 July 2023, the UK Department for Culture, Media and Sport (DCMS) announced the latest set of guidance on the use of loot boxes in video games, coordinated by trade body UKIE and comes as the result of the Technical Work Group that DCMS convened at the end of last year.

The guidance makes some fairly uncontroversial recommendations around improving transparency standards and information sharing which we expect will not create substantial new compliance challenges for most businesses. However, it also establishes a number of new and more ambitious requirements, particularly on the topic of age-gating and age assurance, which could have more dramatic implications for issues of children's privacy and online safety.

What does the new guidance require?


Many of the UKIE's 11 industry principles that form the centre of the guidance focus on improving transparency standards surrounding loot boxes in video games. In particular, these include (among others):

  1. Principle 4 – requires that platforms, publishers and developers disclose the presence of paid loot boxes prior to purchase and download of a game so that the gamer can make an informed decision.
  2. Principle 5 – requires that businesses give clear probability disclosures.
  3. Principle 6 – requires that paid loot boxes be designed and presented in a manner that is easily understandable to players, and which promotes fair and responsible play.

In a similar vein, Principles 2 and 10 focus on providing parents and players with "information about how to play responsibly," "manage their spending effectively," and "driving awareness" of what tools and technological controls are available to manage this.

This is an approach that we have already seen adopted in other jurisdictions. China, for instance, has required such disclosures since 2017, with Taiwan following suit last year, and a similar law will be coming into effect in South Korea from early 2024.

John Brunning is a partner in Fieldfisher's technology and data team

However, in all these instances, the practical impact of the provisions seems to have been limited by the lack of requirements around the methodology for complying with this mandate, i.e. without specific prominence or placement requirements for the disclosures, it is simple enough to just tuck this information away somewhere among various other information such that it is unlikely to have any significant impact on a regular player (for more details you can refer to Leon Y. Xiao's Loot Box Regulation State of Play 2023).

The new UK guidance provides more practical suggestions in this respect. For example, the guidance suggests that "chances of acquiring an item or category of items is displayed in an easily accessible, meaningful and understandable manner appropriate to the players and audience for which it is intended."

The objective here is clearly to provide companies with a degree of independence to consider what level of transparency they will adopt. However, the guidance is clear that companies should not expect to be able to bury the information behind endless links and technical jargon.

Nevertheless, companies that had been hoping for a more standardised approach must for now continue to rely on the guidelines set out by individual platforms (e.g. Apple, Google, Microsoft). For those who are already complying with these regimes, we expect there will not be much substantive change to be made. For those who were taking a risk-based approach, we expect the scrutiny may increase from the platforms themselves. Although there are no new enforcement measures to speak of, we are seeing a tightening up of standards across the industry.


Beyond transparency to users, the guidelines also commit the industry to providing improved information around loot boxes to researchers and to the government. In that respect, Principle 7 promotes support for the implementation of the new Video Games Research Framework that was published at the end of May; and Principle 10 promises to promote collaboration with the government in reviewing the impact of these new principles and their effectiveness on an annual basis.

Lorna Cropper is a data protection lawyer in Fieldfisher's technology and data team

Other European jurisdictions (including the Netherlands and at the EU level itself) have been considering more aggressive regulatory approaches to loot boxes.

Most recently for example, on 29 June, the Dutch central government put out an update with their new consumer protection agenda (only available in Dutch). This stated that "[a]s far as the government is concerned, there will in any case be a ban on 'loot boxes'" and the Dutch minister of Economic Affairs and Climate clarified in her letter to the Dutch parliament that she will push for amendments of EU law in order for loot boxes to qualify as unfair commercial practices under all circumstances.

We have previously speculated that the UK might be taking something of a "wait and see" approach – offering the industry an opportunity to demonstrate that self-regulation is effective, but retaining the threat of a wider ban as an incentive for compliance. A gathering consensus around a European ban would certainly increase pressure on the UK to follow suit, if compliance was as patchy as we have seen elsewhere.

New requirements

Most interestingly, the guidance also proposes some more dramatic substantive changes. In particular:

  • Principles 1 and 3 focus on the issue of age assurance, requiring: the development of new technological controls to effectively restrict anyone under the age of 18 from acquiring a paid loot box without the consent or knowledge of a parent, caregiver or guardian, and the formation of a new expert panel on this topic for the industry.
  • Principle 9 urges video game companies to adopt lenient refund policies on directly purchased paid loot boxes or purchased in-game currency (particularly where this "demonstrably occurred without parental consent or knowledge").
  • Principle 8 focuses on unauthorised external sale of items acquired from paid loot boxes for real money.

The first of these is particularly interesting, given the recent focus on age assurance technologies, e.g. as part of the regime being proposed under the UK's Online Safety Bill, and the FTC's announcement that it is consulting with respect to facial recognition ID in collaboration with the ESRB, Yoti and SuperAwesome.

Paul Lanois is a European technology and privacy professional at Fieldfisher

The second follows a trend that we have seen growing in the USA particularly (e.g. see the FTC's decisions against Epic Games and Microsoft) pushing businesses to remove barriers for players reversing their purchase decisions and claiming refunds for in-game goods (particularly where it was not clear these were made with parental consent).

Although one might wish for more details on what a "fair and prompt" refund policy would look like, we are already seeing examples of this in practice and there is certainly scope for drawing on the American experience in this respect.

Finally, Principle 8 sits somewhat apart from the others in that it identifies an issue, but is much less clear on how to resolve it. Clearly, "continued investment in IP protection" is the Technical Working Group's preferred solution to the issue of unauthorised digital reselling of in-game goods, but unlike most of the other principles, we are provided with scant detail on what this would look like in practice.

Given the footprint and the pedigree of the members involved, all we can say is that we can expect a crackdown is coming eventually, even if we're unsure precisely what this will look like or when it would happen.

What does this mean for business in practice?

Without a clear enforcement mechanism for the principles, there is a degree of uncertainty as to the scale and speed of change we can expect to current market practice. Certainly, the announcements portend a stricter approach in the industry towards transparency and information sharing, but we expect for most businesses this will be a change only of degree rather than of substance.

The mandate to pursue greater IP enforcement similarly might focus minds, but we suspect will not have businesses doing much that they weren't already doing. Nevertheless, we would suggest that businesses will want to keep brand reputation at the forefront of their mind when considering this new guidance.

If nothing else, we can expect that increased public scrutiny will undoubtedly follow this news, and companies which find themselves at the back of the pack risk becoming mired in protracted proceedings in the court of public opinion (and ultimately pushing players to more compliant competitors).

In either case, the new approach to age-gating also purports to be something quite game-changing.

John Brunning is a partner in Fieldfisher's technology and data team, with experience across a broad range of commercial, technology and telecoms focused projects. Lorna Cropper is a data protection lawyer in Fieldfisher's technology and data team and she assists a variety of national and global clients. Paul Lanois is a European technology and privacy professional at Fieldfisher and an attorney admitted to the bar in California, New York, the District of Columbia and the Supreme Court of the United States.

With thanks to James Russell, legal advisor in Fieldfisher's Silicon Valley office, and Laurent van der Bruggen, an associate in the Amsterdam office, for their assistance in the preparation of this article.

Sign up for the GI Daily here to get the biggest news straight to your inbox

Related topics