Skip to main content

The Children’s Code: What we’ve learned one year on

Wiggin's Isabel Davies and Patrick Rennie share key takeaways from the Information Commissioner's Office's engagements with games studios

The Age Appropriate Design Code (more commonly referred to as the Children’s Code) is a binding code of practice which sets out new principles for online services which are "likely to be accessed by children."

The principles build on the UK’s General Data Protection Regulation (GDPR), with a specific focus on making online services safer for children. We wrote a quick guide for the Academy last year that can bring you up to speed.

Since coming into force on 2 September 2021, the UK’s data protection authority (the Information Commissioner's Office, or ICO) has targeted companies providing streaming platforms, social media services and video games. The ICO has engaged video games companies – including platforms, publishers and developers – via voluntary audits and comprehensive questionnaires in order to understand how the industry is complying with the Children’s Code (you can find more details in the ICO's post here).

It also appears that at least part of this engagement is to understand the sector better and the various ways in which compliance can be addressed. Below, we have distilled some of our key takeaways from these ICO engagements with games studios.

1. There’s still a lot of uncertainty around age verification

The ICO’s position is that understanding the age of players is vital to being able to comply with the principles of the Children’s Code, such as implementing appropriate privacy controls. The Children’s Code also states that where player ages are unknown, games which are likely to be accessed by children should assume all players are children.

Isabel Davies, Wiggin's interactive entertainment associate

This approach poses a challenge for many games companies, which have built their services around the GDPR principle of ‘data minimisation’ (i.e. only collecting the data needed to provide the product or service). Therefore, the prospect of collecting more data from players to verify their age is not without its issues.

The Information Commissioner is due to release an opinion on age verification (due October or later) which may further illustrate the expectations on online companies depending on the risks posed by their services.

The conversation around age verification does not just impact the Children’s Code, but other initiatives such as the Online Safety Bill, digital ID framework and the industry-led protections around loot boxes, so regulators understand the need for a common approach here.

2. Having 'per product' privacy policies is preferable

Games companies often opt for one ‘master’ privacy policy which houses all their data processing activities across the business – whether it be for the company’s website, social media activities or all their games. The growing preference under the Children’s Code is to have a ‘per product’ privacy policy (e.g. one privacy policy per game), or alternatively to set out clearly when certain processing applies to only certain products.

3. Dealing with excessive screen time

The problem of excessive screen time has also been considered. Rather than insisting that games companies limit screen times for their users, companies are encouraged by the ICO to add messaging to users around taking regular breaks – particularly for younger players.

For games which do not have natural breaks (such as MMOs or survival games), this becomes even more important. Parental controls around screen time should also be considered – with best practice also being to offer users the ability to apply screen time limits themselves.

4. DPIAs should be a ‘living document’

Data Protection Impact Assessments (DPIAs) should be undertaken for each game in order to assess the risks posed by such game and to mitigate against those risks accordingly. The DPIA standard sets out the various different harms to children that it expects the risks to be measured against.

If there are changes to the game’s features or functionalities at a later date, then the DPIA should be revisited and adjusted accordingly. The ICO has also encouraged that these DPIAs should be reviewed periodically to ensure they remain up-to-date.

5. The two sides of nudge techniques

Nudge techniques have received bad press over the last few years and there’s little wiggle room for the use of negative nudge techniques under the Children’s Code (e.g. those that push users towards extending gameplay or making repeat in-game purchases), regardless of the age of the child. The ICO has suggested that gameplay and monetisation patterns should be tested and assessed to ensure negative nudge techniques have not been unwittingly deployed.

Patrick Rennie, head of data protection at Wiggin

On the other side of the coin, games companies are being encouraged to deploy positive nudge techniques – something not commonly used across the industry to-date. These are nudges that encourage users to make ‘positive’ steps, such as directing users towards support or wellbeing resources, or informing them of the impact of changing their settings away from maximum privacy.

6. Children and social media

Most social media platforms are aimed at users who are at least 13 years old. For games which have under 13s in their audience, the ICO has pointed out that there needs to be care when running giveaways or other prize promotions (which are often for in-game cosmetics) on social media platforms.

The ICO’s concern is that games companies could be unwittingly encouraging child users to set up social media accounts when they are underage. Studios should consider if they need to run their prize promotions concurrently on platforms that are suitable for different age brackets or permitting entries via methods that are suitable for all ages.

7. Accountability is key

A common stumbling block, particularly for indie studios, is the lack of internal documentation logging decisions made about data processing. Indie studios often have studio-wide policies on data minimisation or privacy-by-design, but this is often not written down.

Consider putting a document in place which solidifies your studio’s position on the Children’s Code and data protection more generally – e.g. the studio’s approach to risk, who in the studio is responsible for data protection and when a DPIA should be undertaken.

You could also consider having data protection concerns as a standing item on your weekly/monthly director meetings and keeping a note of any discussions or decisions. Having this documented will make it easier for any discussions (with a regulator or otherwise) about data protection in the future.

Isabel Davies is an interactive entertainment associate and Patrick Rennie is head of data protection at media, technology and IP law firm Wiggin LLP. They have advised several games companies on their Children’s Code engagements with the ICO.

Related topics