The Information Commissioner's Office (the "ICO") in the UK has released guidance for video game companies setting out the steps companies can take to comply with the Age Appropriate Design Code (the "Code"). The guidance is also useful for the processing of children's data more generally.
The Code is a data protection code of practice for online services likely to be accessed by children. See our article comparing the Code and the Data Protection Commission's Fundamentals for a Child-Oriented Approach to Data Processing (the "Fundamentals") here and our article on the Fundamentals here.
The video games guidance was developed following an ICO audit of the sector and includes the below key points.
1. Risk assessments: Companies should have a defined process to help identify and minimise data protection risks. The ICO recommends that companies consult with external stakeholders, including children, to assess and document new and legacy games' appeal to children. This will help determine the most appropriate age assurance measures to put in place. Companies should also regularly review those risk assessments after a game goes live. If unexpected age groups are playing the game, companies should make necessary adjustments.
2. Age assurance: The ICO states that the age range of players and the different needs of children at different ages and stages of development "should be at the heart of how [companies] design games and apply the Code."
Companies should assess and document how they will identify if players are under 18, investigate and implement age assurance solutions, and implement measures to discourage or prevent players from giving false age declarations. One example is a cooldown mechanism that prevents players from returning to a previous page to provide a different date of birth within a fixed time period.
3. Be transparent: Companies should conduct user research to trial child-friendly privacy information with different age groups. They should display transparency information based on ability, rather than age (e.g. at beginner, intermediate and expert levels) and design different ways to communicate privacy information which may be more appropriate for children. This could include age-appropriate videos and graphics in 'bite-sized' chunks, using storylines or deploying in-game pop-ups or messages.
4. Prevent the detrimental use of children's data: The ICO emphasises that it is important to only process children's personal data in ways that are not detrimental to their health or wellbeing.
Companies should ensure that all optional uses of personal data are off by default and only activated after valid consent is obtained from the player or their parent or guardian if the player is under the age of 13 (the age of digital consent in the UK is 13, while in Ireland it is 16). Companies should also introduce checkpoints or natural breaks into the game design, and include age-appropriate prompts to encourage players to take breaks. They should also implement measures to control or monitor product placement, advertising or sponsorship arrangements within community servers, in cases where children can access community servers from within the game.
5. High privacy settings and parental controls: The ICO notes "[d]esigning your games to promote meaningful parent or guardian-child interactions, while setting a high level of privacy by default and providing a range of appropriate parental controls is key."
The ICO states that companies could provide parents or guardians with real-time alerts about their child's activity, where it is in the child's best interest (e.g. a notification if the child tries to change a privacy setting or is exposed to inappropriate content). The ICO notes that if parents or guardians opt in to receive real-time alerts, children should be given age-appropriate information about this.
The ICO states that companies could also give players age-appropriate explanations and prompts at the point they try to change their privacy settings. Companies could also assess whether it is possible to introduce settings that allow children to control what personal data is visible to other players and introduce measures regarding child players' interaction with others, such as changing the default 'receiving friend requests' setting to 'no-one'.
6. Profiling responsibly: Companies should offer control to children over whether and how companies use their personal data. The ICO notes that companies should check any third-party advertising provider is displaying age-appropriate content to children in-game and that default profiling for marketing is turned off for children. Another option is to consider restricting marketing to contextual advertising that doesn't process children's data.
7. Positive nudge techniques: Companies should assess and document the risks of introducing time-limited or one-time-only offers on items targeted at children, and implement positive nudge techniques to promote the best interests of children, such as encouraging children towards high privacy options and sensible purchasing of in-game items.
This article contains a general summary of developments and is not a complete or definitive statement of the law. Specific legal advice should be obtained where appropriate.