Welcome to part two of a five-part series, where we're diving into the anticipated impact the California Age-Appropriate Design Code Act (AADC) will have across industries. In part one, we looked at five things that advertisers need to be aware of.
Here, we will be examining how the California AADC may impact the video game industry, for game developers and publishers alike.
California AADC Updates.
The California AADC is modeled after the UK Age-Appropriate Design Code, commonly referred to as the "Children's Code." Although no enforcement of the Children's Code has come from the UK Information Commissioner's Office (ICO) yet, the ICO recently released guidance meant specifically for video game designers. This guidance may shed some light on how California regulators may enforce the California version of the AADC.
In December, 2022, NetChoice (a group of technology companies) sued in California federal court to block the AADC. Professor Eric Goldman of Santa Clara University School of Law filed an amicus brief, arguing the California AADC is unconstitutional. The U.S. Chamber of Commerce argued in its own amicus brief that the California AADC is preempted by federal law, the Children's Online Privacy Protection Act (COPPA). We are watching this case closely.
Unlike other industries, the video game industry is all but assured to be within the scope of AADC enforcement. Gaming is popular with both children and adults, with many games designed to appeal across all ages. As such, many people of a variety of ages often end up in the same online spaces. While there are many issues that will face game companies under the California AADC, this article focuses primarily on age assurance requirements.
1. Game companies will need to pay close attention to the definition of "online products, services, and features."
The California AADC will apply to certain companies that offer "online products, services, and features" that are likely to be accessed by children under the age of 18. Under the AADC, "online products, services, and features" explicitly excludes the delivery or use of physical products and certain internet and telecommunication providers.
Notably, however, the AADC does not currently define what is within this very broad scope. The definition is interestingly opaque. While massively multiplayer online games seem to clearly fall within this scope, games that are incidentally online may not.
For example, if a single-player RPG game connects to the internet for the sole purpose of providing updates to the game, does it become an "online product?" What if this single-player game is hosted on an online platform, like Steam? What if the game can be downloaded online and accessed offline?
Game companies will need to both keep an eye out for clarification in upcoming regulations and prepare for the possibility that enforcement may extend to these single-player games.
2. Game companies will need to either verify player ages or make their games child-friendly.
Game companies with "online products, services, and features" covered by the AADC will need to estimate players' ages "within a reasonable level of certainty." Although the AADC applies to online products that are "likely to be accessed by a child," this threshold likely covers most, if not all, video games.
As Professor Goldman points out in his amicus brief in the NetChoice case, the California AADC does not require age verification, but rather "age assurances" by covered entities - though this distinction ultimately has little meaning.
This means game companies would need to either: (1) verify all player ages to some degree of reasonable certainty (more on this process below) or (2) redesign aspects of their games to be child-friendly for all players.
The law also arguably requires that game companies complete certain age-estimations, regardless of game design and suitability for children. Again, the threshold question here is whether an online game is "likely to be accessed" by a child under the age of 18. The UK Children's Code includes guidance on appropriate measures for establishing or estimating the age of users while maintaining compliance with data protection obligations. Notably, the California AADC does not include similar guidance, and it is not clear if such regulatory guidance will be forthcoming.
3. Game companies will need to allocate responsibility for compliance.
Another complicated issue for game companies will be determining which party bears the brunt of responsibility for compliance. While all covered entities will need to comply with the AADC, the power to comply may not be shared equally. Realistically, a game developer does not necessarily have the same technical controls over player access that game publishers or game platforms may have.
This raises the very simple question: who will be in charge of estimating ages?
Each party at the various levels of the gaming ecosystems will likely need to confirm players' ages and will also need to determine who bears responsibility for what. For example, game developers may need to build in certain functionalities which allow for age-verification, and game publishers would then implement these systems, or otherwise employ third-party vendors to do so. Alternatively, platforms could be responsible for maintaining age verification processes that can be used across publishers and trickle down individually through each game.
4. Game companies will need to invest in age-assurance mechanisms.
Game companies that choose to limit certain player access to their games based upon age will need to not only think about which party is responsible, but also how they can begin estimating players' ages.
As Professor Goldman suggests, age-assurance processes likely extend well beyond self-reporting where players provide their own ages (commonly referred to as "age-gating"). This means that game companies will need to either collect documentation from players to verify their ages, or use automated means such as facial scans.
The ICO noted in its recent guidance for the UK Children's Code that game designers should implement measures to discourage or prevent players from falsifying their ages. Whether California follows the lead of the ICO is uncertain.
5.Game companies will need to rethink age ratings.
Ratings authorities, such as the ESRB and PEGI, focus on the content of the game. On the other hand, the AADC is concerned with onlinecontent that may – or may not – have been created by the game designers. As the AADC is written, this would likely extend to online and player-to-player interactions.
Compliance with the AADC requires far more than what is required by the ratings authorities. However, it should be noted that ESRB is offering age verification services in connection with the UK Children's Code and GDPR compliance. Although a game may be rated for 'everyone' by a rating authority, that doesn't mean that its online content or other player-to-player interactions are suitable for children.
Games rated for teens face similar problems. Under the AADC, a teen-rated game undoubtedly is "likely to be accessed by a child" – the very rating implies as much. However, AADC compliance is likely not as simple as bifurcating a game into one version for minors and one version for adults. Harmful content can still be generated by otherchildren; take, for example, a game where thirteen-year-olds can interact with seventeen-year-olds.
Conclusion.
Time will tell whether the NetChoice suit or other challenges to the California AADC will succeed.
Nevertheless, businesses covered by the AADC should think about compliance now. Regardless of what happens to the California AADC, children's privacy has obviously become an important current focus for regulators.
This alert provides general coverage of its subject area. We provide it with the understanding that Frankfurt Kurnit Klein & Selz is not engaged herein in rendering legal advice, and shall not be liable for any damages resulting from any error, inaccuracy, or omission. Our attorneys practice law only in jurisdictions in which they are properly authorized to do so. We do not seek to represent clients in other jurisdictions.
