Privacy protection for children: new ICO guidance for game developers

The Children’s Code (officially, the ‘Age-Appropriate Design Code’) (Code) was published by the information Commissioner’s office (ICO) on 2 September 2021, and sets out standards which require online services including websites, apps, games, social media, streaming services and news services, to provide better privacy protections for children in the digital world in order to comply with UK data protection law.

The Code applies to both UK-based companies and non-UK companies who process the personal data of UK children. 

In the past 18 months, the Children’s Code has prompted changes by, for example, social media platforms and gaming websites. These changes include targeted and personalised ads being blocked for children, children’s accounts being set to private by default, adults being blocked from directly messaging children and notifications being turned off at bedtime.

On 16 February 2023, the ICO released some ‘top tips’ for game designers to help them better understand how the Children’s Code applies in the games sector and what steps games companies can take to make sure they are compliant with the Code. 

The ICO’s ‘top tips’ include the following recommendations:

• Carry out risk assessments that consult with external stakeholders and assess appeal to children; ensure you risk assess any randomised rewards, such as loot boxes.
• Identify if players are under the age of 18 and ensure measures are in place to discourage false declarations of age. For example, by preventing users from changing their date of birth for a fixed cool-down period.
• Ensure games are not detrimental to children’s health and well-being by including ‘checkpoints’ or age-appropriate prompts that encourage players to take breaks. The ICO also suggests implementing measures to control or monitor product placement, advertising and sponsorship arrangements within community servers.
• Display transparency information based on ability rather than age ie at beginner, intermediate and expert levels. Use gamified communication such as age-appropriate videos and graphics in ‘bite sized’ chunks, ‘mission-style’ storylines or deploying in-game pop-ups or messages.
• Switch off profiling for marketing purposes in the default settings for children. Encourage children to speak with a trusted adult and to activate profiling only when they understand how their personal data will be used. Make privacy settings easy for children to change.
• ‘Stealth mode’ - give parents controls such as ‘real time alerts’ when children access ‘riskier’ features.
• Enhance transparency of privacy information by carrying out age group testing.
• Avoid so-called ‘nudge techniques’ that encourage children to reduce their privacy settings – assess the risks of marketing time-limited/one-time only offers on items targeted at children and be mindful when running competitions and discourage children from creating social media accounts for fear of missing out on rewards. 

Are you compliant with the Children’s Code? Many online services collect personal data without a clear and comprehensive section on children’s data protection within their privacy policy. According to Comparitech, nearly 1 in 4 children’s Google Play Apps breach the Code. Companies should consider these ‘top tips’ and assess if any change is needed to the way they design, market and monetise their products.

On the ICO’s website, these ‘top tips’ are linked to resources and more detailed guidance. The ICO is also adopting a collaborative approach with the games sector and is openly encouraging games companies to volunteer for a free audit to obtain an independent assessment of their conformance with the Code. There is also a Self-Assessment Risk Tool which helps you assess how both the UK GDPR and the Code applies in the context of your digital service and gives you practical steps for you to apply a proportionate and risk-based approach to ensuring children’s protection and privacy.

‘The Children’s Code makes clear that children are not like adults online, and their data needs greater protections. We want children to be online, learning, playing and experiencing the world, but with the right protections in place to do so.’ (Leanne Doherty, Group Manager, ICO)