February 21, 2023
On 16 February 2023, the ICO published a series of top tips for games designers around Children’s Code compliance. This follows on from a series of voluntary audits the games industry has undertaken with the ICO – many of which we’ve advised on. In this article, we consider how these tips align with our experience of assisting games studios with the Code and outline some top tips of our own to help games designers streamline the compliance process.
It’s important for anyone reading the ICO’s top tips to remember that whilst the Children’s Code is binding, these tips are not and would be best described as a ‘summary’ and ‘best practice.’ Where the tips don’t fully align with the Children’s Code standards, the Children’s Code should prevail. The use of ‘you should’ versus ‘you could’ by the ICO highlights where different standards have potentially differing levels of flexibility.
Risk assessments (“you should”)
The first tip covers the assessment and documentation of whether a game may appeal to children and what risks the game may represent. This includes consulting with external stakeholders, including children. The Children’s Code is less prescriptive on this point, stating that the need to consult with children and parents will depend on the “size of your organisation, resources and the risks you have identified.”
The key challenge here – particularly for smaller studios – will be obtaining these external views. Many games companies do not hold player contact information so the potential to reach out to the player base to initiate any line of questioning can be heavily limited. Using external agencies that specialise in market research can be costly, and often does not provide the granularity of data on demographics, game genre or location to be meaningful. Where games studios don’t have direct access to player data, it’s worth considering other potential channels of communication to get an indication of your potential player base (for example, a questionnaire via your studio’s newsletter or polling your official social media channels).
Like many of the standards in the Children’s Code, retroactively applying it to legacy games often heightens these challenges due to player expectation.
We would advise that as a first step, you should identify the risks any game poses to children. The greater the risk, the greater the need to carry out consultation.
Age assurance (“you should”)
Although age assurance continues to be a moveable feast, this tip implies growing expectations for games studios in this space. Although self-declaration age gates have not been discounted entirely, the ICO has suggested ways in which these types of age gates can be made more robust, such as:
- Determining the actual age of the user, rather than simply asking the user to confirm (for example) if they’re 18 years old or over; and
- Implementing methods (e.g. dropping a cookie) that stop users re-entering a new age immediately if they are rejected by the age gate.
The mention of the ‘data-free core’ is likely a nod to Epic Games’ recently introduced cabined accounts, which are aimed at creating a safe and inclusive gameplay environment for younger players.
The structure of self-declaration age gates is not mentioned. During many audits, there appeared to be a growing preference towards free-text age gates which meant users had to make a specific decision to type in their date of birth rather than simply select a date of birth from a drop-down list (which – anecdotally – resulted in users picking the first age in the drop-down and therefore suggesting a huge percentage of players were often either one year old or 100 years old!).
Transparency (“you could”)
The transparency standard relates to making sure players understand how their data is processed. Here, the key hurdle some studios came across was making sure that privacy information was understandable for their audience and flagged to all users.
The mention of “mission-style storylines” as a way of communicating privacy information is possibly a reference to King’s award-winning Privacy Saga.
We should also flag that the ICO’s preference here is that companies have ‘product specific privacy notices’ in place rather than a single privacy notice which attempts to cover all games.
Detrimental use of data (“you should”)
Although the ICO makes a point of highlighting “valid consent” for under 13s for optional use of data, it’s our experience that the ICO appreciates that in some cases optional processing can be done on different bases of processing (e.g. legitimate interest). For example, many games companies will monitor players for possible cheating – whether due to glitches or the use of external software. It’s arguable that this monitoring is optional but that consent is not an applicable ground for processing as it will be carried out across all players.
However, the examples the ICO gives (marketing and content recommendations) should certainly be read in conjunction with the ‘profiling’ standard (see more below).
The tip which relates to implementing measures on community servers to monitor product placements or advertising is a unique challenge. Often these server owners are data controllers in their own right, which reduces the available level of oversight and control.
Default privacy settings (“you could”)
Across several audits, the ICO (in combination with the ‘nudge techniques’ standard) highlighted the benefits of implementing positive nudge techniques which encouraged users to keep high privacy settings on, or at least warned users of any risks around lowering said settings.
The suggestion of allowing players to hide their account name – in some circumstances – may not be possible (e.g. if it means that other players are not able to identify and report that player for cheating, or bad behaviour).
Finally, the suggestion that voice chat should be off by default for children is unsurprising given the current technological limitations around moderating voice chat (e.g. getting accurate and quick voice-to-text transcription, the inherent privacy risks and the high costs) particularly when compared to text chat.
Profiling (“you should”)
The profiling piece has become an increasingly hot topic both in and out of the Children’s Code. Here, the focus is very much on ensuring that there is express, separate consent to any marketing (which for under 13s, should be provided by a parent or guardian). Contextual advertising is becoming an increasingly popular option – with some games companies taking a more conservative approach of only serving such advertising to under 18s (or under 16s, on the basis of annexe B).
Not mentioned here are other types of profiling – most notably for in-game monetisation – which the ICO views through a similar lens.
Nudge techniques (“you should”)
The final tip comes back to ‘nudge techniques’.
Many of the points included in this section skirt much closer to the line of consumer protection than many of the other standards (e.g. the presentation of payment flows). From the ICO’s perspective, the motivation for these inclusions is that negative nudge techniques around monetisation could result in children providing additional data (i.e. payment data) that they may not have otherwise provided.
The one reference to positive nudge techniques expressly revolves around data. In the original Code, the use of positive nudge techniques is couched in a much more optional fashion (and comes more highly recommended for younger players) but is increasingly coming as a recommendation from the ICO regardless of the age profile of players – particularly when turning off a ‘high privacy default setting’ (i.e. allowing voice chat).
Our additional top tips for game designers
While there’s no doubt that these tips lay a useful foundation towards best practice, it’s clear there’s no “one-size-fits-all” route to compliance with the Children’s Code. In our experience, making sure you follow the steps set out below will stand you in the best possible stead for ensuring your game complies:
- Start by conducting a DPIA about your game, which will flush out a lot of the information you’re going to need to assess any issues. The ICO has a template here.
- You could then take a look at the ‘practical steps’ in the self-assessment risk tool to see where you might have gaps in your Children’s Code (and general GDPR) compliance – many of the steps mentioned speak to the topics that are covered off in an ICO audit.
- On the back of better understanding the risks, it’s worth considering how you can obtain information about the demographic (or potential demographic) for your game.
- As mentioned in our previous articles on the Code, accountability is key. Therefore, to the extent you’re doing (and re-doing) any assessments or checks on the topics above or are setting out justifications on why you’ve taken a certain approach – it’s important to document it in writing.