
How game developers can use privacy-by-design to conform with the Children’s code.

This is a guest post produced by the Information Commissioner's Office (ICO). For more information on the ICO, please visit their website.

The Children’s code (known formally as the Age-appropriate design code) came into force on 2 September 2021. We have produced these best practice recommendations, which give game developers examples of practical ways they can meet the code’s standards.

Understand what personal data your game is collecting and how it is processed

Standard two requires organisations to complete a data protection impact assessment (DPIA) to identify and minimise the data protection risks of their service. We suggest you make a data map of the personal data flowing through your game to inform your DPIA. Together, these help you minimise the processing of personal data (standard eight).

Your data map and DPIA could highlight where session-scoped user IDs can minimise the personal data you collect. With a fresh, random ID per session you cannot link a user across sessions or datasets, provided no other persistent identifier (such as a device identifier or account reference) is stored alongside it. Similarly, when undertaking segment or cohort analysis, best practice is to analyse aggregate (average) behaviour rather than individual behaviour. This provides sufficient detail for analysis without needing to process data at the level of an individual child.
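The following is an added illustration of the two practices above (session-scoped IDs and aggregate-only cohort analysis); it is example code written for this article, not the ICO's or any publisher's own telemetry code. The field names, the forbidden-field list and the minimum cohort size of 5 are assumptions chosen for the example, and the sample events are constructed inline so it runs offline.

```python
"""Session-scoped telemetry with aggregate-only cohort analysis (example code)."""
import secrets
import statistics
from collections import defaultdict

# Assumption for this example: cohorts with fewer sessions than this are
# suppressed so a report can never describe a single child's behaviour.
MIN_COHORT_SIZE = 5

# Assumption: identifiers that would let events be linked back to a person or
# device across sessions. A minimised event must contain none of them.
FORBIDDEN_FIELDS = {"device_id", "advertising_id", "ip", "email", "name", "date_of_birth"}


def new_session_id() -> str:
    """Random, unguessable ID that is never derived from device or account data,
    so two sessions from the same player cannot be joined together later."""
    return secrets.token_urlsafe(16)


def make_event(session_id: str, level: int, playtime_s: int, purchases: int) -> dict:
    """Build a telemetry event carrying only the fields the analysis needs."""
    return {
        "session": session_id,
        "level": level,
        "playtime_s": playtime_s,
        "purchases": purchases,
    }


def check_minimised(event: dict) -> bool:
    """True if the event carries no persistent identifier from FORBIDDEN_FIELDS."""
    return not (FORBIDDEN_FIELDS & set(event))


def cohort_averages(events: list, key: str = "level") -> dict:
    """Group events by `key` and return per-cohort means, dropping small cohorts."""
    groups = defaultdict(list)
    for event in events:
        if not check_minimised(event):
            raise ValueError("event contains a persistent identifier: %r" % sorted(FORBIDDEN_FIELDS & set(event)))
        groups[event[key]].append(event)

    report = {}
    for cohort, members in groups.items():
        if len(members) < MIN_COHORT_SIZE:
            continue  # suppressed: too few sessions to report without singling anyone out
        report[cohort] = {
            "sessions": len(members),
            "mean_playtime_s": statistics.fmean(e["playtime_s"] for e in members),
            "mean_purchases": statistics.fmean(e["purchases"] for e in members),
        }
    return report


def sample_events() -> list:
    """Constructed sample data: six sessions at level 3, two at level 9."""
    events = []
    for playtime, purchases in [(600, 0), (620, 0), (640, 1), (660, 0), (680, 1), (700, 0)]:
        events.append(make_event(new_session_id(), 3, playtime, purchases))
    for playtime in (900, 950):
        events.append(make_event(new_session_id(), 9, playtime, 0))
    return events


if __name__ == "__main__":
    for cohort, stats in sorted(cohort_averages(sample_events()).items()):
        print("level %d: %s" % (cohort, stats))
```

Note that the level 9 cohort never appears in the report: with only two sessions, each "average" would effectively describe one child, so it is suppressed rather than published. The `ValueError` is the check a DPIA reviewer would want: a build that starts attaching a device identifier to events fails loudly instead of silently re-identifying players.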

Assess the level of risk your game poses to children

The best interests of the child should be a primary consideration when you design and develop games likely to be accessed by a child. You need to assess the level of risk your game poses to children. When processing their personal data, consider the needs of child users and then support those needs in the game’s design. For example, your game’s monetisation model needs to be transparent and consistent, allowing children or parents to make an informed purchase.

The ICO has best interests guidance and a best interests framework to help you. You should also consult with children and parents. If this isn’t feasible, consult child advocates, schools or previous research on children’s views.

You should not use children’s personal data in ways that are detrimental to their wellbeing. Detrimental use could include using personal data to drive acquisition, monetisation, retention or nudges to extend gameplay. You should not allow organisations to access personal data in ways that could enable bullying or abusive behaviour. This could include:

·       unwanted contact online;

·       trolling;

·       pretending to be someone else; or

·       providing access to age-inappropriate content or products.

Use appropriate age ratings and stick to policies and community guidelines

Publish your terms and conditions and policies and, importantly, adhere to these (standard six). Best practice is for these to cover age ratings or restrictions and behaviour and content policies. These should be available to users and non-users. You should also adhere to any PEGI rating and industry code of practice.

You should not offer adult accounts to under-18s if this would result in your service failing to conform to the code. You need to take a risk-based approach to recognising the age of your users. You can either establish age to a reasonable level of certainty or apply the standards to all users (standard three).

Best practice includes allowing users to play your game for a limited time without collecting personal data or requiring them to accept any terms. This helps children understand what the game is and make a more informed choice about the processing of their personal data.

All settings must be ‘high privacy’ by default, unless you can demonstrate a reason not to

You should disable social features that fall under the Children’s code until the user opts in. The features must also have appropriate moderation. We suggest having very limited social features for under-13s, unless you have a compelling reason. For example, we recommend avoiding free-text messaging unless it is strictly necessary for a beneficial purpose.

Profiling should be ‘off’ by default. You should only use profiling if you have measures in place to protect children from harmful effects or content that is detrimental to their health and wellbeing. You must be able to demonstrate that the profiling is required for the game to work.

You should not use profiling for advertising unless the child opts to adjust the profile setting. We do not consider advertising to be an essential purpose. For children under 13, this requires parental approval. If advertisements are important for the game’s monetisation and sustainability strategy, consider using contextual advertising that does not rely on behavioural data profiling. You should refer to the Committee of Advertising Practice for further guidance on advertising in-game purchases.

Don’t use nudge techniques to encourage children to provide unnecessary personal data or to lower or turn off their privacy protections

This ensures you conform with standard 13 of the code. Nudge techniques include:

·       preventing users from saving their game until they reach a certain level; or

·       nudging users to set up profiles which include personal data.

Best practice is to encourage children to leave the game regularly through natural breaks in gameplay. You should consider what constitutes reasonable timeframes for breaks between and within sessions and ways to explicitly provide break opportunities.

A best practice recommendation for profile creation is to limit it to first names or pre-generated usernames. You can also offer a cartoon or animated avatar rather than a personal picture.

Clearly define and understand what role each organisation involved in the creation, distribution and running of the game has and what data they should have

This is crucial to conform with the data sharing standard. Your DPIA should help you to identify the various relationships.

Do not share children’s personal data unless necessary for a specific purpose, considering their best interests. Examples of necessary sharing include with the third parties who deliver services in your game. This applies provided these third parties are a core part of delivery and they require the personal data to deliver the services. Third-party platforms may collect personal data to provide their element of your service, such as payment. They shouldn’t share the data with you unless it is necessary for a specific purpose.

Best practice includes using responsible ad providers that use age appropriate content and mechanisms. This means they:

·       do not profile to target ads to children;

·       do not have direct calls to action in their ads; and

·       clearly differentiate their content as an ad within your game to ensure transparency.

Ensure your users know what personal data you’re collecting and how you’re using it

Give children age-appropriate information, including about parental controls. If your game allows parental monitoring, make it obvious to the child when this is happening. This is fundamental to meeting standard four (transparency) and standard 11 (parental controls). Ensure users understand when personal data is collected from device sensors and in-game features, for example the microphone, gyroscope and live chat. Best practice is to give children separate choices over which of these elements they wish to activate. Providing additional explanations at the points where you use their personal data is also best practice.

Be transparent about who you share children’s data with, and why - for example, third-party log-in services. Avoid entering data sharing arrangements where third parties pass personal data on to their own partners, as children may not reasonably know who is processing their personal data. If you use third-party log-ins, best practice is to also provide a log-in option that does not require a social media account.

Our right to be informed guidance provides further information on how you can provide privacy information.

Allow anyone to report concerns

Best practice for standard 15 includes providing prominent and simple tools to help children understand and exercise their data protection rights and report concerns. It is also best practice to allow both users and non-users to report concerns. Ensure you can respond to reports quickly, and moderate content and behaviour against the rules set out in your community standards policies.

In summary

1.   Take responsibility for the personal data collected by all the systems supporting your game. Be transparent about what personal data you collect and who you share the data with.

2.   Understand that personal data means anything attributable in any way to a user, even indirectly.

3.   Only collect personal data you actually need. If using consent as your lawful basis, ensure you have the appropriate consent, considering that children under 13 require parental consent.

4.   Use appropriate age rating systems and abide by the rules set by your age rating system and community guidelines.

Design games with the best interests of the child in mind where under-18s are likely to access the service. Consider how your game conforms with all relevant standards of the Children’s code and be transparent about how you use and share children’s personal data. This helps you conform with the code and increases your users’ confidence in your service.

Need help producing a data protection impact assessment (DPIA) for your games business? Access a sample DPIA that the ICO produced with Ukie member Fundamentally Games here.