One Year On: Key Takeaways from the Children's Code

The Age Appropriate Design Code, also known as the Children's Code, is a set of regulations that outlines principles for online services that are likely to be used by children. These principles are built upon the UK's General Data Protection Regulation (GDPR), with a focus on making online services safer for children. We previously created a guide for the GamesIndustry.biz Academy that provides an overview of the code. Since its implementation on September 2, 2021, the UK's data protection authority, the Information Commissioner's Office (ICO), has been engaging with companies that provide streaming platforms, social media services, and video games. The ICO has been conducting voluntary audits and comprehensive questionnaires to understand how the industry is complying with the Children's Code. One of the key takeaways from these engagements is that understanding the age of players is crucial for complying with the code's principles, such as implementing appropriate privacy controls. The Children's Code states that if player ages are unknown, games that are likely to be accessed by children should assume all players are children. This approach poses a challenge for many game companies, as they have built their services around the GDPR principle of data minimization. The Information Commissioner is expected to release an opinion on age verification, which may provide further guidance on the expectations for online companies. The conversation around age verification is not limited to the Children's Code, but also impacts other initiatives, such as the Online Safety Bill and the digital ID framework. Game companies often have a single, overarching privacy policy that covers all their data processing activities. However, the Children's Code prefers a "per product" approach, where each game has its own privacy policy, or clearly outlines which processing applies to specific products. The issue of excessive screen time has also been addressed. Rather than requiring game companies to limit screen time, the ICO encourages them to add messaging to users about taking regular breaks, particularly for younger players. For games without natural breaks, such as MMOs or survival games, this is even more important. Parental controls around screen time should also be considered, with best practices including offering users the ability to apply screen time limits themselves. Data Protection Impact Assessments (DPIAs) should be conducted for each game to assess the risks posed and mitigate them accordingly. The DPIA standard sets out the various harms to children that the risks should be measured against. If there are changes to the game's features or functionalities, the DPIA should be revisited and adjusted. The ICO has also encouraged periodic reviews of DPIAs to ensure they remain up-to-date. Nudge techniques have been criticized in recent years, and there is little room for negative nudge techniques under the Children's Code. The ICO has suggested that gameplay and monetization patterns should be tested and assessed to ensure negative nudge techniques have not been unwittingly deployed. On the other hand, game companies are being encouraged to deploy positive nudge techniques, which encourage users to make positive steps, such as directing users to support or wellbeing resources. Most social media platforms are aimed at users who are at least 13 years old. For games with an audience under 13, the ICO has pointed out that care is needed when running giveaways or prize promotions on social media platforms. The ICO is concerned that game companies could be unintentionally encouraging child users to set up social media accounts when they are underage. Studios should consider running prize promotions on platforms suitable for different age brackets or permitting entries via methods suitable for all ages. A common challenge, particularly for indie studios, is the lack of internal documentation logging decisions made about data processing. Indie studios often have studio-wide policies on data minimization or privacy-by-design, but these are often not written down. Consider creating a document that solidifies your studio's position on the Children's Code and data protection more generally, including the studio's approach to risk, who is responsible for data protection, and when a DPIA should be undertaken. Having data protection concerns as a standing item on weekly or monthly director meetings and keeping a note of discussions or decisions can also be helpful. This documentation will make it easier to discuss data protection with regulators or others in the future.