ICO News

New ICO Guidance On Children's Data – Privacy Protection – Ireland – Mondaq News Alerts



To print this article, all you need is to be registered or login on Mondaq.com.

The Information Commissioner’s Office (the
ICO“) in the UK has released guidance
for video game companies setting out the steps companies can take
to comply with the Age Appropriate Design Code (the
Code“). The guidance is also useful for
the processing of children’s more data generally.

The Code is a data protection code of practice for online
services likely to be accessed by children. See our article
comparing the Code and the Data Protection Commission’s
Fundamentals for a Child-Oriented Approach to Data Processing (the
Fundamentals“) here and our article on the Fundamentals here.

The video games guidance was developed following an ICO audit of
the sector and includes the below key points.

1. Risk assessments: Companies should have a
defined process to help identify and minimise data protection
risks. The ICO recommends that companies consult with external
stakeholders, including children, to assess and document new and
legacy games’ appeal to children. This will help determine the
most appropriate age assurance measures to put in place. Companies
should also regularly review those risk assessments after a game
goes live. If unexpected age groups are playing the game, companies
should make necessary adjustments.

2. Age assurance: The ICO states that the age
range of players and the different needs of children at different
ages and stages of development “should be at the heart of
how [companies] design games and apply the Code
.”

Readers Also Like:  ¿La ICO de BNB fue manipulada? Nuevas acusaciones contra Binance generan controversia - Cryptocity

Companies should assess and document how they will identify if
players are under 18, investigate and implement age assurance
solutions and implement measures to discourage or prevent players
from giving false age declarations. For example, a cooldown
mechanism that prevents players from returning to a previous page
to provide a different date of birth within a fixed time
period.

3. Be transparent: Companies should conduct
user research to trial child friendly privacy information with
different age groups. They should display transparency information
based on ability, rather than age (e.g. at beginner, intermediate
and expert levels) and design different ways to communicate privacy
information which may be more appropriate for children. This could
include age-appropriate videos and graphics in ‘bite sized’
chunks, using storylines or deploying in-game pop-ups or
messages.

4. Prevent the detrimental use of children’s
data
: The ICO emphasises that it is important to only
process children’s personal data in ways that is not
detrimental to their health or wellbeing.

Companies should ensure that all optional uses of personal data
are off by default and only activated after valid consent is
obtained from the player or their parent or guardian if the player
is under the age of 13 (the age of digital consent in the UK is 13,
while in Ireland it is 16). Companies should also introduce
checkpoints or natural breaks into the game design, and include
age-appropriate prompts to encourage players to take breaks. They
should also implement measures to control or monitor product
placement, advertising of sponsorship arrangements within community
servers, in cases where children can access community servers from
within the game.

Readers Also Like:  Top 10 Countries Embracing Cryptocurrency Adoption - Blockchain Magazine

5. High privacy settings and parental controls:
The ICO note “[d]esigning your games to promote meaningful
parent or guardian-child interactions, while setting a high level
of privacy by default and providing a range of appropriate parental
controls is key
.”

The ICO state that companies could provide parents or guardian
with real time alerts about their child’s activity, where it is
in the child’s best interest (e.g. a notification if the child
tries to change a privacy setting or is exposed to inappropriate
content). The ICO note that if parents or guardians opt-in to
receive real time alerts, children should be given age-appropriate
information about this.

The ICO state that companies could also give players age
appropriate explanations and prompts at the point they try to
change their privacy settings. Companies could also assess whether
it is possible to introduce settings that allow children to control
what personal data is visible to other players and introduce
measures regarding child players’ interaction with others such
as changing the default ‘receiving friend requests’ setting
to ‘no-one’.

6. Profiling responsibly: Companies should
offer control to children over whether and how companies use their
personal data. The ICO notes that companies should check any
third-party advertising provider is displaying age-appropriate
content to children in-game and that default profiling for
marketing is turned off for children. Another option is to consider
restricting marketing to contextual advertising that doesn’t
process children’s data.

7. Positive nudge techniques: Companies should
assess and document the risks of introducing time-limited or one
time only offers on items targeted at children and implement
positive nudge techniques to promote the best interests of children
such as encouraging children to high privacy options and sensible
purchasing of in-game items.

Readers Also Like:  24% of tokens created in 2022 were scams — Report - Punch Newspapers

This article contains a general summary of developments and
is not a complete or definitive statement of the law. Specific
legal advice should be obtained where appropriate.

POPULAR ARTICLES ON: Privacy from Ireland

UK Data Protection Overview 2023

Bindmans LLP

Monika’s piece covers the UK’s current legislative framework, providing an in-depth summary of everything from the law that applies and data subject rights…

Transfer Impact Assessment

Destek Patent

While prior to the entry into force of the GDPR the transfer of personal data to third countries through so-called SCCs under Directive 95/46 was handled differently within the Union, the GDPR has largely harmonized this mechanism.

Do We Need Data To Promote Diversity And Equality?

Castren & Snellman Attorneys

Diversity and equality in work communities enrich working life and enable companies to grow and innovate. Many employers have undertaken to promote equality, which is after all their legal responsibility.



READ SOURCE

This website uses cookies. By continuing to use this site, you accept our use of cookies.