The Information Commissioner’s Office (the
“ICO”) in the UK has released guidance
for video game companies setting out the steps companies can take
to comply with the Age Appropriate Design Code (the
“Code”). The guidance is also useful for
the processing of children’s data more generally.
The Code is a data protection code of practice for online
services likely to be accessed by children. See our article
comparing the Code and the Data Protection Commission’s
Fundamentals for a Child-Oriented Approach to Data Processing (the
“Fundamentals”) here and our article on the Fundamentals here.
The video games guidance was developed following an ICO audit of
the sector and includes the below key points.
1. Risk assessments: Companies should have a
defined process to help identify and minimise data protection
risks. The ICO recommends that companies consult with external
stakeholders, including children, to assess and document new and
legacy games’ appeal to children. This will help determine the
most appropriate age assurance measures to put in place. Companies
should also regularly review those risk assessments after a game
goes live. If unexpected age groups are playing the game, companies
should make necessary adjustments.
2. Age assurance: The ICO states that the age
range of players and the different needs of children at different
ages and stages of development “should be at the heart of
how [companies] design games and apply the Code.”
Companies should assess and document how they will identify if
players are under 18, investigate and implement age assurance
solutions and implement measures to discourage or prevent players
from giving false age declarations. One example is a cooldown
mechanism that prevents players from returning to a previous page
to provide a different date of birth within a fixed time
period.
3. Be transparent: Companies should conduct
user research to trial child friendly privacy information with
different age groups. They should display transparency information
based on ability, rather than age (e.g. at beginner, intermediate
and expert levels) and design different ways to communicate privacy
information which may be more appropriate for children. This could
include age-appropriate videos and graphics in ‘bite sized’
chunks, using storylines or deploying in-game pop-ups or
messages.
4. Prevent the detrimental use of children’s
data: The ICO emphasises that it is important to only
process children’s personal data in ways that are not
detrimental to their health or wellbeing.
Companies should ensure that all optional uses of personal data
are off by default and only activated after valid consent is
obtained from the player or their parent or guardian if the player
is under the age of 13 (the age of digital consent in the UK is 13,
while in Ireland it is 16). Companies should also introduce
checkpoints or natural breaks into the game design, and include
age-appropriate prompts to encourage players to take breaks. They
should also implement measures to control or monitor product
placement, advertising or sponsorship arrangements within community
servers, in cases where children can access community servers from
within the game.
5. High privacy settings and parental controls:
The ICO note “[d]esigning your games to promote meaningful
parent or guardian-child interactions, while setting a high level
of privacy by default and providing a range of appropriate parental
controls is key.”
The ICO state that companies could provide parents or guardians
with real time alerts about their child’s activity, where it is
in the child’s best interest (e.g. a notification if the child
tries to change a privacy setting or is exposed to inappropriate
content). The ICO note that if parents or guardians opt-in to
receive real time alerts, children should be given age-appropriate
information about this.
The ICO state that companies could also give players age
appropriate explanations and prompts at the point they try to
change their privacy settings. Companies could also assess whether
it is possible to introduce settings that allow children to control
what personal data is visible to other players and introduce
measures regarding child players’ interaction with others such
as changing the default ‘receiving friend requests’ setting
to ‘no-one’.
6. Profiling responsibly: Companies should
offer control to children over whether and how companies use their
personal data. The ICO notes that companies should check any
third-party advertising provider is displaying age-appropriate
content to children in-game and that default profiling for
marketing is turned off for children. Another option is to consider
restricting marketing to contextual advertising that doesn’t
process children’s data.
7. Positive nudge techniques: Companies should
assess and document the risks of introducing time-limited or one
time only offers on items targeted at children and implement
positive nudge techniques to promote the best interests of children
such as encouraging children towards high privacy options and sensible
purchasing of in-game items.
This article contains a general summary of developments and
is not a complete or definitive statement of the law. Specific
legal advice should be obtained where appropriate.