What is the Guidance?
To assist developers, the ICO separates its suggestions into those that game developers "should" follow and those that they "could" follow.
The guidance suggests that developers "should":
- Risk Assess: Developers are encouraged to put in place processes to help them identify and minimise data protection risks within games. Early in the process this may involve consulting with external stakeholders, including children, to carry out risk assessments. Where games are to involve randomised rewards, such as loot boxes, these rewards should be risk assessed against the Children's Code at an early stage.
- Know their Players: developers should take steps to consider and document how they can assess the ages of their players with sufficient certainty. While the guidance stops short of suggesting age assurance measures ought to be used, it does suggest that measures should be implemented to discourage or prevent players from giving false declarations of age, such as using cooldown mechanisms that prevent players from inputting an alternative age within a set period of time.
- Prevent detrimental use of children’s data: Developers should ensure that all optional uses of personal data are off by default and only activated after valid consent is obtained from the player (or their parent/guardian) and should ensure that there are measures to control or monitor product placement, advertising or sponsorship.
- Consider Behavioural Profiling: Developers are advised to have behavioural profiling for marketing purposes turned off by default. Where a child opts in to receiving advertisements, measures should be put in place to control and monitor the use of product placement and to ensure that any third-party advertisers are displaying age-appropriate content.
- Limit the Fear of Missing Out: The ICO suggests that developers introduce mechanisms within their games designed to discourage unhealthy tendencies. Mechanisms such as checkpoints, automatic saving and natural breaks in play are all recommended by the ICO to encourage players to engage with games in a way which is not detrimental to their health or wellbeing.
Additionally, it is suggested that positive nudge techniques are implemented both to encourage users to select high privacy options and to take breaks from play.
Further to these suggestions the guidance recommends that developers could:
- Increase Transparency: The ICO recommends that developers consider the way that privacy information is displayed and trial child friendly methods for conveying this information. For example, developers are encouraged to consider adjusting the way transparency information is displayed by tying this to ability rather than age.
- Set High Privacy Settings: The guidance recommends that developers set high privacy settings as a default and put in place safeguards to limit the risk of children lowering these, either deliberately or accidentally. It is suggested that this might include providing real time alerts to parents whenever privacy settings are changed, and modifying the way that privacy settings are displayed to children.
While not legally binding, the guidance provides developers with a list of best practice principles for designing games that are compliant with the terms of the Children's Code. The distinction within the guidance between what developers "should" do and what they "could" do suggests that the ICO views some of these suggestions as being of greater importance for continued compliance with the Children's Code than others.
The ICO continues to emphasise that it wishes to work with developers to embed compliance with the Children’s Code in all video games. Given the intense focus of other regulatory authorities on privacy practices within the games industry, the ICO’s offer to assist should be viewed as welcome collaboration.
If you have any questions regarding any of the above, please do not hesitate to contact Joe Fitzgibbon.