The transition period for the Children’s Code ends on 2 September 2021, and all games or online businesses that are likely to be accessed by children under 18 are required to comply. Websites, games and apps affected by the code need to provide additional protection for any personal data of users under 18 years of age. This might require game and app developers and publishers to restrict or remove features from their websites, apps or games.
Want to know more? Then read on…
What the heck is the Children’s Code?
Following the introduction of the GDPR and the UK Data Protection Act 2018 (“DPA”), the Information Commissioner’s Office (“ICO”) has produced a code of practice on the standards of age appropriate design for various online services – including websites, apps and games – in order to ensure that those online services appropriately safeguard children’s personal data.
When is it in force?
It already is! The Children’s Code (formerly known as the Age Appropriate Design Code) actually came into force in September 2020, but a 12-month transition period has meant that game developers and publishers still have a few months before those rules are enforced. The Children’s Code is likely to be just as significant to games businesses as the introduction of the GDPR and DPA, because it changes the standards of data protection for children.
The transition period formally ends on 2 September 2021 so all businesses will need to be in compliance by then.
What does the Children’s Code say?
In short – the code explains how online services (read: games and app businesses) must ensure that their services appropriately safeguard children’s personal data. The code sets out 15 standards of age appropriate design that games businesses will need to put in place including data minimisation and acting in “the best interests of the child”.
All games businesses will need to consider the code if children are likely to access their service. That could mean giving children who play your app or game a high level of privacy by default, such as switching off targeted advertising and limiting geolocation features.
My game/app states that it is not suitable for children. I’m good, right?
Age ratings, while instructive, do not necessarily mean that children will not access your service. The code should be considered even if children are not your target audience but are still likely to access your game.
We comply with the GDPR and don’t process personal data of children under 13. Do I need to do anything?
In the code “child” refers to any individual under the age of 18. This is a higher age than that used by the GDPR/UK GDPR and DPA when instituting specific protections for young people, like the age at which a person can give valid consent. So, yes, you may still need to ensure that you are compliant with the code and processing children’s data in accordance with it.
We don’t know the ages of our users or players. Do we still need to comply?
Probably (depending on what you are doing with user data). If you are processing personal data in a way that would not comply with the code then you need to be able to separate out children’s data from that of any adults that use your app or play your game.
To do this you may need to ask users to provide their age, carry out some age checks, or provide a high level of privacy to all users by default. Generally speaking, the higher the risk of your data processing activity, the more sure you need to be that you are not processing children’s data unfairly.
I’m a developer / publisher based outside of the UK. Do I need to do anything?
Yes, you do. The code applies to UK games businesses and in lots of cases non-UK games businesses who process children’s personal data, even if they have no physical presence in the UK. Lots of games businesses that make their websites, apps and games available to users in the UK will need to ensure that they comply with the code.
What are the consequences of non-compliance with the code?
Non-compliance with the Children’s Code is likely to be seen by the ICO as non-compliance under the GDPR/UK GDPR. Games businesses that process children’s personal data in breach of the GDPR/UK GDPR or the Privacy and Electronic Communications Regulations (“PECR”) can be subject to fines of up to £17.5 million or 4% of annual worldwide turnover for the worst breaches, whichever is higher.
I’m a Game / App Developer: What should I do before the transition period ends?
- Understand where you process and collect personal data. It might be via your website, social media channels or even via analytics tools built into your game or app.
- Know what personal data you are processing, and why you are processing it. Don't collect or process personal data that you don't use or need.
- Games and apps are services that are likely to be accessed by children. Map out the user journey to show where and how personal data is used. This might help you implement appropriate safeguards at various stages of the user journey that better protect children.
- Carry out a "data privacy impact assessment" ("DPIA") if you undertake more involved data processing. This will help you identify and minimise the data protection risk, and will highlight any specific data privacy risks to children that are likely to access your game or app.
- If you have a publisher then your publishing contract will likely require you to "comply with all laws, rules and regulations" so non-compliance could put you in breach of your publishing contract.
- Update your consumer facing documents to show your compliance with the code. Your privacy notices should accurately reflect how you collect and process personal data, and set out the reasons why you do this.
- Get in touch with Sheridans. We are working with studios to guide them through the DPIA process, and can give you guidance on the code.
We’re a Game / App Publisher: What should we do before the transition period ends?
Publishers are responsible for distributing and selling games to end-users, so they are more likely to receive and process personal data from players/users. Due to their consumer-facing nature, publishers are more likely to be considered a “data controller” under the GDPR/UK GDPR and DPA.
- Understand where you process and collect personal data. It might be via your website, social media channels or even via analytics tools built into the games or apps you are selling.
- Work with your developers to understand what analytics and tools are used in the game or app to process or collect personal data.
- Carry out a DPIA for your own business if you undertake more involved data processing, and maybe for each game (working with your developers as set out above). This will help you identify and minimise the data protection risk, and will highlight any specific data privacy risks to children.
- Update your consumer facing documents relating to the games you are publishing to show your compliance with the code. All privacy notices should accurately reflect how you collect and process personal data in the applicable game or app, and should set out the reasons why you do this.
- Get in touch with Sheridans. We are working with other publishers to guide them through the DPIA process, and can give you guidance on the code.
I am always happy to help or to answer questions. Please feel free to contact me via email at [email protected], or DM on Twitter / LinkedIn (see my Gamasutra profile for details).
Thanks to my colleague and friend Eitan Jankelewitz aka The Bitcoin Barrister for his advice in writing this blog post.