May 19, 2026
Age assurance is becoming a central compliance issue for games businesses in the UK. With overlapping regulatory regimes, active enforcement, and further reforms under consideration, companies need to understand when age assurance is required, what “effective” measures look like, and how to respond in a proportionate way.
Two regulators, one clear message: self-declaration is not enough
Two principal legal frameworks drive age assurance obligations for games businesses in the UK: the UK GDPR together with the Age Appropriate Design Code (UK GDPR and Children’s Code), and the Online Safety Act 2023 (OSA).
UK GDPR and the Children’s Code
Under the UK GDPR and the Children’s Code, the focus is on how children’s personal data is processed and on preventing harmful processing. A considerable focus of the UK GDPR and Children’s Code is on targeted advertising, location sharing, and commercial activities derived from profiling children. These three activities clearly involve personal data of children being processed. However, the ICO is also looking more closely at online services whose features could be harmful to children – including where children are exposed to harmful content and/or abusive behaviour online.
The ICO requires video games which are likely to be accessed by children to undertake a data protection impact assessment (DPIA). The DPIA should examine the game, the various standards set out in the Children’s Code, the possible harm to children, and whether any measures are required to help protect children. Of course, you cannot implement child-specific measures without knowing the age of the child, which is where age assurance comes into play.
The ICO has stated that services must “establish age with a level of certainty that is appropriate to the risks” or else apply child-appropriate standards to all users by default. In practice, games companies will need age assurance unless they can show one of three things: the game is unlikely to be accessed by children; the risks do not justify it; or they treat all players as if they were children.
The Online Safety Act
The OSA approaches child safety differently, but many of the practical issues overlap.
The OSA designates Ofcom as the regulator for online safety and imposes a range of duties on providers of user-to-user services and search services. A central question for any games business is whether its games, or games services, fall within the scope of the OSA. Games with user-generated content and social features (such as in-game chat) are likely to be captured. It is important to note, however, that the OSA will only regulate the user-to-user sections and content within the game – not the entire game. Regulated services that are likely to be accessed by children face enhanced child safety duties, including obligations to assess and mitigate the risk of children encountering harmful content on the service. Ofcom has published Codes of Practice and accompanying guidance setting out the measures it expects services to take in order to comply with these duties.
The OSA categorises harmful content to children into three tiers of user-to-user content: “priority content”, “primary priority content”, and “non-designated content”. Services that allow “primary priority content” harmful to children, such as pornography, self-harm, suicide, or eating disorder material, must use “Highly Effective Age Assurance” (HEAA) to prevent children from encountering such content. Ofcom defines HEAA as age assurance that is highly effective at correctly determining whether or not a user is a child. In practical terms, this means age verification or age estimation methods that go well beyond self-declaration. For other categories of harmful content, services must take proportionate steps to prevent children from encountering such material, and age assurance measures may form an effective part of a service’s compliance toolkit.
It is important to note that the OSA’s child safety duties apply not only to user-to-user content but also to certain functionalities and features of a service. For example, services must consider how their design choices, such as recommender algorithms, messaging systems, or mechanisms that facilitate contact between adults and children, could expose children to harm. Services must conduct children’s access assessments and children’s risk assessments to identify potential harms and determine appropriate mitigations. Age assurance measures may therefore be relevant to gating access to specific parts or functionality within a game.
A shared regulatory position
Overall, both regulators agree that where age assurance is required, self-declaration alone is not effective, and that without HEAA, organisations may find themselves in tricky waters.
So where does that leave game companies? One regime requires age assurance to prevent unlawful or harmful data processing, the other requires it to prevent children from encountering harmful content. Neither requires a game to be age-gated in its entirety, but finding a holistic solution is challenging and the cost of getting it wrong can be high.
Lessons from recent enforcement
The risks of not complying with the OSA and UK GDPR and Children’s Code are real.
The ICO has imposed significant fines on Reddit (£14.47 million) and TikTok (£12.7 million) for failures relating to children’s data, particularly where platforms set minimum age requirements but lacked effective age assurance to enforce them. The message is clear: you cannot simply rely on terms and conditions to contract out of your obligations to children.
On the Ofcom side, 4chan was fined £520,000 and Kick £800,000 for failing to have effective age assurance in place and allowing children to access pornographic material. While these figures are lower than the ICO’s penalties, this reflects the early stage of Ofcom’s enforcement activity and the smaller scale of the services involved rather than any lesser seriousness. Ofcom’s maximum penalty — up to £18 million or 10% of qualifying worldwide revenue — is comparable to the ICO’s, and the regulator has signalled a graduated, escalatory approach.
It is also worth noting that the fines for each of Reddit, TikTok and 4chan were partly for failing to conduct DPIAs / risk assessments as required by the relevant regime.
The overarching takeaway is that the best line of defence is the ability to demonstrate you have genuinely thought about children in advance.
Practical Steps for Games Businesses
1. Review your existing documentation
Examine your risk assessments, terms of service, privacy notices, and other consumer-facing documents. These are back in the regulatory firing line and serve as the foundation for determining what age assurance measures you may need. And if your game has a minimum age requirement set out in your terms, investigate why this has been set and if it is necessary (because it won’t protect you from regulators).
2. Assess the risk to your game and your business
Identify whether your game involves harmful content, user-to-user functionality (such as messaging or user-generated content), targeted advertising, recommender systems, or monetisation methods that could pose risks to children. Determine whether children are actually using your game, and if you lack reliable data on this, consider commissioning your own market research. Record that assessment in a DPIA or other risk assessment.
3. Implement new measures, follow up on recommendations, and document everything
Act on the findings of your risk assessments and address any identified gaps. Crucially, document what you have decided to do and what you have decided not to do, and why. Internal policies on reporting, moderation, and escalation can go a long way towards demonstrating to a regulator that you have taken child safety seriously, even where your documentation does not follow a prescribed format. Compliance is an ongoing exercise, not a one-off task – especially where games are concerned.
4. Have your say
The games industry should not be purely reactive. Engage with governmental and regulatory consultations, participate in policy initiatives, and take opportunities to educate regulators about the realities of game development and the balancing act between creating enjoyable, profitable games and meeting regulatory obligations. This can be done directly, with legal support, through Flux Digital Policy, or through trade bodies such as UKIE, TIGA, and VGE.
Future reform: more restrictions for under-16s may be coming
The UK government has made clear that some form of online age restrictions for under-16s is coming, even though the detail is still being worked through as part of the “Growing Up in the Online World” consultation. With the consultation focusing on issues closely connected to video games, including addictive design and stranger pairing (i.e., multiplayer matchmaking), the number of businesses required to deploy age assurance is expected to grow.
There may be scope for lower-risk features to be subject to less onerous age checks, but that outcome is far from guaranteed and would need to be actively advocated for.
Next steps
Age assurance is a fast-moving area, and the regulatory landscape is only set to become more demanding. What compliance looks like will depend on your game and your business, especially because these laws were designed largely with social media in mind, not games. We take a holistic approach to advising on regulatory compliance and we can help you navigate what legal, commercial and practical solutions are best suited to you.
If you would like to discuss how these developments affect your business, or if you need support with risk assessments, regulatory engagement, or implementing age assurance solutions, please do not hesitate to contact us.
This article is based on themes discussed in our recent webinar on age assurance in games, featuring contributions from Robin Hopkins KC and Rita Dias from 11KBW, and Dr Celia Pontin from Flux Digital Policy alongside the authors listed. It is for informational purposes only and not intended as legal advice.