The Information Commissioner’s Office (“ICO”) Age Appropriate Design Code (“AADC”), produced pursuant to s.123(1) Data Protection Act 2018 (“DPA”), came into force on 2 September 2021. The AADC applies to “relevant information society services which are likely to be accessed by children” in the UK. This includes many apps, connected toys and devices, search engines, social media platforms, streaming services, online games, news or educational websites and websites offering other goods or services to users over the internet. It is not restricted to services specifically directed at children. The AADC sets out 15 headline standards of age appropriate design that companies need to implement to ensure their services appropriately safeguard children’s personal data and process children’s personal data fairly.

Section 129 of the DPA allows the ICO to carry out consensual audits, the purpose of which is to provide the ICO and the audited business with an independent assurance of the extent to which the business, within the scope of the agreed audit, is complying with data protection legislation. Audits are conducted following the ICO’s data protection audit methodology which results in an overall assurance rating (high assurance, reasonable assurance, limited assurance or very limited assurance) and recommendations.

In February 2024, the ICO announced that it had carried out an AADC audit of Gameforge 4D GmbH with its consent. Based in Germany, Gameforge publishes online games for PC that can be accessed globally via the Gameforge launcher or third party platforms. The games are rated under the German games age rating system (USK) as suitable for children 0-12 years, although Gameforge has assessed that its games are unlikely to appeal to younger children due to the complex gameplay mechanics. Gameforge does not collect age data and has consequently chosen to apply high data protection safeguards to all users by implementing pseudonymisation of all user data, and not engaging in higher risk processing such as location tracking or profiling.

The areas covered by the audit were determined following a risk-based analysis of Gameforge’s processing of UK children’s personal data, considering any data protection issues or risks which were specific to Gameforge, identified from ICO intelligence or Gameforge’s own concerns, and/or any data protection issues or risks which affect their specific sector or organisations more widely. The ICO also considered the organisational structure of Gameforge and the nature and extent of Gameforge’s processing of UK children’s personal data (making the scope of the audit unique to Gameforge). The audit consisted of a desk-based review of selected policies and procedures and interviews with key staff.

The audit found a “reasonable level” of assurance that Gameforge complies with the AADC. It appears that there is only one area that Gameforge “must” to ensure compliance: the need for privacy information to include sufficient detailed information about specific instances of processing, their purpose and lawful basis, and retention arrangements. Other recommended actions were those that Gameforge “should” implement (i.e. actions not required by law but which the ICO expects the audited business to do to comply effectively with the law). These include, amongst other things, an assessment to consider and document the potential ages of users, which can be achieved non-intrusively by using anonymous or aggregated data such as market research, indicative analytics from social media/streaming platforms, or optional in-game surveys.

Examples of Gameforge’s good practice include having five members of the legal team with DPO certification, an external DPO (to minimise blind spots and who is accessible to users and parents), two DPOs being signatories to company accounts and new/changed contracts (to ensure that any changes to processing by the business have to be reviewed by a certified DPO), not using personal data to promote third party products, including prompts to encourage players to take breaks from playing and automatically disconnecting a user after 24 hours of continuous play, and processing geolocation only to country level using the user IP address which after a period of seven days is permanently redacted and hashed.

For more information, click here.