September 28, 2020
The ICO’s Children’s Code came into force on 2 September 2020. It is statutory in nature and requires organisations to provide better online privacy protections for children. The Code sets out 15 standards for designers of online services and products and how they should comply with data protection law. Essentially, the Code requires digital services to automatically provide children with a built-in baseline of data protection whenever they download a new app or game or visit a website.
Ukie notes that, until now, games businesses have had a responsibility to consider what age-appropriate design is through a number of different lenses. This included, but was not limited to, submitting games for age rating, creating in-game tools to help create age-appropriate environments (e.g. screening for toxic messages) and, broadly, having a sense of responsibility for players.
Online games businesses that have children within their player bases are now subject to the Code. This means that within a year, companies that fall under it must be compliant or face enforcement action from the ICO, including compulsory audits, orders to stop processing and fines. Ukie says that preparing for the Code will take a little bit of time but, fortunately, there are already some good tips out there on how to do so.
The ICO has supplemented the Code with a simple guide that distils 15 points into five easy-to-handle guiding thoughts:
- put the child first by thinking about the ages of people who use the service, asking how much data you need to gather, how much has to be shared and whether sharing data/processing it could be detrimental;
- give children a high privacy level by default by turning privacy settings on as “high” as possible by default, while looking to “switch off” uses of data that do not (e.g. optional data sharing);
- aim to give children an age-appropriate service even if those higher privacy default settings are turned off by the child;
- provide age-appropriate communications so children using your game can understand what is going on (and whether it is time to involve a parent/carer); and
- provide tools that help children with their data when they need it so, for example, they can download or delete it if they choose to.
The ICO also recommends attempting to ascertain the age of players where possible by asking them, introducing age checks or providing a high-privacy service by default, and doing so while still considering what impact gathering that data could have on a child.