Road blocks to Roblox? New data protection guidance for game developers

27 February 2023

Last week, the Information Commissioner’s Office (the ICO) published new guidance for video game developers on protecting children. This follows an audit of game design companies, which aimed to identify steps that developers can take to comply with the Children’s Code. According to the ICO, 93% of children in the UK now play video games, with younger children playing on average for two to three hours a day and older children averaging over three hours a day. The aim of the guidance is to help developers ensure that games are being developed in accordance with the Children’s Code (which we have previously covered here) and data protection laws more generally.

The key themes from the guidance are as follows:

  • age verification: identify whether players are under 18 years of age with a reasonable level of certainty, investigate and incorporate age assurance solutions and discourage false declarations of age;
  • acting transparently: research and trial child friendly privacy information with different age groups, provide age or ability appropriate privacy information for children and design different ways of communicating privacy information (e.g. simple videos or graphics, in-game pop up messages etc);
    avoiding detrimental use of children’s personal data: 
    • review the game’s potential appeal to children at every stage of the design process and ensure that the game is not going to be detrimental to the health and well being of children (e.g. developers should consider things like check points, automatic saving or rest points to encourage children to take breaks after extended play); and
    • ensure that all optional uses of personal data are turned off by default, introduce high privacy settings and parental controls (e.g. developers could send alerts to parents if a children is accessing inappropriate content), and ensure that all behavioural marketing and profiling is turned off; and
  • don’t push FOMO: avoid “nudge” techniques which prompt children to make poor privacy decisions (e.g. time-limited offers, “one-time-only” offers and communications via social media which might encourage young children to set up a social media account). Instead, ensure nudge techniques are designed to benefit children – for example, by encouraging high privacy settings.

The above reflects the desire for the ICO to prevent children from being pressured to supply too much personal data and to prevent game developers from using children’s personal data in a detrimental manner. Leanne Doherty of the ICO has acknowledged that “Gaming plays a central part in so many young people’s lives, and the community and interaction around games can be a child’s first steps into the digital world…The Children’s Code makes clear that children are not like adults online, and their data needs greater protection.

The ICO is offering developers an opportunity to volunteer for an audit to assess their privacy practices and compliance with the guidance, which has been well received in other sectors in the past (e.g. the charity sector).

The new guidance is a reminder for video game developers of the particular considerations that apply when developing not only games that are specifically designed for and marketed to children but all games which might appeal to children. Developers should consider whether their approach to the design, monetisation and promotion of games would benefit from any changes in light of the latest guidance.