Triangular chairs with a gleam of sun rays shining through.

ICO publishes guidance on compliance of game design with the Children’s Code

Published on 31 March 2023

The question

What steps can game designers take to ensure their games comply with the Children’s Code?

The key takeaway

You must regularly assess whether under-18s are likely to play your games and be sufficiently certain on the range of players’ ages. If children are likely to play, even if the game is not targeted to them, you should consider whether your data processing and privacy settings can sufficiently safeguard their interests.

The background

The Data Protection Act 2018 included provisions to protect and safeguard children when they use the internet. The Information Commissioner’s Office (ICO), as the regulator, was tasked with producing guidance for organisations offering online services that children may be likely to access to set the standards for digital privacy and data processing.

The Children’s Code (previously called the Age Appropriate Design Code) (the Code) fulfils this mandate. It establishes 15 standards of “age-appropriate design” with the aim of creating an open, transparent and safe online experience for young users. The Code entered into full force on 2 September 2021.

The Code applies to “information society services likely to be accessed by children”. In practice, this means the Code extends to search engines, social media platforms, online marketplaces, online games and most other for-profit online services that are used by under-18s.

The development

The ICO conducted a focused audit of the gaming sector to assess how the Code is being applied. Following this exercise, the ICO has published the following recommendations for game designers to ensure the Code is complied with:

1.    Understand the risks for your games

  • Assess and document the potential for games that you design to appeal to under-18s. The ICO warns that even if a game is not intended for children, this does not mean they will not play it.
  • Continue to conduct risk assessments after the game has been published. It should be an ongoing process to detect new risks or unexpected age groups of players once a game has launched.
  • Engage with external stakeholders, including children, when conducting risk assessments. You could consult existing players and relevant children’s rights groups, or launch a public consultation.
  • Randomised rewards, such as loot boxes, should be a particular focus in assessments. In July 2022, the UK Government’s call for evidence found “robust evidence” for a potential association between loot boxes and problem gambling behaviours.
  • Once you are clear on the risks, consider if you need to tailor in-game content or data processing.


2.    Ascertain and be assured of players’ ages


  • Consider how to identify under 18’s and determine their age with sufficient certainty.
  • Informed by your risk assessments, implement suitable age assurance tools across your full portfolio of games, stores or platforms. The ICO says this should be done as quickly as possible.
  • Discourage and prevent players from lying about their age. The ICO suggests one method of allowing access to a data-free core of the game until parental consent is confirmed. Alternatively, the game could have a cooldown period to prevent players returning to provide a different birthdate in a specified time frame.


3.    Be transparent with players’ data privacy


  • Communicate privacy information in ways that are appropriate for different player age ranges. The ICO suggests having age-appropriate video explanations, “mission-style” storylines or in-game messages.
  • The ICO also suggests potentially displaying the information according to gaming ability (eg novice, intermediate and expert), rather than age.


4.    Take care with data processing and profiling


  • The default option for all optional uses of personal data must be turned off unless and until valid consent is obtained from the player (or their parent or guardian for players under 13). This includes personalised product recommendations and offers.
  • Clearly separate the opt-in consent for marketing from accepting the Terms of Service and Privacy Policy. Otherwise players may think they have no choice but to consent to marketing, which would breach the transparency principle.
  • Encourage children to ask a trusted adult for help and only accept profiling if they understand how it uses their personal data. Profiling for marketing purposes must be turned off by default.
  • Ensure any third-party advertising in-game is only showing age-appropriate content. If the game has community servers, control and monitor product placement and advertisements within those servers.


5. Consider utilising parental controls and high privacy settings


  • Consider the option for real-time alerts for parents or guardians. For example, if their child tries to access “riskier” in-game content or if they encounter something inappropriate. If such tools are used, the child should be notified in an age-appropriate way.
  • Allow players to control who contacts them. Turn off voice chat functionality by default for young users. Allow them to permanently turn on “do not disturb” mode and prevent communications from all other players. Communications could also be limited to only come from other young users, combined with measures to scope out adult players posing as under-18s.
  • Allow players to control what personal data is visible to others. The ICO gives the example of allowing players to hide their username so they cannot be searched for.
  • When players try to alter privacy settings, have age-appropriate messaging before allowing the change to take effect. Settings could also be “gamified” to match the in-game theme to maximise young player engagement. The ICO says the messaging should be specific to each individual privacy setting and informative of the risks associated with lowering that particular setting.


6.    Use nudges to support your compliance


  • Use positive nudges to promote children’s best interests. The ICO recommends defaulting and nudging towards high privacy settings, use of parental controls and taking regular breaks by including checkpoints or natural breaks in gameplay.
  • The ICO strongly warns against using nudges to encourage poor decision making. There should be risk assessments for the use of time-limited offers on items which are targeted at young players. Instead, use neutral designs for “purchase” buttons so players feel able to change their minds before proceeding. Consider allowing reasonable cooling-off periods for refunds.
  • Monitor player behaviours and click-throughs to spot any unintended nudging effects, especially in relation to privacy settings.
  • Be careful with social media marketing and promotions which may require children to create social media accounts to unlock rewards. Be mindful of the age restrictions of such social media platforms relative to your players’ ages.

Why is this important?

The ICO can take enforcement action against organisations that do not comply with the Code. It has tools such as assessment notices, warnings and orders to stop processing data. For the most serious of breaches, the ICO can impose fines of up to £17.5m or 4% of an organisation’s annual worldwide turnover, whichever is greater.

The Online Safety Bill, a new legislative regime to protect children and adults online, is currently being debated in Parliament. The strength of safeguards for children accessing the internet is a hot topic and will be at the forefront of the ICO’s mind.

Any practical tips?

Following the ICO’s guidance, we recommend that game designers:

  • Clearly and comprehensively document the process and outcome of risk assessments, engagement with stakeholders and processing and privacy decisions. A data protection impact assessment should set out your assessment of whether children are likely to access the games, such players’ ages and steps taken to comply with the Code.
  • Consult the ICO’s age-appropriate design resources which contains worked examples of age-appropriate messaging.
  • Evaluate your existing age-assurance tools across all services. Consider if they can ascertain age with sufficient certainty and discourage false declarations of birthdates. If you do not already have these tools in place, they should be implemented as a priority.
  • Consider running player research or consulting with children’s rights groups to identify communication styles and tones that are most effective at communicating privacy and data protection issues to different age ranges.
  • Survey how many young users are engaging with your higher privacy settings. Think about “gamifying” or aligning these settings with the in-game theme to maximise their appeal.

Spring 2023