31 July 2020
Download - August 2020 – 3 of 6 Insights
After a few months of delay, the Age Appropriate Design Code (AADC) has effectively been approved by Parliament. The AADC contains guidance on standards of age-appropriate design for information society services likely to be accessed by children. As such, it impacts video games which are played over or downloaded from the internet (where data such as user scores are relayed back) and, therefore, on games developers, publishers and online gaming platform operators.
There will be a 12-month implementation period after which the UK's data protection regulator, the Information Commissioner's Office (ICO), will start to consider the AADC when enforcing the GDPR in relevant matters involving children's data.
For many organisations, a year will be easily sufficient to enable them to consider and respond to the AADCs requirements, but for others it will be a significant challenge – particularly those who offer services that are not designed for children but are still likely to be accessed by them. Digital gaming products are often designed to appeal to under-18s and, of those games designed for an older customer base, most will still have some appeal to older children.
The AADC contains 15 interconnecting provisions that set out the requirements online services must meet to make their services suitable for children. Topics range from data minimisation to connected toys. When in force, the AADC will sit alongside the GDPR and the Data Protection Act 2018 (DPA18), to provide structure and detailed guidance to service data privacy compliance efforts, as well as standards for the regulator to consider when determining the fairness or otherwise of processing activities. The guidance provides standards of age-appropriate design for digital services likely to be accessed by children, not just sites actively targeting children.
Games developers, publishers and platform operators will need to work out what age range to pitch to. This impacts not only the policies and privacy notices but also the design and functionality of whole platforms, sites, apps and games. Structuring sites so that different age groups have a different experience is an option, but one only available as a result of significant profiling and additional data processing, which causes its own privacy challenges. If a one size fits all approach is preferred, the needs of younger users will have to take precedence. Many businesses may risk non-compliance rather than aiming to meet the needs of the youngest users.
The AADC refers to services "likely to be accessed by children" and "likely to be used by under-18's". The ICO says that "likely" means the possibility of access by children is "more probable than not" but does the AADC apply if it's more probable than not that an occasional child may access the service, or where a very small proportion of a site's users are under 18 but the site has millions of users? Even in these situations, it is likely that the site will be caught by the requirements of the AADC. When it comes to online gaming, the assumption should be that, other than those games that are actively restricted to over-18s (for which age-verification tools are essential), any game is likely to be accessed by older teenagers; only very clear demographic evidence to the contrary should be accepted to avoid the impact of the AADC
In some respects, the AADC arguably goes beyond the remit that was set for it in the DPA18. It asks service providers to consider issues such as the need for screen breaks and general user welfare (avoidance of online grooming, sticky or nudge techniques and peer pressure) that are not directly related to privacy – eg not necessarily just encouraging users to share data or lower privacy standards but encouraging longer gameplay from users. For businesses of all types this will be a largely unwelcome development, but for many in the games sector it represents a fundamental attack on the business model which encourages users to make a significant time commitment as part of gameplay. Rewarding users for playing for longer will become unacceptable under the AADC, even if it is not accompanied by a direct impact on user privacy.
The AADC attempts to balance the interests of children with the need to protect them but in practice this can be a big challenge. The AADC recognises the importance of parental support and supervision but those trying to implement it are also bound to respect the privacy rights that children have against their parents. It is also important to remember that as many children are spending significant periods of time online, they may well be far more technologically and indeed privacy aware than their parents, even from a relatively young age.
This challenge must be met with careful planning and thorough impact assessments. If parental controls are deployed, there should not be an automatic assumption that all content will be made available, particularly where children's data is inextricably linked with that of a third party. Chat content in multiplayer games is often rich in personal data and young people often use online games as a forum to discuss personal issues. Children, and particularly older children, have a right to expect that such chat will not be shared with anyone (other than with the authorities in serious safeguarding cases). Any degree of parental oversight permitted should be very clearly flagged to users – they must always know if they are being monitored.
As the AADC encourages verification of the ages of younger users, operators may find that their new or revised processes around age verification can lead to further privacy risks. The need to treat all users as if they were children by default is likely to lead to some services restricting access which will impede the freedom of assembly and communication of children in unanticipated ways. It is also likely that we will see a growth in the use of age verification techniques, many of which require the collection of additional personal data to determine a user's age in a way that runs counter to data minimisation goals and inevitably leads to larger and more detailed volumes of information being processed and at risk from cyberattack. Even if a data privacy impact assessment has previously been conducted, the implementation of the AADC presents a good opportunity for an operator to refresh its work in this area.
The most basic and overarching requirement of the AADC is the first of the 15 standards: the requirement to always act in the best interests of the child. At first glance this seems innocuous. Most organisations would argue that they are not acting against the interests of their customers, in the case of the games sector, the interest that the user has in enjoying a game is aligned with the publisher or operator's profit motive. However, the requirement to act in a user's best interest goes much further than an obligation not to do them harm; it creates a requirement to second guess a user's choices and wishes, even if not obviously harmful and even where that conflicts with commercial interests. Such requirements are not without precedent, gambling companies have long been required to take action to protect users with suspected addiction problems but an obligation to put the interests of the user first in every respect goes much further.
The implications of the best interests requirement will only be known once the ICO's further guidance is published and enforcement actions begin. In the meantime, developers, publishers and platform operators conducting risk assessments and reviewing their privacy operations in light of the AADC should treat it as a mantra; whatever the issue, the interests of the child must always take precedence.
by Jo Joyce