23 November 2020
TW Play – 2 of 9 Insights
When the UK Data Protection Act was passed by Parliament in 2018, it included requirements for the UK data regulator, the Information Commissioner's Office (ICO), to prepare a series of Codes to help organisations better understand their privacy obligations in certain complex areas.
In September 2020 one of those statutory codes, governing the use of children's data by digital service providers in certain contexts, was approved by Parliament. The Age Appropriate Design Code, known as the Children's Code, will have a 12-month implementation period. From 2 September 2021, the ICO and the Courts will consider the Children's Code when determining whether an organisation has breached its obligations under UK privacy law (including the UK GDPR).
The Children's Code provides standards of age-appropriate design for digital services likely to be accessed by children, not just sites actively targeting children. It contains 15 interconnecting provisions that set out the requirements online services must meet to make their services suitable for children. The Code applies to the processing of personal data belonging to individuals under 18 in the context of information society services. When in force, the Children's Code will provide structure and detailed guidance to service operators' data privacy compliance efforts, as well as standards for the regulator to consider when determining the fairness or otherwise of processing activities.
The restriction of the application of the Children's Code to information society services is particularly important for the games industry, because it will apply to some but not all forms of gaming. Information society services are those normally provided for remuneration at a distance by electronic means at the individual request of the recipient of the services. This means that the scope of the Children's Code extends to online and connected gaming but not generally offline games using consoles at home and downloaded games where no internet connection is required to play.
For many businesses the effort required to meet the Code's requirements will be minimal, but for others it will be a significant challenge – particularly for those which offer services that are not designed for children but are still likely to be accessed by them. Online gaming products are often designed to appeal to under-18s and, of those games designed for an older customer base, most will still have some appeal to older children.
Games providers with online services who do not, or cannot, adopt a zero data approach will need to work out what age range to pitch to. This impacts not only the policies and privacy notices but also the design and functionality of whole platforms, sites, apps and games. Structuring sites so that different age groups have a different experience is an option, but one only available as a result of significant profiling and additional data processing, which causes its own privacy challenges. If a one-size-fits-all approach is preferred, the needs of younger users will have to take precedence. Some operators may prefer non-compliance rather than aiming to meet the needs of the youngest users, but this is a high-risk approach.
The Children's Code refers to services "likely to be accessed by children" and "likely to be used by under-18s". The ICO says that "likely" means the possibility of access by children is "more probable than not" but it has not yet confirmed whether the Code will apply if an occasional child may access the service or where a very small proportion of a site's users are under 18. Even in these situations, it is likely that the site will be caught by the requirements of the Code. When it comes to gaming, the assumption should be that, other than those games that are actively restricted to over 18s (for which age-verification tools are essential), any game is likely to be accessed by older teenagers; only very clear demographic evidence to the contrary should be accepted to avoid the impact of the Code.
In some respects the Code arguably goes beyond the remit that was set for it by Parliament. It asks service providers to consider issues such as the need for screen breaks and general user welfare (avoidance of online grooming, sticky or nudge techniques and peer pressure) that are not directly related to privacy, e.g. techniques that do not necessarily encourage users to share data or lower privacy standards but do encourage longer gameplay. For businesses of all types this will be a largely unwelcome development, but for many operators in the gaming sector it represents a fundamental attack on the business model, which encourages users to make a significant time commitment as part of gameplay. Rewarding online users for playing for longer may become unacceptable under the Code, even if it is not accompanied by a direct impact on user privacy.
The Code attempts to balance the interests of children with the need to protect them but in practice this can be a big challenge. The Code recognises the importance of parental support and supervision but those trying to implement it are also bound to respect the privacy rights that children have against their parents. It is also important to remember that as many children are spending significant periods of time online they may well be far more technologically and indeed privacy aware than their parents, even from a relatively young age.
For games operators this challenge must be met with careful planning and thorough impact assessments. If parental controls are deployed there should not be an automatic assumption that all content will be made available to them, particularly where children's data is inextricably linked with that of a third party. Chat content in multiplayer games is often rich in personal data and young people often use online gaming as a forum to discuss personal issues. Children, and particularly older children, have a right to expect that such chat will not be shared with anyone by the games operator (other than with the authorities in serious safeguarding cases). Any degree of parental oversight permitted should be very clearly flagged to users – they must always know if they are being monitored.
Unlike many sectors, the games industry is experienced in managing age verification processes but as the Code encourages verification of the ages of younger users, operators may find that their new or revised processes around age verification can lead to further privacy risks. The need to treat all users as if they were children by default is likely to lead to some services restricting access which will impede the freedom of assembly and communication of children in unanticipated ways. It is also likely that we will see a growth in the use of data verification techniques, many of which require the collection of additional personal data to determine a user's age in a way that runs counter to data minimisation goals and inevitably leads to larger and more detailed volumes of information being processed and at risk from cyberattack. Even if a data privacy impact assessment has previously been conducted, the implementation of the Code presents a good opportunity for an operator to refresh its work in this area.
The most basic and overarching requirement of the Code is the first of the fifteen standards – the requirement to always act in the best interests of the child. At first glance this seems fairly innocuous. Most organisations would argue that they are not acting against the interests of their customers and, in the case of the gaming sector, the interest that the user has in enjoying a game is aligned with the operator's profit motive. However, the requirement to act in a user's best interest goes much further than an obligation not to do them harm; it creates a requirement to second-guess a user's choices and wishes, even if not obviously harmful and even where that conflicts with the commercial interests of the operator. Such requirements are not without precedent: gambling companies have long been required to take action to protect users with suspected addiction problems, but an obligation to put the interests of the user first in every respect goes much further.
The implications of the best interests requirement will only be known once the ICO's further guidance is published and enforcement actions begin. In the meantime, operators conducting risk assessments and reviewing their privacy operations in light of the Children's Code should treat it as a mantra: whatever the issue, the interests of the child must always take precedence.
It is important to view the Children's Code as merely one element of the current trend to protect consumers of all ages from online harm. The Code addresses specific issues relating to a limited age group but it sits in the context of broader EU and UK attempts to address online safety. Both the European Union and the UK government have been actively planning greater regulation to protect individuals from violent, offensive, and otherwise problematic online content. These plans are likely to put greater pressure on platforms and digital operators in general but will include specific requirements in respect of child safety that will supplement and complement the initial step that is the Children's Code.
by Jo Joyce
by Graham Hann