Children now spend a lot of time playing games online, but the gaming industry has received less scrutiny than social media or streaming platforms over privacy concerns. As gaming grows, the scale of user vulnerability increases as well. Many young people do not understand the data risks posed by online games. Luckily, privacy regulators are increasingly focusing efforts toward protecting children’s safety and autonomy online.
Young people enjoy online games because they allow for play, learning and socialization. Parents express concerns about the amount of time spent gaming, but research is only just emerging about the impacts. A recent study from the Oxford Internet Institute on gamers 18 and older found that time spent playing video games had “little to no” effect on well-being. Its authors pointed to the need for further research, which would presumably include investigations into mental health outcomes for gamers younger than 18.
The gaming experience often encourages children to unknowingly exchange personal information for “free” access to benefits. Minors who play mobile application games face different data risks from peers who play personal computer or console games. The PC and console side of the gaming industry is dominated by large and long-standing companies. Industry leaders such as Sony, Microsoft and Nintendo have established privacy programs and understand the risks that attend abuses of personal data. The mobile gaming sector has many new and small companies that lack internal privacy resources and may not follow data protection principles. As a result, regulators have turned their attention to online gaming, a quickly growing sector that frequently markets digital products to young people. The discussion below addresses some key privacy issues with children gaming online as well as emergent policy solutions.
Risks for game developers and children
Gaming companies will face significant legal and business risks if they treat all players in the same way. Age-assurance processes help them manage the risks posed to children and their personal information in the online gaming environment. Many jurisdictions, and the UN Convention on the Rights of the Child, define a child as anyone under the age of 18. That segment of the population has unique vulnerabilities and, therefore, deserves special accommodations and enhanced protections.
Age assurance should not be seen as a silver bullet or as a sufficient protection unto itself. It will only work effectively as part of a wider privacy-by-design approach. Age assurance has the strength of flexibility compared with the related process of age verification. The former gives a greater choice of solutions for risk mitigation; the latter sometimes imposes disproportionate measures. Age-assurance processes include age verification or self-declaration. If the data protection risk profile for children is low in certain situations, then age-assurance requirements can become less than onerous, even unnecessary. When risks for children are high, companies must implement effective risk mitigation around personal data use in online gaming.
No standard process for identifying adult versus child users has emerged. Debates continue over whether such measures would provide reliable protections or adversely impact privacy. In some circumstances, the collection of additional personal information could add to children’s risk of online harms. Some youth advocates worry that “flagging” an underaged user may draw the attention of predatory actors just as reliably as it would trigger protective controls.
We believe that proportionate and risk-based requirements for age assurance are necessary and inevitable, despite challenges. Policy reality and government intentions point in that direction. Before the internet can become a safe place for children, systems and services will have to demonstrate how they provide an age-appropriate environment for child gamers. Knowing the age of users is a key component in creating a safe online experience. Age-assurance processes should support fun, exploration, and socialization while establishing high-privacy settings by default. The aim should not be to keep children away from online gaming; instead, we must work to ensure they remain safe and feel empowered.
Age-assurance requirements now appear in international standards, in legislation, and in regulatory codes and guidance. For example:
• The U.K. Information Commissioner’s Office Age Appropriate Design Code demands a risk-based approach to assessing the age of individual users. Companies must ensure that their online services effectively apply the standards in this code to child users. It gives a choice: either establish age with a level of certainty proportionate to the risks that arise from processing children’s data or apply the code’s standards to all users.
• The OECD Recommendation on Children in the Digital Environment was adopted in 2021, and the accompanying Digital Service Provider Guidelines also focus on this issue. They require service providers to “regularly take steps necessary to prevent children from accessing services and content that should not be accessible to them, and that could be detrimental to their health and well-being or undermine any of their rights.”
• The EU Digital Services Act, agreed to in April 2022, requires providers of online platforms that are accessible to minors to put in place appropriate measures for ensuring a high level of privacy, safety and security for minors accessing their services.
• Currently before the U.K.’s House of Commons, the Online Safety Bill proposes a safety duty that will require proportionate systems and processes designed to prevent children of any age from encountering content that is harmful to children.
European currents that move toward comprehensive protections for children online have now washed up on the United States’ shores. The U.S.’s most populous state recently passed the California Age-Appropriate Design Code Act, which follows in the wake of similar guardrails and requirements now enshrined in British law. An August 2022 article in The New York Times speculated the legislation “could herald a shift in the way lawmakers regulate the tech industry” more broadly. The article reflects the fact that regional and national laws tend to affect the way major tech companies operate across the board, in part because of the amount of effort required to implement different treatments of users based on geographic location or age.
A privacy-by-design approach to game development will have to consider many issues beyond age assurance. Once a gaming company has identified a young user, how will it inform that person of their privacy rights? How can children easily understand how their data is used? What controls or settings will be presented? Online games often hide privacy settings, making it difficult for even relatively sophisticated users to exercise control over their personal information.
Game developers may feel that presenting boilerplate privacy declarations will spoil all the fun. But when they do not provide age-appropriate and timely information about data collection, developers place themselves in an asymmetrical relationship to gamers. Users of any age deserve to know whether personal information will be shared with third parties and how one service links up with other digital platforms — via sign-in partners like Google or Facebook, for example. Understanding data collection enacted by mobile gaming companies seems especially important, because they often record sensitive information including geolocation and close contacts from the mobile device. Policymakers and game developers must struggle with a challenging question: Can an underaged player consent to broad uses of their data?
Gameplay itself sometimes leads to unfair use of personal information. Many games follow users’ behaviors and give them nudges that encourage prolonged engagement with the digital environment. Personal information collected can be used to curate highly targeted in-game advertisements. Further, companies sometimes use personal information to foster offline connections between players. And that can lead to contact risks for young people. Gamers who reveal behavioral patterns and personal data may be manipulated into making particular social connections or purchases that stock their avatars’ “loot boxes” with attractive, in-game features.
In that regard, policy experts have debated the gray area where gaming and gambling overlap. Online games allow young users to compile assets, then spend digital tokens or actual currency. Such activities can be addictive, so regulations must play a role in managing the relationship between developers and gamers. Some of these issues stretch beyond data protection but must not fall into a regulatory gap.
Regulatory solutions
The regulatory environment for online gaming companies places them squarely in the crosshairs of data protection authorities. The U.K. ICO has issued statutory guidance in its Age Appropriate Design Code. That landmark guidance will enable companies to take practical steps toward protecting children’s privacy. It also helps them prepare for future online safety legislation. And the ICO has recently engaged widely across the online gaming sector with respect to Children’s Code conformance. Emergent principles and best practices that will need to work with future gaming innovations include data minimization, privacy by design, responsible governance and risk-based treatment of young users.
Game developers already have expertise in crafting user experiences that make their products intuitive, interactive and exciting for kids. The industry must now apply that expertise to work for privacy. In the U.K., the ICO will demand evidence of effective and principled design. To prepare for possible investigations, game developers must document their decisions in that regard. Companies must show that concerns over children’s privacy are understood and acted upon. Regulators will place the onus for responsible uses of data on service providers rather than users. To that end, default settings should set a high bar for privacy.
Regulatory authorities seem to be catching up to the online gaming industry, which has largely avoided the intense scrutiny social media platforms receive. But the gaming sector represents a moving target. We already see what gamers might call “boss-level” challenges on the horizon. Advances in Virtual Reality and the emergence of the metaverse make games increasingly immersive. Immersive play exposes unprecedented volumes of information about gamers, their connections and their vulnerabilities to manipulation. Data protection principles still guide the regulation of new online gaming services, although further guidance will be needed in light of developments such as the metaverse. An excellent article by Notarize Data Protection Officer Gary Weingarden, CIPP/A, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPM, CIPT, FIP, PLS, and Deutsche Bank Senior Counsel Matthias Artzt, CIPP/E, sets out how data protection will apply in this virtual context.
The rate of change in online gaming is frenetic and has, to date, largely outpaced enforcement. And yet, across the board, regulators’ postures and signals from governments indicate that present and future laws will place an increasingly rigorous set of risk-based requirements on companies that gather and exploit children’s personal information. These requirements must be practical, and take account of all the benefits and risks related to online gaming. And they must grow from trustworthy evidence about how we can effectively protect and enable safe exploration in the realm of online gaming. Let the children play — safely.