Control measure: Children are not led or encouraged to provide unnecessary personal information or turn off privacy protections.
Risk: Using techniques based on the exploitation of human psychological bias in this way goes against the ‘fairness’ and ‘transparency’ provisions of the UK GDPR, as well as the child-specific considerations set out in recital 38. This may breach article 5(1)(a) and recital 38 of the UK GDPR.
Ways to meet our expectations:
- Ensure design features do not lead or encourage children to follow your designer’s preferred paths, prompt them to disclose additional personal information, or turn off privacy settings.
- Ensure the language you use to explain the outcomes of two alternatives is not framed more positively for one alternative than for the other.
- Check that the online service does not make one option much less cumbersome or time consuming than the alternative, therefore encouraging children to just take the easy option.
- Avoid exploiting unconscious psychological processes (eg associations between certain colours or imagery and positive outcomes, or human affirmation needs).
Options to consider:
- Review the user journey of your online service to ensure children aren’t accidentally nudged to follow a particular design path or lower privacy protections.
- Complete user testing or monitor user activity to check children aren’t accidentally presented with a preferred option or follow a particular pattern.
Control measure: There is evidence that positive nudge techniques are deployed towards high privacy options, wellbeing enhancing behaviours and parental controls.
Risk: Without the use of positive nudge techniques, there is a risk that children may not be encouraged to make positive choices or feel supported to retain high privacy settings when using the service. This may breach article 5(1)(a) and recital 38 of the UK GDPR.
Ways to meet our expectations:
- Implement techniques to positively nudge children towards supportive resources or provide tools (eg pause and save buttons).
- Conduct an independent assessment or user testing to confirm that your service does not accidentally nudge children down one path or route over another.
- Build clearly assigned points into your service where children are actively encouraged to speak to or seek the consent from their parents (or a responsible adult).
- Include signposted or displayed encouragements for children to take a break from play or use.
Options to consider:
- Introduce positive nudges for key risk areas (eg to encourage children towards high privacy settings, sensible purchasing of in-service items, and pro-wellbeing behaviours).
- Use moderation warning messages and alerts to educate children by re-explaining community rules, informing them exactly how they violated rules, and suggesting more positive behaviours.
Control measure: There has been a consideration of the impact of using dark nudge technologies to encourage desired behaviour or actions from children within the service for commercial benefit (eg in-game purchases).
Risk: If there has been no consideration of these techniques, there is a higher risk of exploitation of human psychological bias which goes against the fairness and transparency provisions of the UK GDPR. This may breach article 5(1)(a) and recital 38 of the UK GDPR.
Ways to meet our expectations:
- Ensure children are not manipulated into making quick or rash decisions or purchases by being presented with a 'count down' offer or time expiring offer.
- Avoid presenting in-app purchases in a way that makes them appear as one-time-only offers or necessary purchases in order to progress in the game.
- Ensure product badges, smart notifications and product recommendations are appropriate for the age of the child and are not used in an excessive way on children using the service.
- Implement appropriate controls over any 'loot boxes' you use. Keep their use to a minimum and ensure they disclose the odds of receiving each type of item before purchase.
- Ensure behavioural and psychographic information on children that you collect as a result of dark nudge techniques is collected lawfully. Avoid repurposing the information in a way that will mentally or physically harm the child, or for a different purpose (eg marketing new unrelated products or services).
- Consider the risks to children for any nudge techniques within your service in all your design decisions and DPIAs.
- Give children and parents the option to turn off in-app purchases, or behavioural advertising within the service, or reserve these options for a designated area behind a parental gate.
Options to consider:
- Assess the risks of providing children with multiple or frequent entry points to paid features.
- Require a parent or guardian to enable loot boxes, if you are using them.
- Assess the risks of excessive advertising or over-commercialisation to children within your online service.
- Assess the risks of sending large volumes of push notifications that might encourage excessive engagement.