The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

A blog by Jacob Ohrvik-Stott, Principal Policy Adviser

24 May 2021

On 18 March 2021, the ICO’s Children’s Code team joined Square Enix – the international gaming company behind titles including Final Fantasy and Tomb Raider – for a hands-on workshop exploring the Children’s Code harms framework.

The framework is a flexible tool for identifying data-related risks to children that you need to consider under the Children’s Code. Its aim is to support online services to place children’s best interests at the heart of their services. It provides an important platform for organisations to complete their data protection impact assessment – a cornerstone of data protection compliance and obligatory for everyone that falls under the code.

This blog discusses Square Enix’s journey through the framework, to show how you can practically apply it and to bring it to life for others who are considering using it.

The following sections focus on one illustrative example of how online services can map children’s data, identify associated risks and consider their implications for children’s rights and freedoms.

Step one: Mapping children’s data journeys

You can’t reach a good understanding of risks without an even better understanding of data. You build the foundations for using the framework through a detailed mapping exercise that answers questions, including:

  • How, where and what children’s data do you process?
  • For what purpose are you using this data, and what is the legal basis for this?
  • What age ranges of child users should you consider?
  • What are the purposes and legal bases of using data in these ways?
  • Where are the key associated privacy choices and user experiences?

Workshop participants reflected on these questions to develop a hypothetical online service map, drawing inspiration from their own experiences of developing and commercialising games around the globe.

One breakout group’s hypothetical map covered common activities such as game piloting, in-game analytics, age assurance, member registration and in-game advertising.

It’s worth noting the importance of including data processing that some may class as “low-risk”. Activities that, at first glance, seem benign can carry higher risks upon further scrutiny when placed in context. Services falling under the code need to document all data processing to complete their data protection impact assessment in any case.

Step two: Reflecting on risks and children’s rights

Once you create a children's data map, the framework supports structured assessment and discussion on risks that are inherent across its features.

It does so by grouping together data-related harms relevant to the Children’s Code and connecting these harms to exemplar risky activities. These activities span common online service practices such as targeted advertising, content delivery, profiling and privacy policies.

Zooming in on the hypothetical example of in-game advertising, participants foresaw potential harms across a range of areas. In a scenario where the advertising “purchase funnel” leads users to other parts of the web beyond the gaming service, there is scope for organisations to use children’s data to target them with age-inappropriate products and content. The use of profiling based on purchase and in-game micro-transactions can create risks of financial loss, where children lack the economic literacy to understand the commercial relationships between their data, the service and profiled marketing. Participants highlighted how this loss could also extend to parents, if their credit cards fall into children’s hands without appropriate in-service checks.

The code states that online services must consider the impact of using data on children’s fundamental rights and freedoms, balancing risks with considerations of how these rights are positively supported. The Children’s Code harms framework supports online services to make this balancing assessment, and to ultimately ensure that they realise the code’s vision to place the best interests of children at the heart of online services.

Over the coming months we will be working to translate the framework into an interactive tool, and developing further guidance that supports you to act upon the framework’s outputs, gauge risk levels, and assess whether your online services use of children’s data is in their best interests.

For more information on the Children’s Code harms framework, or to discuss the code and associated industry support, email childrenscode@ico.org.uk.

Jacob Ohrvik-Stott is a Principal Policy Adviser at the ICO.