Describe the nature of the processing: how will you collect, use, store and delete data? What are the sources of the data? Will you be sharing data with anyone? You might find it useful to refer to a flow diagram or other way of describing data flows. What types of processing identified as likely high risk are involved? Does your service involve any profiling, automated decision-making, or geolocation elements? What are your plans (if any) for age-assurance? What are your plans (if any) for parental controls?
Helpful hint: You may find it helpful to consult your privacy notice or Record of Processing Activities (ROPA) which may contain some of the information required for this section. You might also find it helpful to see the ICO’s guidance on ROPAs.
What data we collect and how
In the game, children act as ‘chefs’ and have to pull together ingredients from two conveyor belts. Each ingredient is assigned a number, and children have to select the ingredients that will make the value shown on the empty plate of the customer they are serving. For example, the customer’s plate says five and the player is told the function is addition, so they have to select two ingredients with values that add up to five (ie two and three). The numbers may be positive or negative and some ingredients can also be maths functions such as multipliers or dividers. If children miss ingredients, those ingredients fall into the trash, and too many lost ingredients trigger a fail condition.
Throughout the game, the player competes against a non-player character (NPC) rival. The NPC animation shows them working off-screen and gaining a score through those unseen actions. The NPC’s score is based on weighted average data from other players.
The theme of the restaurant will change every month. For example, dinosaur theme with characters, background and ingredients being dinosaur related; farm animal theme with the player as a farmer, the customers as pigs, cows etc.
Players build up scores per theme based on accuracy, speed and number of orders fulfilled. When the gameplay ends, the player is shown:
- their score;
- comparison against the NPC score;
- highlighted information if they have beaten their previous score for that theme or across all themes; and
- their rewards, which are achievement badges or the option to share their success with friends.
The app includes social features that allow players to share their progress: a three second animation of their gameplay, their score (against the NPC), achievement badge(s) unlocked, and emoticons. The emoticons that players can access are a fixed selection by the game but will include variations and unique options tied into each theme the player has access to.
This share will go out only to the player’s ‘family circle’, who are specific players that have been approved by the parents. This parental lock will use the device requirements. For example, on iOS it will use Game Center, where parents can lock controls so that only they can approve users for their child to interact with. Note that we do not collect personal data related to the family circle. The app store will have personal data on the parent and the people that they accept linking to (this is the existing data they would have on any user on their platform, plus their standard parental controls). Therefore, we do not collect any specific or additional data.
Note: if the device does not have a similar system, then the social features will not be enabled in the game. In future, however, we may look to build our own parental lock system within the game and then consider expanding social features within this.
Players have the option to opt in to notifications which inform them regularly about daily challenges, events, promotions, new content and features and new themes. The controls for the notifications feature are within the platform level parent control function. This option is set as off-by-default when a user first starts using the app, and can be easily changed in the settings should the player choose to opt in.
The game has been designed with the age of users in mind. We have been careful to employ privacy by design features when considering the use of personal data in the advertising and monetisation ecosystem for online gaming. For Cooking Numbers, we have selected appropriately controlled forms of monetisation that protect the personal data of the children using the game:
- Rewarded video ads
  - Children have the option to watch ads to get temporary access to another theme (a theme which is not the theme of the current month).
  - We use an ad provider that specialises in serving ads which are suitable for children.
  - Ads are limited, so once a player has used an ad, they will not see another one for a fixed time period.
  - Ads clearly differentiate end of play and start of advertising.
  - Only ads and brands suitable for five to eight year olds are served.
  - The ads shown request or require no direct action from the player.
  - Ads are only served based on game-play. They are not contextual or triggered by specific user behaviour. The ad company knows the game where it is posting ads. The ads are not based on user behaviour, but are instead triggered by game-play data. Age appropriate ads are delivered in collaboration with SuperAwesome.
- In-app purchases
  - In-app purchases are for one purpose only – to purchase permanent access to a theme. This enables the player to have permanent access to that theme, regardless of whether it is the current theme of the month.
  - Each theme can be purchased for a one-time cost, which may vary per theme.
  - At certain times, promotions will be offered to encourage purchases (eg 50% off, as a limited-time offer).
  - A subscription option is available to give subscribers access to new themes before other players and to allow access to all released themes permanently (whilst they continue to be subscribed).
  - The subscription is a monthly fee.
Payments for subscriptions and in-app purchases are managed through the relevant app store payment system and are therefore subject to the parental controls of the relevant device being used.
We collect the following data from children’s use of the game:
- Performance or game-play data (eg when the app is launched or closed; time zone in which the player is located; when play starts or finishes; actions whilst playing; how or if ads are watched; how much of the tutorials is watched; details of purchases from the shop; scores achieved; choices made within the game).
- Device data (eg device type, version number).
- Date and time of presentation of privacy pop-up notices clicked off by children.
- History of gameplay, including social interactions.
The above data is anonymised so that it is no longer personal data relating to the child players. Limited access to the anonymised data, and the limited nature of the game-play data, results in a very low risk of potential re-identification.
We process the following data relating to parents or guardians:
- Date and time of presentation of privacy and terms.
- Names and contact details, if parents contact us to ask questions or raise issues.
- Details of questions or concerns, if parents contact us.
Guidance: Data minimisation helps you protect your users by collecting only the minimum amount of personal data you need to provide your services. See Standard 8 of the code – Data minimisation for help in how to meet this standard and give children choices over which elements of their data they wish to activate.
How we use data
- To make available to parents or guardians the history of their child’s game play, including social interactions.
- Apart from the above point, all data generated from game play is anonymised. It is used for:
  - the purposes of analytics;
  - making changes to the game;
  - making changes to the ads in the game;
  - making changes to the types of ads served in the game (eg game-play data identifies when a level is achieved or failed to trigger the delivery of an ad); and
  - improving the game and user experience.
- To administer and protect our business and app, eg system maintenance and support, fixing problems, hosting of data.
- To deliver app content.
Guidance: Data sharing usually means disclosing personal data to third parties outside your organisation. This DPIA outlines how children’s and parents’ data may be shared with external third parties. Standard 9 of the code – Data sharing advises:
“Do not disclose children’s data unless you can demonstrate a compelling reason to do so, taking account of the best interests of the child.”
The following third party providers are used:
- Storage and analytics provider – a third party platform is used to store performance data.
- Storage provider – a third party platform is used to store game data such as server-side held variables.
- Ad mediation provider – a third party service provider is used for user acquisition and advertising attribution. We have chosen an ad mediation partner that does not gather device ID data.
- AWS – hosts content from the game (eg character assets) that download into the game.
The above third parties act as processors of any personal data they process in their provision of their services to us. We have entered into Article 28(3) terms with these third parties. Third parties may also collect additional data that we do not have access to through the delivery of the service. For this data, the third-party organisations are also controllers of the personal data they collect.
Helpful hint: Indicate in your DPIA which third parties are also independent controllers. Insert a link to their privacy notices signposting readers to relevant further information.
You might find it helpful to review our guidance on controllers and processors.
We may also share data with our auditors and other professional advisors that act as independent controllers.
When users make in-app purchases or purchase subscriptions, this is handled by the relevant app store that will act as an independent controller. We do not share personal data with the app stores. Our privacy notice makes clear that the relevant app store (eg Google or Apple) is a separate data controller.
We do not carry out any profiling.
Parent overlay screen
On the first play of the game there will be a parent overlay screen that gives parents key information including:
- explaining that the game is gathering performance data for the purposes of making sure the game is working properly and to understand how users engage with the contextual advertising, and that this data is completely anonymised;
- explaining that the game doesn’t gather any other information on the player and that all billing and subscription information is held by the device platforms, not us;
- explaining the monetisation methods in the game and how they work;
- contact information to enable parents to contact us about any concerns or report any issues including accidental payments;
- easy access to device notifications;
- history of gameplay to date (importantly including social interactions).
The start screen of the game contains a ‘parent’ button which takes them to the Parent section, thereby encouraging children to involve parents in their use of the game. The information presented in the parent overlay screen is available in this section.
All payments are managed through the relevant app store payment system and are therefore subject to the parental controls of the relevant device being used.
Parents are able to control who children share their progress with in the game. The only social feature in the game is that players can share their progress (ie a three second animation of their gameplay, along with their score (against the NPC), achievement badge(s) unlocked and emoticons). Children can only share this with their family circle (ie specific players who have been approved by their parents). There is no opportunity for social interaction with user generated content.
The emoticons players can access are a fixed selection by the game but will include variations and unique options tied into each theme the player has access to.
The parental control and lock uses the device requirements. For example, on iOS it uses Game Center, where parents can lock controls so that only they can approve users for their child to interact with. If the device does not have a similar system, then the social features will not be enabled in the game.
Sharing history for the family circle is stored and accessible to the parent.
Guidance: For the purposes of the Children’s code, Standard 11 refers to how you make it clear to the child if parental controls are in place and if they are being tracked or monitored:
“If you provide parental controls, give the child age appropriate information about this. If your online service allows a parent or carer to monitor their child’s online activity or track their location, provide an obvious sign to the child when they are being monitored.”
Gaming companies might conform to Standard 11 by using child-friendly and age-appropriate avatars, symbols or pop-up messages (audio or written) to notify children when parental controls are monitoring their online behaviour.
We have taken the approach of applying standards for the target age group (five to eight) to all users. They will all receive basic protections in how their data is used by default. Therefore, we do not seek to determine the age of users or carry out any age assurance. This approach follows the principles outlined in the ICO’s Children’s code:
- provide high privacy settings for child users by default; and
- don’t serve children content deemed detrimental to their health and wellbeing.
Guidance: The Children’s code offers guidance to ISS on how to offer age-appropriate online services to children. See Standard 3 of the AADC – Age appropriate application for further information:
“Take a risk-based approach to recognising the age of individual users and ensure you effectively apply the standards in this code to child users. Either establish age with a level of certainty that is appropriate to the risks to the rights and freedoms of children that arise from your data processing, or apply the standards in this code to all your users instead.”
You might also find it helpful to review Annex B of the AADC - Age and developmental stages.
We use the following security measures on our app:
- We undertake an analysis of the risks presented by our processing and use this to assess the appropriate level of security we need to put in place.
- We use trusted, robust third-party platforms to support the game.
- We do not store credit card or personal information in human readable forms.
- We separate personal data from gameplay or operational data.
- We keep our third-party software up to date. Patches will be tested and checked before deployment.
- We use encryption, pseudonymisation or anonymisation, where it is appropriate to do so.
- We ensure that any data processor we use also implements appropriate technical and organisational measures.
- All data is regularly backed up.
- We conduct regular testing and reviews of our measures to ensure they remain effective, and act on the results of those tests where they highlight areas for improvement.
Helpful hint: You might find it helpful to consult your information or data security policy to assist you in providing information about security measures. You can see more information in our guidance on security.
We do not process geolocation data. This is switched off within the game with no option to turn on.
We do not carry out any automated decision-making.
Describe the scope of the processing: what is the nature of the data, and does it include special category or criminal offence data? How much data will you be collecting and using? How often? How long will you keep it? How many individuals are affected? What geographical area does it cover?
The nature of the data is as described above under the heading ‘What data we collect and how’. We do not process any other personal data. Nor do we process any special category or criminal offence data.
Volume of data
We have yet to launch the app but envisage between three and five million users in the first year.
Retention of data
We have a retention schedule which specifies storage periods for the limited categories of personal data which we process. These periods reflect relevant legal requirements and limitation periods applicable to contractual claims. Once retention periods have expired, we securely delete data and log deletions. The majority of data obtained from game play is anonymised so that it is no longer personal data and not subject to the limits on retention set out in the UK GDPR.
Helpful hint: You might find it helpful to consult your data retention policy or schedule to assist you in describing how you retain data.
The data subjects whose data we process are located in the UK and worldwide.
Describe the context of the processing: what is the nature of your service? Are you designing it for children? If not, are children under 18 likely to access it anyway? What is the likely age range of your users? How much control will they have? Would they understand and expect you to use their data in this way? Does your service use any nudge techniques? Are there prior concerns over similar services or particular security flaws? Is your service novel in any way? What is the current state of technology in this area? Are there any current issues of public concern that you should factor in, particularly over online risks to children? Are there any relevant industry standards, codes of practice or public guidance in this area? What responsibilities do you have under the applicable equality legislation for England, Scotland, Wales and Northern Ireland? Is there any relevant guidance or research on the development needs, wellbeing or capacity of children in the relevant age range? Are you signed up to any approved code of conduct or certification scheme (once any have been approved)?
Nature of service and users
Our service is a mobile app game aimed at children between five and eight years of age. It has therefore been designed with users of this age in mind, in particular collecting minimum amounts of personal data. It is a new game which has not yet been launched.
No nudge techniques are used to encourage children to change privacy settings, make in-app purchases or sign up to subscriptions. The game features a pause button which enables children to pause game-play at any time and not lose their place in the game.
Guidance: Nudge techniques are design features which lead or encourage users to follow the designer’s preferred paths in the user’s decision-making. The code states that ISS should not use nudge techniques to lead or encourage children to provide unnecessary personal data or turn off privacy protections. See Standard 13 of the code – Nudge techniques.
The personal data we process relating to child users is very limited, as described above. The performance data we collect is immediately anonymised, apart from the data about a child’s playing history, which is available to parents. We only use it to analyse, develop and improve game or advertisement effectiveness.
We consider that the very limited processing will be in line with users’ expectations. We have clearly explained it in the parental information and our privacy notice which is available when first accessing the app. It is also accessible from within the game through the settings, in versions appropriate for both adults and children aged five to eight. A child-friendly version of the privacy notice is also offered using an avatar to guide the child through a series of just-in-time notices in appropriate places (eg at first use of the game or the family circle features). The privacy notice features an avatar speaking the privacy notice sections, with the words also displayed for older children to read.
Mobile gaming apps of this type are not novel, and ours uses data in a way that is similar to, if not more limited than, what is common in this market place.
We are aware of several codes and other pieces of guidance which we have taken into account when designing our game and uses of personal data:
- The ICO’s Age appropriate design code.
- The Chief Medical Officer’s Commentary on screen based activities.
- The OFT’s Principles for online and app based games.
- The CAP code on non-broadcast advertising.
Describe the purposes of the processing: what do you want to achieve with your service? What is the intended effect on individuals? What are the benefits of the processing – for you, and more broadly? What are the specific intended benefits for children?
Guidance: The Information Commissioner is required to take into account the UK’s obligations under the UNCRC in drafting this code. All the standards of the code relate to the best interest standard. See Standard 1 Best interest of the child, which states:
“The best interests of the child should be a primary consideration when you design and develop online services likely to be accessed by a child.”
In order to implement this standard you need to consider the needs of child users and work out how you can best support those needs in the design of your online service, when you process their personal data.
Aim of our service
Our aim is to offer a game for five to eight year olds which is both fun to play and educational. It provides an age-appropriate game which has been specifically designed with this age group in mind, either free of charge or at limited cost, if they choose to subscribe or make purchases. It also helps children engage with numbers and practise maths skills whilst playing.
Intended effect on individuals
It enables parents and educators to provide their children with, and enables children to enjoy, an age-appropriate game which helps children engage with numbers and improve their mental arithmetic in a fun environment.
Benefits of the processing
The benefits of the processing are (for us) that it enables us to run our business, improve awareness of our brand in the market place, and increase our market share and revenue. The processing benefits children and parents or educators in the ways described above.