The ICO exists to empower you through information.

The Children’s code is a code of practice that sets out how online services, likely to be accessed by children, should protect them in the digital world.

We’ve audited game design companies to better understand how the Children’s code applies in the games sector and, importantly, what steps games companies can take to make sure they comply with the code. We’ve set out our top tips to ensure your players have a good game.

Sussing out the danger – running risk assessments

Having a defined process to help you identify and minimise the data protection risks within your games will help protect the rights and freedoms of children.

You should:

  • Consult with external stakeholders, including children, as part of any risk assessment. To do this, you could gather feedback from existing players, carry out a public consultation, conduct user testing or contact relevant children's rights groups for their views. You could consider completing a Children’s Rights Impact Assessment as part of this process.
  • Assess and document the game’s appeal to children during the game design stage, and with legacy products, to help you decide the most appropriate age assurance measure to put in place. You should also consider if you need to tailor any in-game content or data processing needs for children. Just because the game isn’t aimed at children, doesn’t mean they won’t want to play it.
  • Regularly review assessments after a game goes live. If you discover unexpected age groups are playing the game, you should make any necessary adjustments.
  • Ensure you risk assess any randomised rewards, such as loot boxes, against the Children’s code and the UK Government’s response to their consultation on loot boxes and gambling.

Buff your age assurance – know your players’ ages

The age range of your players and the different needs of children at different ages and stages of development should be at the heart of how you design your games and apply the code.

You should:

  • Assess and document how you will identify if UK players are under 18 and work out their actual ages with an appropriate level of certainty.
  • Investigate potential age assurance solutions to provide greater levels of certainty, linking back to risk assessments done at the design stage. You should implement your identified age assurance solution across all games, stores or platforms as quickly as possible.
  • Implement measures to discourage or prevent players from giving false declarations of age. You could introduce a cooldown mechanism that prevents players from returning to a previous page to provide a different date of birth within a fixed time-period. Alternatively, you could explore access to a data-free core element of your game until parental consent is confirmed or age assurance measures are put in place.
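
As an added illustration (not ICO code), a server-side age gate with the cooldown described above: the first declaration is held for a fixed period, and any retry inside that period returns the original outcome instead of accepting a new date of birth. The 24-hour window, the `client_id` device or session key and the in-memory store are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone

COOLDOWN = timedelta(hours=24)  # assumed; the guidance only says "fixed time-period"
ADULT_AGE = 18                  # under-18 threshold used in the guidance


@dataclass
class Declaration:
    is_under_18: bool
    declared_at: datetime


def age_on(dob: date, today: date) -> int:
    """Whole years completed between dob and today."""
    return today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))


class AgeGate:
    """Holds the first declaration per client for COOLDOWN; retries cannot change it."""

    def __init__(self):
        self._seen = {}  # client_id -> Declaration (in-memory for the example)

    def declare(self, client_id: str, dob: date, now: datetime) -> dict:
        prior = self._seen.get(client_id)
        if prior and now - prior.declared_at < COOLDOWN:
            # Still locked: ignore the new date and keep the original outcome.
            wait = prior.declared_at + COOLDOWN - now
            return {"accepted": False, "is_under_18": prior.is_under_18,
                    "retry_after_s": int(wait.total_seconds())}
        if dob > now.date():
            raise ValueError("date of birth is in the future")
        outcome = age_on(dob, now.date()) < ADULT_AGE
        # Keep only the outcome and timestamp, not the date of birth itself.
        self._seen[client_id] = Declaration(outcome, now)
        return {"accepted": True, "is_under_18": outcome, "retry_after_s": 0}


def demo() -> list:
    """Constructed scenario: a child declares, then retries with an adult date."""
    gate = AgeGate()
    t0 = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
    return [
        gate.declare("device-A", date(2012, 3, 9), t0),
        gate.declare("device-A", date(1990, 1, 1), t0 + timedelta(minutes=2)),
        gate.declare("device-A", date(1990, 1, 1), t0 + COOLDOWN),
    ]
```

The lock has to be enforced where the player cannot reset it; a check held only in client state is cleared by reinstalling or wiping local data.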

Open-world gameplay – being transparent

Bad privacy information design obscures risks, unravels good player experiences, and sows mistrust between children, parents and games providers.

You could:

  • Run user research to trial child friendly privacy information with different age groups.
  • Display transparency information based on ability rather than age. For example, transparency information at beginner, intermediate, and expert levels.
  • Design different ways to communicate privacy information which may be more effective for children of different ages. For example, you could use age-appropriate videos and graphics in 'bite sized' chunks, using mission-style storylines or deploying in-game pop-ups or messages.

Preventing a critical hit – preventing the detrimental use of children’s data

It is important to only process children’s personal data in ways that are not detrimental to their health or wellbeing.

You should:

  • Ensure that all optional uses of personal data are off by default and only activated after valid consent is obtained from the player (or for children under 13-years-old, their parent or guardian). Optional uses of personal data include tailored product recommendations or offers designed to promote or market other services.
  • Introduce checkpoints, automatic periodic saving of progress, or natural breaks in play between game matches into game design. Include age-appropriate prompts to encourage players to take breaks from extended play or help them to disengage from extended sessions without feeling pressurised to continue playing or becoming fearful of missing out.
  • Implement measures to control or monitor product placement, advertising, or sponsorship arrangements within community servers, where children can access community servers from within the game.

Stealth mode – setting high privacy settings and parental controls

Designing your games to promote meaningful parent or guardian-child interactions, while setting a high level of privacy by default and providing a range of appropriate parental controls is key.

You could:

  • Provide parents with ‘real time alerts’ about their child’s activity, where it is in the child’s best interests. This might include notifications if their child tries to change a privacy setting, access ‘riskier’ in-game features or is exposed to inappropriate content. If parents opt-in to receive real-time alerts, you should give children age-appropriate information about this.
  • Ensure you give players age-appropriate explanations and prompts at the point they try to change any privacy settings. The prompts should be specific to each individual privacy setting and inform players of the risks and impact of lowering that specific setting before any change. Consider theming or gamifying these prompts to fit the game being played to heighten engagement by child users.
  • Assess if it is possible to introduce variable settings that allow children to control what personal data is visible to other players. For example, you could allow players to hide their account name, so that other players cannot search for them.
  • Have voice chat functionality off by default for children, allow players to turn on a ‘do not disturb’ setting permanently as well as in the current session and change the default ‘receiving friend requests’ setting to ‘no-one.’ Introduce a setting to allow only other children to communicate as an option, and consider options for age assurance for the chat function to identify adults trying to pose as children.

Further reading

  • We have produced design guidance, which includes gaming worked examples of the data privacy moments and age-appropriate mindsets.

Scouting – profiling responsibly

You must offer children control over both whether you use their personal data and how you use it. This is especially important where profiling is not essential to play the game.

You should:

  • Check that any third-party advertising provider is displaying age-appropriate content to children in-game.
  • Provide age-appropriate information in-game at the point that profiling takes place. You should encourage children to seek a trusted adult and to only activate profiling if they understand how profiling uses their personal data.
  • Separate the opt-in consent for marketing from the acceptance of Terms of Service and the Privacy Policy when players create a new account. There is a risk that players may think that marketing is part of the contract and that they must accept it to continue, which could infringe the transparency principle.
  • Make sure profiling for marketing purposes is off by default for children, or consider restricting marketing to contextual advertising that doesn't process children's data.

Pushing FOMO – implementing positive nudge techniques

It is crucial that games do not use nudge techniques to lead children to make poor privacy decisions.

You should:

  • Assess and document the risks of introducing time-limited or one time only offers on items targeted at children.
  • Implement positive nudge techniques to promote the best interests of children. For example, you could encourage children towards high privacy options, sensible purchasing of in-game items, use of parental controls, and pro-wellbeing behaviours such as taking breaks.
  • Review how you communicate social media competitions and partnerships to children and be mindful of encouraging children to create social media accounts for fear of missing out on rewards when running competitions and other activities on social media platforms that have a minimum age restriction.
  • Monitor player behaviour and click-throughs to identify any unintentional nudge points. For example, where players are nudged towards reducing privacy settings despite not having specifically intended this.
  • Use neutral purchase button design and support workflows that allow a decision not to proceed with a purchase. You could allow refund of a purchase in a reasonable time frame.

Interested in the next level?

If you’re interested in working with us, you can volunteer for an audit. You’ll benefit from the data protection knowledge and experience of our audit team, at no expense to your company. It’s an opportunity to discuss relevant data protection issues with the members of the ICO team and get an independent assessment of your conformance with the Code.

But don’t just take our word for it, here’s some feedback from the games companies we’ve worked with so far:

“The overall experience was smooth, open and collaborative – which was a positive surprise and quite novel approach to interact with the regulator. It was greatly appreciated.”

“We found the overall audit process very constructive. It was helpful to have the different questions linked to each principle of the code. We appreciated having in advance the "proposed engagement work plan". We also appreciated your interest in other subjects we had to present.”

“Based on the feedback and recommendations, we are reviewing existing features and building a plan to remediate risk and further document processes to put in place to do so.”

You can get in touch by email to [email protected].

Read some of our published audit Executive Summary Reports on our website.

Data Protection Certification is a way of demonstrating that your processing of personal data complies with the UK GDPR requirements, and can clearly demonstrate your commitment to data protection compliance, to individuals and other businesses.

The ACCS Age Appropriate Design Certification Scheme, approved and published on the ICO website, relates to online services likely to be accessed by children in the UK and will assist your organisation in ensuring compliance against the ICO Age Appropriate Design Code. We would encourage all relevant organisations to consider getting certified.

Guidance note

To help you to understand the law, the code and good practice as clearly as possible, these top tips say what organisations should and could do to comply.

Should does not refer to a legislative requirement, but what we expect you to do to comply effectively with the code. You should do this unless there is a good reason not to. If you choose to take a different approach, you must be able to demonstrate that this approach also complies with the code.

Could refers to an option or example that you could consider to help you to comply effectively. There are likely to be various other ways you could comply.