Review

TL;DR

The headline policy area for 2025 has undoubtedly been consumer protection. Starting with a whisper as the UK Competition and Markets Authority (CMA) published largely uneventful new guidance, it grew to a roar in March when the EU Consumer Protection Cooperation Network (CPC Network) suddenly dropped its principles for games to follow when using in-game currencies. Their push to constrain the use of in-game currencies, including by stating the value of in-game items in “real world money,” was echoed by the European Commission’s consultation on the Digital Fairness Act in July. With the EC now mulling over responses, their next steps will be a big story in 2026.

Online safety policy, particularly relating to children, advanced steadily last year. The start of Online Safety Act (OSA) enforcement in the UK was a pivotal moment, with age verification rollouts sweeping across the internet (alongside increased VPN use). In the EU, this area was marked by the consultation and publication of Guidelines on the protection of minors under the Digital Services Act (DSA). They set out a clear list of measures that online platforms must implement to protect minors from online risks, addictive behaviours, and harmful commercial practices, including restrictions on loot boxes and in-game currencies. For 2026, we’re looking at the Ofcom pressing the start button on their OSA fee regime, and more from the EC on a harmonised age verification approach across the Union.

The competition landscape also saw significant action, with the EC imposing its first fine under the Digital Markets Act (DMA) after confirming that restrictions in Apple’s App Store policy terms failed to comply with the DMA’s anti-steering provisions. In the UK, the CMA launched investigations against Apple and Google to determine whether they have Strategic Market Status (SMS) on their mobile platforms, confirming this status in October. Consultations on interventions to constrain the impacts of SMS should be heading our way in 2026.

Finally, 2025 has witnessed important developments in data protection, with the EC officially presenting its Digital Omnibus Package. This proposal aims to amend the General Data Protection Regulation (GDPR) and other rules to enhance legal certainty and reduce administrative burdens. Across the channel, the Information Commissioner's Office (ICO) announced a monitoring program to scrutinise data protection practices in ten of the most popular mobile games played by children in the UK. 2026 will see both of these progressing, with ramifications for the industry.

Now, let’s zoom in…

Consumer protection

This year saw regulators and stakeholders homing in concerns about manipulative design and opaque in-game purchases. In March, without a heads-up or consultation, the CPC Network published its Key Principles on ‘In-game Virtual Currencies’, aimed at addressing concerns over transparency, vulnerability, and fair terms. Controversially, the CPC Network departed from the widely held legal position regarding in-game currencies, stating instead that purchasable in-game currencies are “digital representations of value.” Consequently, their principles require transactions using these currencies to be subject to consumer protection rules. This includes requiring prices for digital content to be shown in real-world money and significantly restricting the use of layered currencies or ‘odd priced’ bundles. See our explanation here.

In July, the EC launched their consultation on the upcoming DFA. The DFA, prompted by the EU Digital Fairness Fitness Check (2024), aims to address concerns about consumer protection gaps, such as dark patterns, influencer marketing, and addictive design. For video games, this could mean mandatory fiat price displays, restrictions on loot boxes, and disabling pay-to-win features. It might also affect long-standing game design approaches, such as rewards for regular participation. These proposals could significantly affect fundamental design, monetisation, and player engagement techniques, signalling a major potential change for companies operating in Europe. Check our explanations here and here.

In the UK, April saw the enforcement of the new consumer protection regime under the Digital Markets, Competition and Consumers Act (DMCCA), empowering the CMA to directly enforce consumer law. To support traders, the CMA published guidance on its approach to Unfair Commercial Practices and on Price Transparency. Proving themselves to be a role model for regulators everywhere, they re-consulted on pricing over the summer as a result of concerns raised about the needs of specific sectors. In November, the CMA opened its first DMCCA investigations over issues like drip pricing and misleading countdown timers, alongside dispatching 100 advisory letters across 14 sectors. While not targeting the video game industry, it is nonetheless highly relevant. Find out more with our explanation here.

What to expect for 2026?

A strong and increasing focus on digital protection in both jurisdictions, particularly on unfair commercial practices online. The EC is expected to publish the DFA’s final impact assessment in the summer, outlining  the evidence for new legislation and the their preferred intervention approach. After the EC presents the legislative draft by the end of 2026, it will enter the EU legislative process, where it will be negotiated by the EU Parliament and Council. The Parliament has provided clear insights into its position towards some of the provisions contained in the DFA through the recent adoption of its resolution on minors online – expect significant support for restrictions on in-game currencies and loot boxes.

In the UK should anticipate further enforcement of DMCCA consumer protection provisions and implementation of the new subscription regime. From the Autumn, video game companies providing subscription services will be required to provide detailed pre-contractual information, reminder notices before auto-renewal, and straightforward cancellation mechanisms.

So, be ready to show that consumers are already treated fairly, with transparent pricing techniques and clear information about purchases, and that video games function very differently to social media. Companies must engage actively in the discussion of upcoming legislation, such as the DFA, to provide insights into the potential effects on players and the industry.

App distribution

The CMA opened 2025 by launching its second DMCCA competition investigation in January, aiming to determine whether Google and Apple’s mobile platforms hold “Strategic Market Status (SMS)”. SMS designation was confirmed in October, finding that both companies had substantial and entrenched market power alongside positions of strategic significance. The CMA highlighted areas of concern that contributed to the designation, specifically on the app distribution mechanism: platform rules that restrict sideloading, limitations on steering users outside of the platform, and unpredictable app review processes. The decision aligns with previous CMA findings on mobile ecosystems, as well as the EC’s designation under the DMA and recent antitrust decisions in the US and Australia, signalling a global consensus on the need to improve competition in this ecosystem. Check our full explanation here.

In April, the EC imposed its first DMA fine against Apple after confirming that it failed to comply with steering obligations (we explained it here).  Following this, Apple updated App Store policies for the EU in June, allowing developers to use external payment systems and enabling users to install apps from alternative app marketplaces. While considered to be a positive step, there are still concerns (and more concerns) that they do not fully align with the DMA. If the Commission concludes that rules still violate the DMA, they could issue further non-compliance decisions or fines.

What to expect for 2026?

The outlook is dominated by enforcement action in both jurisdictions. The EC has two ongoing investigations regarding app distribution to wrap up, starting with the long-running one into whether Apple’s new contractual terms for developers using alternative app stores comply with the DMA’s sideloading obligations. The regulator has also issued preliminary findings that Google Play Store rules fail to comply with the steering obligations, with the final decision pending.

Having consulted this summer, in May the EC will report to the European Economic and Social Committee on how effectively the DMA has met its objective to ensure contestable and fair digital markets. While a key focus is the DMA’s adaptability to the AI sector, it will potentially include relevant proposals for future legislation. In the UK, the CMA is expected to consult on pro-competitive interventions on Google and Apple; these are likely to be targeted to address specific practices identified as limiting competition, instead of the broader EU approach.

Companies using the main app distribution platforms are strongly advised to engage in the upcoming consultations so they can provide insights on remedies to promote competition in the app distribution market, based on their needs and their experience in other jurisdictions. It’s also wise to closely monitor upcoming decisions from the EC and subsequent actions, which may provide new opportunities to engage consumers through the introduction of alternative payment and app distribution channels.

Online safety and child protection

A ramp-up of online safety enforcement was a big feature of 2025 in the EU and the UK. In Europe, the EC’s focus has been big online platforms, preliminarily finding that major social media platforms (such as Facebook and Instagram) failed to comply with the obligations to provide effective mechanisms for users to flag illegal content and challenge content moderation decisions. Taking the first investigatory step following the adoption of the Guidelines on Protection of Minors published this year, the Commission sent information requests to the Apple App Store, Google Play Store and Snapchat to understand how they are protecting minors and preventing them from accessing illegal products or harmful material.

On age assurance and verification, the Commission released a prototype of an EU-wide age verification app designed to be privacy-preserving and user-friendly, with the aim of supporting platforms to meet their DSA obligations. It will be tested in collaboration with Member States, online platforms and final users, with companies openly invited to engage.

In the UK, this year was characterised by the initial enforcement of the OSA. In-scope providers, including video game platforms, were required to complete and record detailed risk assessments for both illegal content and content harmful to children, and adopt practical measurements to prevent users from encountering it. Ofcom published guidance on how the OSA applies to video games, explaining that user interaction, voice/text chat, and user-generated content bring games into scope, and highlighting specific risks like grooming, terrorism, and hate offences that must be actively mitigated. Ofcom also developed the OSA funding regime and issued specific guidance on harmful content and activity that disproportionately affects women and girls.

What to expect for 2026?

Expanding enforcement beyond the largest digital platforms. Digital Services Coordinators (DSCs), the national regulators in each EU Member State, are due to start enforcing DSA requirements on transparency, accountability for content moderation, and effective redress to users. This will shift the focus to remaining smaller online platforms and hosting services, potentially bringing video games companies into scope. We also expect the adoption of the EU Digital Identity Wallets towards the end of 2026 will impact compliance expectations. With online safety and child protection activity ongoing in Spain and France, which risks fragmenting the European compliance environment, video game companies should carefully monitor further online safety developments at the state level.

Ofcom’s updated OSA roadmap promises a report on use and effectiveness by the end of July, the results of which could influence future compliance expectations and lead to new obligations for age assurance technology. A consultation on additional duties for categorised services is also expected around July. Ofcom’s enforcement will focus on auditing information submitted by platforms, requiring them to demonstrate that risk assessments have resulted in effective moderation systems, reporting mechanisms and age assurance methods; video game companies should also anticipate a move towards more active regulatory scrutiny and increasing enforcement.

Data protection and ICO enforcement

Last month, the EC presented the Digital Omnibus Package, aimed at amending GDPR and other rules to reduce administrative burdens on businesses and provide legal certainty. The most significant changes for video game companies include the amendment of “personal data” to exclude information if the entity holding it does not have the “means reasonably likely to be used” to identify the individual. The omnibus package also aims to reduce cookie banner fatigue through the introduction of relevant technology tools.

The UK Data (Use and Access) Act received Royal Assent in June, reforming the UK GDPR and Privacy and Electronic Communications Regulations in areas such as children’s data management, the use of cookies, and digital ID. Importantly for the creative industries, including video games, the use of copyrighted materials for AI training was left open for future discussions. See our explanation here.

Mirroring the increased focus on children’s safety, the UK Information Commissioner’s Office (ICO) announced a renewed scrutiny of the gaming sector, launching a monitoring program to assess how ten popular mobile games protect children's privacy. This review will specifically check compliance with the ICO’s Children’s Code standards: default privacy settings, geolocation controls, and targeted advertising practices. The ICO revealed that an early review had already found that many mobile games’ design features can be especially intrusive, raising important questions about how these games are designed and experienced, and their adherence to the Code. The announcement clearly signals the ICO’s intensifying focus on compliance within the interactive entertainment industry.

What to expect for 2026?

More enforcement on data protection; following the ICO’s announcement, the video games industry is in the spotlight for 2026. Now would be a good time to review your in-game privacy defaults and advertising practices against the expected standards. In the meantime, the attempts to regulate the use of copyrighted material for AI training in the UK seem to be delayed, but may well be back on the docket next year. In the EU, the legislative process on the Digital Omnibus Package is expected to continue through 2026, with an imminent adoption by mid-2026. This would require video game companies to assess how the proposed amendments to the GDPR will affect their processing of data and prepare for the changes related to cookie consent exceptions.