

Created on: 26 Jun 2025
Last updated: 23 Oct 2025
Navigating the Data (Use and Access) Act: What Video Game Companies Need to Know.
TL;DR
The UK's new Data (Use and Access) Act (DUAA) is now law, bringing significant changes to data protection. There will be notable implications for the video games industry from: revised cookie rules, heightened children's data protection, a reformed regulatory body, and a digital ID framework, while leaving open the discussion on AI and copyright.
‘Data (Use and Access) Act receives Royal Assent’
Here’s our overview of what to expect from DUAA and what potential implications it has for the video games industry. If you enjoy this article and want deeper analysis or tailored advice and support, then get in touch – we’d be happy to discuss how Flux Digital Policy’s expertise can meet your needs.
DUAA emerged in October 2024 as a revised version of the Data Protection and Digital Information Bill (DPDI Bill) proposed by the previous Conservative Government. That earlier proposal faced significant changes and could not be approved before the general election. Among other areas, DUAA introduces reforms to the UK GDPR and Privacy and Electronic Communications Regulations (PECR), addressing areas such as children’s data management, the use of cookies, and digital ID. Importantly, the contentious issue of using copyrighted materials for AI training—a topic of increasing interest to creative industries, including game developers—was left open for future discussions.
DUAA became law after receiving Royal Assent on 19 June. According to the Information Commissioner's Office (ICO), a range of guidance on enforcement and compliance with the new legislation (some of which will be open to consultation) is set to be published within approximately six to nine months. This brings with it a variety of significant considerations for businesses, including online games, particularly those within the dynamic data environment.
Cookies
The DUAA introduces key changes to the rules governing the use of cookies and similar tracking technologies under PECR, most notably regarding the need for consent. The Act provides exemptions from the requirement to seek consent for certain non-essential cookies used for statistical data, website performance, user preferences, and service improvements. This could offer a welcome simplification for video game companies.
Furthermore, the Act introduces a new legal basis for processing personal data, known as ‘recognised legitimate interest’, which allows such data to be processed without the need for a legitimate interest assessment. For the video games industry, this provision might allow companies to process data more readily in the context of the online safety of children, if this falls within the recognised legitimate interest of safeguarding vulnerable individuals.
Children’s data protection
The protection of children's data is one of the main topics of the DUAA. It introduces the concept of ‘children’s higher protection matters’ to the principle of data protection by design and default, particularly for online services that children are likely to access.
The ICO has stated that companies should already satisfy this requirement if they conform to the existing Age Appropriate Design Code (AADC). For video game companies, it means a continued emphasis on:
Best interest of the child: Prioritising the best interests of children when processing their data.
Privacy by design and default: Implementing privacy-protective settings as the default for child users.
Age-appropriate application: Designing and developing services in a way that is appropriate for the age and developmental stage of the children likely to use them.
Information Commission
The DUAA also brings about structural changes to the UK's data protection regulator. It abolishes the ICO and replaces it with the Information Commission, alongside changes to its internal structure. This shift aims to modernise the governance and operation of the regulatory body.
Furthermore, the Act reforms the process under which data subjects can submit complaints by requiring complaints to be addressed by the relevant business first. This is a significant change for video game companies, as they will now be the first point of contact for data-related complaints. Companies will have new obligations:
Acknowledgement: Acknowledge complaints within 30 days.
Response: Respond to complaints ‘without undue delay.’
Video game companies will therefore need to establish clear procedures and channels for processing data complaints, as well as dedicated staff.
Digital ID
The DUAA establishes a framework for ‘trusted’ providers of digital verification services (DVS) by introducing a DVS register with additional certification through a DVS Trust Framework. This framework will be created by the Secretary of State in consultation with the regulator.
This initiative has transformative potential for the video games industry, particularly in areas such as age verification for restricted content and purchases, providing a more reliable and streamlined method for verifying age, and helping companies comply with various age-related regulations such as the Online Safety Act. However, its usefulness will depend on the direction of future developments, making it one to watch closely.
AI models and copyright
Perhaps one of the most critical and currently unresolved topics for the creative industries, including game developers, is the debate surrounding the use of copyrighted materials for AI training models. The creative industries have raised concerns that AI companies are using their work, including character designs, music, and art, for training AI models without permission, payment, or transparency. This directly impacts the intellectual property of the artists. While the House of Lords initially sought to amend the Bill to address these concerns, after a drawn-out tussle during ping-pong its amendments were ultimately overturned by the Commons.
As a result, the DUAA only introduces a requirement for the Government to publish an interim report on its proposals for copyrighted material and AI within six months of Royal Assent, and a final report three months later. This commitment provides a roadmap for future policy development. Moreover, the Government is already expected to publish a response to the AI Copyright consultation launched at the end of 2024 in the coming months and there are plans for a separate AI Bill.
What's next?
As the changes introduced by the DUAA are expected to begin this year, the ICO is planning to update its guidance for organisations over time. The data regulator recommends that companies:
Familiarise themselves with the changes that the DUAA makes to data protection law. This includes understanding the new cookie exemptions, the concept of ‘recognised legitimate interest’, and the revised complaint handling process.
Companies providing an online service that is likely to be used by children should ensure they are complying with the new requirements. Even though the ICO considers that those already conforming to the AADC should be on track, a review of current practices is advisable.
In addition, we would recommend monitoring developments regarding the Digital ID framework to understand how trusted DVS can be leveraged for age verification, staying informed about secondary legislation and upcoming consultations, and proactively engaging with discussions around AI and copyright due to the implications that it has for the video games industry.
How can Flux help me?
While the DUAA aims to simplify personal information protection for UK businesses through its various changes, its full implementation will be gradual. Many provisions rely on secondary legislation or additional guidance still to be published by the regulator.
Our team can help you identify the specific implications of this new regulation for your business. We'll also keep you updated on any upcoming announcements following the law's publication, ensuring you’re prepared to engage in future discussions.
Author: Veronica Perez, Policy Advisor
