What’s in scope? Data processing

The government is mulling over raising the ‘digital age of consent’ – that’s the age at which minors can legally consent to the processing of their personal data, currently set at 13. For video games companies, this will affect how player data can be used for features like personalised recommendations, in-game advertising, or social functionalities.

The “Growing up in the online world” consultation (closing 26 May), which is intended to inform future age restriction regulations, asks whether 13 is still an appropriate age for agreeing to what is now an increasingly complex ecosystem of data processing, given the reality of data profiling and targeted advertising techniques that children encounter in today’s online world. As with other focus areas, the general vibe is that this could be set at 16.

The government wants to know if a potential higher digital age of consent should be applicable to all services or just to specific ones, with the aim of ensuring that a higher age wouldn’t block children from accessing beneficial services. They are also asking about the risk of negative outcomes, both in terms of parental involvement and burdens on industry (including costs and the volume of requests).

Raising the age means that video games companies relying on consent for processing player data would have to obtain parental consent for any users under the new threshold (and somehow verify it’s actually from a parent) if they wish to continue their current practices. For those with a large teenage player base, this would represent a particularly significant change in how accounts are managed.

Where video games currently implement a minimum player age of 13 in their terms of service to avoid this issue, an increase in the digital age of consent could necessitate either making significant changes to onboarding processes and privacy policies (as per the above), or a decision to raise the minimum player age (thus losing a proportion of the active player base).

Regardless, age assurance will be highly relevant to ensure that implementation is meaningful. This is particularly important given recent ICO action to get platforms (including a video game company) to use highly effective age assurance to enforce their minimum age rules that prohibit players below the digital age of consent, rather than rely on self-declaration.

As with other areas, it will be important for video games companies to outline the core differences in the way that data is processed in games, whether compliance burdens will be more significant for no player benefit (and therefore disproportionate), and whether there is scope for a risk-based approach.

If you think this is relevant to your game and want to know what it might mean for you, we’re more than happy to talk it through.

You might also want to check out our handy tracker page and our overview of what else could land games companies in scope of the regulations and consultation.