Data protection trends in children's online gaming – International Association of Privacy Professionals

The day’s top stories from around the world
Where the real conversations in privacy happen
Original reporting and feature articles on the latest privacy developments
Alerts and legal analysis of legislative trends
Exploring the technology of privacy
A roundup of the top Canadian privacy news
A roundup of the top European data protection news
A roundup of the top privacy news from the Asia-Pacific region
A roundup of the top privacy news from Latin America
A roundup of US privacy news
Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.
Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.
Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.
Locate and network with fellow privacy professionals using this peer-to-peer directory.
Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.
Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.
Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.
Develop the skills to design, build and operate a comprehensive data protection program.
Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.
Introductory training that builds organizations of professionals with working privacy knowledge.
Learn the legal, operational and compliance requirements of the EU regulation and its global influence.
Meet the stringent requirements to earn this American Bar Association-certified designation.
The global standard for the go-to person for privacy laws, regulations and frameworks
The first and only privacy certification for professionals who manage day-to-day operations
As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.
Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.
The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.
The IAPP’S CIPP/E and CIPM are the ANSI/ISO-accredited, industry-recognized combination for GDPR readiness. Learn more today.
Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.
Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Use the Vendor Demo Center, Privacy Vendor List and Privacy Tech Vendor Report to easily identify privacy products and services to support your work.
The IAPP presents its sixth annual “Privacy Tech Vendor Report.” This issue, the IAPP lists 364 privacy technology vendors.
Access all reports and surveys published by the IAPP.
Access all white papers published by the IAPP.
The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
This tracker organizes the privacy-related bills proposed in Congress to keep our members informed of developments within the federal privacy landscape.
IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
The IAPP’s EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you’re meeting your obligations.
On this topic page, you can find the IAPP’s collection of coverage, analysis and resources related to international data transfers.
This chart maps several comprehensive data protection laws to assist our members in understanding how data protection is being approached around the world.
Europe’s top experts predict the evolving landscape and give insights into best practices for your privacy programme.
Gain exclusive insights about the ever-changing data privacy landscape in ANZ and beyond.
Explore the full range of U.K. data protection issues, from global policy to daily operational details.
Concentrated learning, sharing, and networking with all sessions delivered in parallel tracks — one in French, the other in English.
The world’s top privacy conference. Whether you work in the public or private sector, anywhere in the world, the Summit is your can’t-miss event.
View our open calls and submission instructions.
Increase visibility for your organization — check out sponsorship opportunities today.
Review upcoming IAPP conferences to see which need to be included in your schedule for the year ahead.
Start taking advantage of the many IAPP member benefits today
See our list of high-profile corporate members—and find out why you should become one, too
Don’t miss out for a minute—continue accessing your benefits
Review current member benefits available to Australia and New Zealand members
Children now spend a lot of time playing games online, but the gaming industry has received less scrutiny than social media or streaming platforms over privacy concerns. As gaming grows, the scale of user vulnerability increases as well. Many young people do not understand the data risks posed by online games. Luckily, privacy regulators are increasingly focusing efforts toward protecting children’s safety and autonomy online.
Young people enjoy online games because they allow for play, learning and socialization. Parents express concerns about the amount of time spent gaming, but research is only just emerging about the impacts. A recent study from the Oxford Internet Institute on gamers 18 and older found that time spent playing video games had “little to no” effect on well-being. Its authors pointed to the need for further research, which would presumably include investigations into mental health outcomes for gamers younger than 18. 
The gaming experience often encourages children to unknowingly exchange personal information for “free” access to benefits. Minors who play mobile application games face different data risks from peers who play personal computer or console games. The PC and console side of the gaming industry is dominated by large and long-standing companies. Industry leaders such as Sony, Microsoft and Nintendo have established privacy programs and understand the risks that attend abuses of personal data. The mobile gaming sector has many new and small companies that lack internal privacy resources and may not follow data protection principles. As a result, regulators have turned their attention to online gaming, a quickly growing sector that frequently markets digital products to young people. The discussion below addresses some key privacy issues with children gaming online as well as emergent policy solutions.
Gaming companies will face significant legal and business risks if they treat all players in the same way. Age-assurance processes help them manage the risks posed to children and their personal information in the online gaming environment. Many jurisdictions, and the UN Convention on the Rights of the Child, define a child as anyone under the age of 18. That segment of the population has unique vulnerabilities and, therefore, deserves special accommodations and enhanced protections.
Age assurance should not be seen as a silver bullet or as a sufficient protection unto itself. It will only work effectively as part of a wider privacy-by-design approach. Age assurance has the strength of flexibility compared with the related process of age verification. The former gives a greater choice of solutions for risk mitigation; the latter sometimes imposes disproportionate measures. Age-assurance processes include age verification or self-declaration. If the data protection risk profile for children is low in certain situations, then age-assurance requirements can become less than onerous, even unnecessary. When risks for children are high, companies must implement effective risk mitigation around personal data use in online gaming.
No standard process for identifying adult versus child users has emerged. Debates continue over whether such measures would provide reliable protections or adversely impact privacy. In some circumstances, the collection of additional personal information could add to children’s risk of online harms. Some youth advocates worry that “flagging” an underaged user may draw the attention of predatory actors just as reliably as it would trigger protective controls. 
We believe that proportionate and risk-based requirements for age assurance are necessary and inevitable, despite challenges. Policy reality and government intentions point in that direction. Before the internet can become a safe place for children, systems and services will have to demonstrate how they provide an age-appropriate environment for child gamers. Knowing the age of users is a key component in creating a safe online experience. Age-assurance processes should support fun, exploration, and socialization while establishing high-privacy settings by default. The aim should not be to keep children away from online gaming; instead, we must work to ensure they remain safe and feel empowered.  
Age-assurance requirements now appear in international standards, in legislation, and in regulatory codes and guidance. For example:
The U.K. Information Commissioner’s Office Age Appropriate Design Code demands a risk-based approach to assessing the age of individual users. Companies must ensure that their online services effectively apply the standards in this code to child users. It gives a choice: either establish age with a level of certainty proportionate to the risks that arise from processing children’s data or apply the code’s standards to all users.
• The OECD Recommendation on Children in the Digital Environment was adopted in 2021, and the accompanying Digital Service Provider Guidelines also focus on this issue. They require service providers to “regularly take steps necessary to prevent children from accessing services and content that should not be accessible to them, and that could be detrimental to their health and well-being or undermine any of their rights.” 
• The EU Digital Services Act, agreed to in April 2022, requires providers of online platforms that are accessible to minors to put in place appropriate measures for ensuring a high level of privacy, safety and security for minors accessing their services.
• Currently before the U.K.’s House of Commons, the Online Safety Bill proposes a safety duty that will require proportionate systems and processes designed to prevent children of any age from encountering content that is harmful to children. 
European currents that move toward comprehensive protections for children online have now washed up on the United States’ shores. The U.S.’s most populous state recently passed the California Age-Appropriate Design Code Act, which follows in the wake of similar guardrails and requirements now enshrined in British law. An August 2022 article in The New York Times speculated the legislation “could herald a shift in the way lawmakers regulate the tech industry” more broadly. The article reflects the fact that regional and national laws tend to affect the way major tech companies operate across the board, in part because of the amount of effort required to implement different treatments of users based on geographic location or age.
A privacy-by-design approach to game development will have to consider many issues beyond age assurance. Once a gaming company has identified a young user, how will it inform that person of their privacy rights? How can children easily understand how their data is used? What controls or settings will be presented? Online games often hide privacy settings, making it difficult for even relatively sophisticated users to exercise control over their personal information.
Game developers may feel that presenting boilerplate privacy declarations will spoil all the fun. But when they do not provide age-appropriate and timely information about data collection, developers place themselves in an asymmetrical relationship to gamers. Users of any age deserve to know whether personal information will be shared with third parties and how one service links up with other digital platforms — via sign-in partners like Google or Facebook, for example. Understanding data collection enacted by mobile gaming companies seems especially important, because they often record sensitive information including geolocation and close contacts from the mobile device. Policymakers and game developers must struggle with a challenging question: Can an underaged player consent to broad uses of their data?
Gameplay itself sometimes leads to unfair use of personal information. Many games follow users’ behaviors and give them nudges that encourage prolonged engagement with the digital environment. Personal information collected can be used to curate highly targeted in-game advertisements. Further, companies sometimes use personal information to foster offline connections between players. And that can lead to contact risks for young people. Gamers who reveal behavioral patterns and personal data may be manipulated into making particular social connections or purchases that stock their avatars’ “loot boxes” with attractive, in-game features.
In that regard, policy experts have debated the gray area where gaming and gambling overlap. Online games allow young users to compile assets, then spend digital tokens or actual currency. Such activities can be addictive, so regulations must play a role in managing the relationship between developers and gamers. Some of these issues stretch beyond data protection but must not fall into a regulatory gap.
The regulatory environment for online gaming companies places them squarely in the crosshairs of data protection authorities. The U.K. ICO has issued statutory guidance in its Age Appropriate Design Code. That landmark guidance will enable companies to take practical steps toward protecting children’s privacy. It also helps them prepare for future online safety legislation. And the ICO has recently engaged widely across the online gaming sector with respect to Children’s Code conformance. Emergent principles and best practices that will need to work with future gaming innovations include data minimization, privacy by design, responsible governance and risk-based treatment of young users.
Game developers already have expertise in crafting user experiences that make their products intuitive, interactive and exciting for kids. The industry must now apply that expertise to work for privacy. In the U.K., the ICO will demand evidence of effective and principled design. To prepare for possible investigations, game developers must document their decisions in that regard. Companies must show that concerns over children’s privacy are understood and acted upon. Regulators will place the onus for responsible uses of data on service providers rather than users. To that end, default settings should set a high bar for privacy.
Regulatory authorities seem to be catching up to the online gaming industry, which has largely avoided the intense scrutiny social media platforms receive. But the gaming sector represents a moving target. We already see what gamers might call “boss-level” challenges on the horizon. Advances in Virtual Reality and the emergence of the metaverse make games increasingly immersive. Immersive play exposes unprecedented volumes of information about gamers, their connections and their vulnerabilities to manipulation. Data protection principles still guide the regulation of new online gaming services, although further guidance will be needed in light of developments such as the metaverse. An excellent article by Notarize Data Protection Officer Gary Weingarden, CIPP/A, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPM, CIPT, FIP, PLS, and Deutsche Bank Senior Counsel Matthias Artzt, CIPP/E, sets out how data protection will apply in this virtual context.  
The rate of change in online gaming is frenetic and has, to date, largely outpaced enforcement. And yet, across the board, regulators’ postures and signals from governments indicate that present and future laws will place an increasingly rigorous set of risk-based requirements on companies that gather and exploit children’s personal information. These requirements must be practical, and take account of all the benefits and risks related to online gaming. And they must grow from trustworthy evidence about how we can effectively protect and enable safe exploration in the realm of online gaming. Let the children play — safely. 

Children’s Privacy and Safety intends to help the practitioner and advocate on their journey to protect children’s data privacy and safety. The privacy laws and safety protections impacting children vary from country to country and across industries and data types, making it hard to apply a singular global approach. This comprehensive treatise is intended to provide reliable and substantive background on children’s privacy, data protection, and safety issues.
View Here
Submit for CPEs
If you want to comment on this post, you need to login.

Children’s Privacy and Safety intends to help the practitioner and advocate on their journey to protect children’s data privacy and safety. The privacy laws and safety protections impacting children vary from country to country and across industries and data types, making it hard to apply a singular global approach. This comprehensive treatise is intended to provide reliable and substantive background on children’s privacy, data protection, and safety issues.
View Here
The IAPP is the largest and most comprehensive global information privacy community and resource. Founded in 2000, the IAPP is a not-for-profit organization that helps define, promote and improve the privacy profession globally.
The IAPP is the only place you’ll find a comprehensive body of resources, knowledge and experts to help you navigate the complex landscape of today’s data-driven world. We offer individual, corporate and group memberships, and all members have access to an extensive array of benefits.
© 2022 International Association of Privacy Professionals.
All rights reserved.
Pease International Tradeport, 75 Rochester Ave.
Portsmouth, NH 03801 USA • +1 603.427.9200

source

Leave a Comment

Your email address will not be published.