With around 90% of children in the UK engaging with mobile games, the Information Commissioner’s Office (ICO) has launched a monitoring program targeting 10 popular titles to assess adherence to privacy protections specifically designed for young users. This initiative comes amid growing parental concern, with 84% of parents worried about their children’s exposure to strangers or harmful content through mobile gaming, and 76% anxious about personal data sharing and advertising practices. Early findings suggest that many mobile games incorporate design features that may be intrusive, raising questions about their compliance with the Children’s Code standards.
This article talks about the regulatory landscape shaping this investigation, the reasons behind the ICO’s focus on mobile gaming, the implications for businesses and individuals, emerging industry trends, and what the future holds for privacy in children’s mobile gaming.
Regulatory Landscape
The ICO’s scrutiny of mobile games is an extension of its Children’s Code Strategy, which enforces the Age-Appropriate Design Code (AADC)—a set of 15 standards that digital services must follow to protect children’s data under UK GDPR. The Children’s Code mandates that services likely to be accessed by children must default to the highest privacy settings, minimize data collection, provide clear and accessible privacy information, and restrict targeted advertising among other requirements. The ICO’s prior interventions in social media and video-sharing platforms have led to significant improvements, such as private profiles by default and restricted visibility of child users.
Specifically, the ICO’s new monitoring program will assess mobile games on three critical fronts: default privacy settings, geolocation controls, and targeted advertising practices. The review will also consider any additional privacy issues that arise during the investigation. This regulatory focus aligns with broader international efforts to strengthen age assurance and data protection for children, including ongoing collaboration with Ofcom under the Online Safety Act and participation in the International Age Assurance Working Group.
Why the ICO’s Focus on Mobile Games Now
The shift toward mobile games reflects their pervasive role in children’s digital lives and the unique privacy challenges they pose. Unlike social media platforms, mobile games often blend entertainment with data-driven features such as profiling for advertising and location tracking, which can be especially intrusive for younger users. The ICO’s early review indicated that many games do not meet the high standards set by the Children’s Code, particularly regarding default privacy settings and the use of geolocation data.
Parental concerns have also driven this focus. Research shows that 30% of parents have stopped their children from using certain mobile games due to worries about data collection or usage. This underscores a pressing need for regulatory oversight to ensure mobile games provide safe, privacy-respecting environments for children.
Applicable Regulations, Standards, and Obligations
The core regulatory framework is the Age-Appropriate Design Code, which requires digital services to:
- Implement default high privacy settings for child users.
- Limit data collection to what is necessary and avoid profiling children for targeted advertising.
- Provide clear, accessible, and child-friendly privacy notices.
- Ensure robust age assurance mechanisms to prevent underage data processing without consent.
- Control geolocation data carefully, minimizing risks of exposing children’s locations.
These obligations are backed by the UK GDPR and the Data Protection Act 2018. Non-compliance can lead to enforcement actions including monetary penalties, as seen in previous ICO cases against platforms like Reddit and Imgur for inadequate age assurance and improper use of children’s data.
Impact on Businesses & Individuals
For businesses developing or publishing mobile games popular with children, the ICO’s investigation signals heightened regulatory risk. Companies must ensure their privacy policies, controls, and procedures align with the Children’s Code to avoid enforcement actions, which can include fines and reputational damage. The ICO’s previous enforcement actions demonstrate that even exiting the UK market does not absolve companies from liability for past infringements.
For individuals, particularly parents and children, this scrutiny aims to enhance privacy protections, reduce exposure to harmful content, and control how personal data is collected and used. It empowers parents to make informed decisions and encourages safer digital environments for children.
Trends, Challenges & Industry Reactions
The ICO’s focus on mobile games follows successful interventions in social media and video-sharing platforms, where changes like private defaults and restricted child visibility have been implemented. However, mobile games present distinct challenges due to their diverse formats—from casual puzzles to complex multiplayer experiences—and their integration of advertising and location-based features.
Industry responses have included calls for clearer guidance on implementing the Children’s Code within game design and operations. Experts emphasize the importance of conducting thorough Children’s Code Data Protection Impact Assessments to identify risks and mitigation strategies. There is also increasing attention on age assurance systems, with the ICO warning against reliance on self-declaration methods that are insufficient for high-risk services.
Current enforcement trends indicate that the ICO is prepared to take robust action against non-compliant platforms, reinforcing the need for mobile game companies to prioritize data protection. The sector is witnessing a gradual shift toward embedding privacy by design and enhancing transparency for young users.
Compliance Requirements
Mobile game developers and publishers should consider the following compliance steps:
- Complete a Children’s Code Data Protection Impact Assessment focusing on data collection, processing, and security for children.
- Set default privacy settings to the highest level, minimizing data sharing and profiling.
- Implement strong geolocation controls to prevent inadvertent exposure of children’s locations.
- Disable targeted advertising and profiling by default for under-18 users.
- Provide clear, accessible, and child-friendly privacy notices, including just-in-time notices explaining data use.
- Adopt robust age assurance mechanisms beyond self-declaration, potentially integrating technological solutions to verify age.
- Regularly audit and update privacy practices to reflect evolving regulatory expectations and technological changes.
Common pitfalls to avoid include lax age verification, opaque data collection practices, and default settings that expose children’s data unnecessarily.
Future Outlook
The ICO’s expanded focus on mobile games signals a broader regulatory trajectory emphasizing children’s digital privacy across all platforms. As enforcement intensifies, mobile game companies will need to embed privacy protections deeply into their products and business models. The Children’s Code is likely to evolve in tandem with technological advancements, requiring ongoing vigilance and adaptation.
Internationally, similar regulatory efforts—from the EU to the US—are converging on stricter controls over children’s data, suggesting a global trend toward more protective frameworks. Collaboration between regulators, industry stakeholders, and child advocacy groups will be crucial in shaping practical and effective privacy standards.
Recommendations for businesses include early engagement with regulators, investment in privacy-enhancing technologies, and transparent communication with users and parents. For parents and guardians, awareness of privacy settings and advocacy for safer digital environments remain key.
Ultimately, the ICO’s Children’s Code scrutiny reveals hidden risks in mobile game privacy that demand urgent attention to safeguard the digital experiences of children today and in the future.
FAQ
1. What is the ICO’s Children’s Code and why does it matter for mobile games?
Ans: The Children’s Code, also known as the Age-Appropriate Design Code, is a set of 15 standards that digital services must follow to protect children’s privacy under UK GDPR. It mandates high default privacy settings, limits on data collection, and restrictions on targeted advertising for children. For mobile games, compliance ensures that children’s data is handled safely and responsibly.
2. Which aspects of mobile games is the ICO reviewing in its investigation?
Ans: The ICO is focusing on default privacy settings, geolocation controls, targeted advertising practices, and any other privacy issues identified during the review of 10 popular mobile games played by children in the UK.
3. What risks do mobile games pose to children’s privacy?
Ans: Mobile games may collect excessive personal data, track location, and profile children for targeted ads, often without adequate safeguards. These practices can expose children to privacy breaches, harmful content, and unwanted contact.
4. What consequences might companies face if they fail to comply with the Children’s Code?
Ans: Non-compliance can lead to ICO enforcement actions including monetary penalties, orders to change practices, and reputational damage. Previous cases against platforms like Reddit and Imgur show that fines and legal scrutiny are real risks.
5. How can mobile game developers prepare for the ICO’s scrutiny?
Ans: Developers should conduct Children’s Code Data Protection Impact Assessments, set privacy-friendly defaults, implement robust age assurance, limit geolocation data use, disable targeted ads for children, and provide clear, child-friendly privacy information.