The gaming sector is a thriving industry and is hugely popular amongst young people and children. Ask a boy between 8 and 11 years old if he has played a video game in the past month, and you’ll get a 93% chance of a “yes”. Between the ages of 6 and 10, regardless of gender, 71% of children play video games, and this figure only increases as they get older - reaching 80% among kids between 11 and 14. However, while this active participation is great for the industry, it is not without risks for the younger generation.
While European regulation already involves online users age verification, gaming actors face several challenges in designing and implementing a user-friendly compliant age verification mechanism. Recent European initiatives are moving towards adoption of recommendations on age verification mechanisms, which should enable stakeholders to better anticipate competent authorities’ expectations in practice.
Children need extra care
Children playing videogames may face several risks, including breaches of their privacy rights recognised under the General Data Protection Regulation (GDPR) and of their “safety” rights, covered in particular by the Convention on the Rights of the Child (e.g. the right to live and develop healthily).
In practice, privacy rights can be challenged by the risks inherent in the nature and volume of personal data processed through video games (e.g. name and surname for online account creation, gaming habits for personalised advertising, etc.).
As for safety rights, they can easily be infringed if a child accesses harmful content through online gaming (e.g., exposure to violence, sexual content, etc.). See our Gaming Series #2 post on online safety and gaming from the EU and UK regulatory perspectives for further details on online safety regulation.
State of play from a data protection perspective
Focusing specifically on data protection, the European legislator introduced a specific layer of protection for children’s privacy under the GDPR, by requiring parental consent for processing involving personal data of children under the age of 16 - or at least 13, at the Member state’s discretion.
This requires gaming actors to:
- verify user’s age in order to determine whether parent’s consent is required;
- obtain such a valid consent where the user does not meet the minimum age requirements; and
- in the absence of consent, refrain from collecting and processing the child’s personal data.
Some jurisdictions are even more protective, such as France, which requires a joint consent from both the parent and the child when under 15.
Circumventing challenges
Technical and legal challenges
Implementing an effective age verification mechanism raises however both technical and legal challenges to industry players.
Verifying the age of an Internet user is technically hampered by the difficulty to really know who the person behind the computer or smartphone is.
Various legal obstacles also stand in the way of the development of appropriate mechanism by industry players, including in particular:
- The tricky balance between the necessary processing of children’s personal data to determine their age; and the need to protect their privacy.
- The absence of harmonized legislation in this area, considering the absence of: (i) consensus on the age of minority itself: while the GDPR is particularly flexible on this, the cultural, historical, and social heritage of the different European countries has led them to choose different ages of “online legal majority” (e.g., 15 in France, 13 in Belgium, 14 in Italy, etc.); and (ii) uniform European practical guidelines.
As a result, although the widely applied Pan European Game Information (PEGI) system provides guidance to parents in relation to the age suitability of a game, no proper age verification mechanism has yet emerged in the video game industry, and more generally in the online digital environment.
The digital world has nevertheless tried to comply with existing age-related requirements with more or less creativity.
Existing solutions
Several age verification solutions exist but the French Data Protection Authority (CNIL) has already pointed out their respective weaknesses and areas of improvement:
| Existing solutions | Points for improvement |
| Payment card validation process | Intervention of an independent third party and strong security to limit phishing risks |
| Estimate based on facial analysis | Local verification on the user's terminal to minimize the risk of data leakage |
| Identify documentation | Obtaining proof of identity with "live detection test" together with a certification (or labelling) body to oversee |
Facing this absence of foolproof protection for children, the CNIL has asked for urgent action from public authorities to propose and regulate more reliable, and privacy-friendly devices…
Is Europe about to level up?
A recent paper from the European Parliament has indicated that the EU is currently focusing on age verification guidance. More particularly:
- The new European strategy for a better Internet for children envisages a comprehensive EU code of conduct on age-appropriate design for 2024.
- The Commission intends to strengthen age verification methods by means of a robust framework of certification and interoperability in the context of the EU eID proposal.
- The EU co-founded euCONSENT project is building a browser-based interoperable age verification methodology.
In the meantime, GDPR requirements remain in force. Data protection authorities expect that reasonable efforts and resources will be put in place by gaming stakeholders to demonstrate their willingness to implement a privacy balanced age verification solution: age verification is a serious game!
Visit our dedicated Gaming page to find out about our Linklaters gaming offering.
unknownx500
