On 28 March 2024, the Personal Data Protection Commission of Singapore (PDPC) issued its Advisory Guidelines on the Personal Data Protection Act (PDPA) for Children's Personal Data in the Digital Environment (Guidelines).
The Guidelines, which aim to protect children in the digital environment by clarifying the relevant data protection provisions in the PDPA, apply to organisations offering online products and services accessible by children, such as online games, social media services, smart toys and devices, and educational technology. Given the proliferation of online gaming and the gamification of education, it is critical for games companies to understand and comply with the Guidelines.
While the Guidelines define children as individuals who are below 18 years old, the PDPC specified that the Guidelines should be read together with the Data Activities Relating to Minors chapter of its Advisory Guidelines on the PDPA for Selected Topics, which addresses the application of data protection obligation on general activities for individuals below 21 years old.
Games companies can consider complying with the key points of the Guidelines as follows:
Use a child-centric communication approach
When communicating with children, whether through the terms and conditions or via design features in games, companies should use plain and simple language, and adopt age-appropriate media such as infographics, animation, and videos.
Such readily understandable communication is particularly crucial when organisations seek to obtain consent from children for the collection, use, and disclosure of their personal data. To check if the language used is child-friendly, companies can conduct trial runs of their games with children of different age groups, and adjust the language accordingly to ensure comprehension.
Obtain valid consent
Under the Singapore Civil Law Act 1909, a contract entered into by an individual who is at least 18 years old will be taken as effective. While the PDPA does not specify the situations in which a child may give consent, the PDPC has taken the view that children between 13 to 17 years old can give valid consent if they readily understand the policies on the collection, use and disclosure of their personal data, and the withdrawal of their consent.
However, if an organisation believes that a child does not have sufficient understanding of the nature and consequences of giving consent, consent should be obtained from their parent or guardian instead. Specifically for children under 13 years old, consent can only be obtained from the child’s parent or guardian.
Ensure that there are reasonable purposes for use of children’s personal data
Organisations are encouraged to adopt data minimisation policies to ensure that the purposes for the collection and sharing of children’s personal data are considered reasonable under the PDPA.
In online games where personal data is often collected for user accounts, games companies should only collect sufficient personal data for the game to be played effectively. Examples of what is reasonable may include:
- collecting a user’s age for age verification purposes to ensure age-appropriate content or to protect the child from harmful content;
- using behavioural data of the child, such as the use of high-risk search terms (e.g. self-harm or suicide) to direct the child to relevant safety information.
Certain age assurance methods such as analysing behavioural and telemetric data of users (e.g. browsing history) to create a profile of the user’s interests and habits will be considered as collection of personal data of the user. While the PDPC supports the use of such age assurance methods to implement safeguards for children, the personal data collected must be limited to the amount necessary for these purposes.
Similarly, some online games may use geolocation data from mobile phones to identify the location of that device. Such data will be considered personal data if the user can be identified when the geolocation data is combined with other identifiers. To the extent such geolocation data is used to determine or monitor the location of a child user, games companies are encouraged to implement relevant safeguards and data minimisation policies to minimise the risk posed to the child user. For example, collecting a user’s approximate location rather than precise location.
Abiding by the principle of data minimisation will serve as an effective guardrail, ensuring that games companies can provide an engaging gaming experience without amassing unnecessary personal data of children. This can also help in reducing potential risks related to data breaches and misuse, reinforcing user trust in gaming platforms.
Implement and update practices to protect children’s personal data
The PDPC recommends all organisations that handle children’s personal data to implement the basic and enhanced practices listed in its Guide to Data Protection Practices for ICT Systems. Games companies should recognise that data protection by design is not a one-off procedure but should be considered a continuous process through the entire lifecycle of a game. Regular system reviews should be conducted to assess the effectiveness of data protection measures and update them according to the latest technology and potential threats.
This may include developing and maintaining infocomm technology security policies for data protection; including policies on account and access control, backup and retention; using one-time passwords or multi-factor authentication; and conducting network penetration testing on systems that process or store the data.
Implement a data breach notification procedure
Where a data breach affecting a games company results in significant harm to individuals who are children, the company remains obliged under the PDPA to inform the affected individuals, even though the individual is a child. Any communication of the data breach to the child must be in a language that is readily understandable by the child so that the child may understand the consequences of the data breach.
Games companies handling children's data are also encouraged to be proactive and inform parents about data breaches impacting their children’s personal data, even when not strictly required under the PDPA. This proactive approach would enable measures to be implemented to reduce the damage resulting from these occurrences.
Conduct data protection impact assessments
To comply with their accountability obligation under the PDPA, games companies are encouraged to conduct data protection impact assessments (DPIA) to help them develop and implement appropriate data protection policies and practices.
Games companies are also advised to conduct DPIAs prior to the release of online products targeted at children, to allow designers and developers to identify and minimise the privacy risks involved.
The Guidelines provide sample questions to consider when conducting a DPIA, such as the nature of the product or service, the context, purpose and scope of any data processing, consent, protection and security, and breach notification processes.
Commentary
Given the sensitivities around the handling of children’s personal data, which is subject to a higher standard of protection under the PDPA, and the ubiquity of online gaming in today’s digital environment, games companies need to be acutely aware of the measures necessary to ensure compliance. Games companies are encouraged to adopt a data protection by design approach and integrate data protection principles from the developmental stages of their games, rendering data protection an intrinsic part of the gaming experience.
While not legally binding, the Guidelines provide a helpful guide to organisations for compliance with the PDPA, particularly given that the personal data of children is considered to be sensitive personal data and must be accorded a higher standard of protection under the PDPA. The suggestions provided by the PDPC offer practical and actionable steps that organisations such as games companies can take towards ensuring that their products and services remain appropriate for children.