This post has been edited as of March 17, 2023 to reflect updated information.
Welcome to part two of a five-part series, where we're diving into the anticipated impact the California Age-Appropriate Design Code Act (AADC) will have across industries. In part one, we looked at five things that advertisers need to be aware of.
Here, we will be examining how the California AADC may impact the video game industry, for game developers and publishers alike.
California AADC Updates.
The California AADC is modeled after the UK Age-Appropriate Design Code, commonly referred to as the "Children's Code." Although no enforcement of the Children's Code has come from the UK Information Commissioner’s Office (ICO) yet, the ICO recently released guidance meant specifically for video game designers. This guidance may shed some light on how California regulators may enforce the California version of the AADC.
In December, 2022, NetChoice (a group of technology companies) sued in California federal court to block the AADC. Professor Eric Goldman of Santa Clara University School of Law filed an amicus brief, arguing the California AADC is unconstitutional. The U.S. Chamber of Commerce argued in its own amicus brief that the California AADC is preempted by federal law, the Children’s Online Privacy Protection Act (COPPA). We are watching this case closely.
Unlike other industries, the video game industry is all but assured to be within the scope of AADC enforcement. Gaming is popular with both children and adults, with many games designed to appeal across all ages. As such, many people of a variety of ages often end up in the same online spaces. While there are many issues that will face game companies under the California AADC, this article focuses primarily on age assurance requirements.
1. Game companies will need to pay close attention to the definition of "online products, services, and features."
The California AADC will apply to certain companies that offer "online products, services, and features" that are likely to be accessed by children under the age of 18. Under the AADC, "online products, services, and features" explicitly excludes the delivery or use of physical products and certain internet and telecommunication providers.
Notably, however, the AADC does not currently define what is within this very broad scope. The definition is interestingly opaque. While massively multiplayer online games seem to clearly fall within this scope, games that are incidentally online may not.
For example, if a single-player RPG game connects to the internet for the sole purpose of providing updates to the game, does it become an "online product?" What if this single-player game is hosted on an online platform, like Steam? What if the game can be downloaded online and accessed offline?
Game companies will need to both keep an eye out for clarification in upcoming regulations and prepare for the possibility that enforcement may extend to these single-player games.
2. Game companies will need to either verify player ages or make their games child-friendly.
Game companies with "online products, services, and features" covered by the AADC will need to estimate players' ages "within a reasonable level of certainty." Although the AADC applies to online products that are "likely to be accessed by a child," this threshold likely covers most, if not all, video games.
As Professor Goldman points out in his amicus brief in the NetChoice case, the California AADC does not require age verification, but rather "age assurances" by covered entities - though this distinction ultimately has little meaning.
This means game companies would need to either: (1) verify all player ages to some degree of reasonable certainty (more on this process below) or (2) redesign aspects of their games to be child-friendly for all players.
The law also arguably requires that game companies complete certain age-estimations, regardless of game design and suitability for children. Again, the threshold question here is whether an online game is "likely to be accessed" by a child under the age of 18. The UK Children’s Code includes guidance on appropriate measures for establishing or estimating the age of users while maintaining compliance with data protection obligations. Notably, the California AADC does not include similar guidance, and it is not clear if such regulatory guidance will be forthcoming.
3. Game companies will need to allocate responsibility for compliance.
Another complicated issue for game companies will be determining which party bears the brunt of responsibility for compliance. While all covered entities will need to comply with the AADC, the power to comply may not be shared equally. Realistically, a game developer does not necessarily have the same technical controls over player access that game publishers or game platforms may have.
This raises the very simple question: who will be in charge of estimating ages?
Each party at the various levels of the gaming ecosystems will likely need to confirm players' ages and will also need to determine who bears responsibility for what. For example, game developers may need to build in certain functionalities which allow for age-verification, and game publishers would then implement these systems, or otherwise employ third-party vendors to do so. Alternatively, platforms could be responsible for maintaining age verification processes that can be used across publishers and trickle down individually through each game.
4. Game companies will need to invest in age-assurance mechanisms.
Game companies that choose to limit certain player access to their games based upon age will need to not only think about which party is responsible, but also how they can begin estimating players' ages.
As Professor Goldman suggests, age-assurance processes likely extend well beyond self-reporting where players provide their own ages (commonly referred to as "age-gating"). This means that game companies will need to either collect documentation from players to verify their ages, or use automated means such as facial scans.
The ICO noted in its recent guidance for the UK Children’s Code that game designers should implement measures to discourage or prevent players from falsifying their ages. Whether California follows the lead of the ICO is uncertain.
5. Game companies will have to consider how to provide privacy protective default settings for player-to-player interactions.
The AADC’s focus on privacy by default almost assuredly extends to online player-to-player interactions.
AADC compliance is likely not as simple as bifurcating a game into one version for minors and one version for adults. Harmful interactions can occur between children; take, for example, a game where thirteen-year-olds can interact with seventeen-year-olds or a twelve-year-old child cyberbullies a same-aged child.
Under the AADC, game companies will need to ensure that they provide highly protective default settings. Some of these include turning off live voice and text chat for minors, allowing minor players to hide their account names so that other players cannot search for them, and providing robust parental controls. Unlike COPPA, companies which fall under the AADC cannot obtain parental consent to legitimize their collection and use of children’s data if it poses a risk of detriment to such children.
Conclusion.
Time will tell whether the NetChoice suit or other challenges to the California AADC will succeed.
Nevertheless, businesses covered by the AADC should think about compliance now. Regardless of what happens to the California AADC, children’s privacy has obviously become an important current focus for regulators.