The Online Safety Act for Games

This is a comprehensive and detailed guide specifically focused around the Online Safety Act and Ofcom’s regulation in relation to the gaming industry.

I have gone through well over 1,000 pages of legislation from the UK Government and statements from Ofcom (the independent regulator appointed by the UK gov to enforce the OSA) to produce the following guide on how the Online Safety Act specifically impacts games.

As a note, I have read everything manually and have written this myself. There was no AI used in the production of this guide.

TABLE OF CONTENT

WHAT IS THE ONLINE SAFETY ACT?

The Online Safety Act is a piece of legislation within the United Kingdom which impacts all companies globally as long as they meet certain conditions regarding users/usage within the UK.

The intent is to make the internet safer for users within the UK, specifically for children.

Alongside the legislation, there is also a new regulatory framework (regulated by Ofcom). There are two key areas of focus; “illegal content and activity”, and “content that is harmful to children”.

The Online Safety Act and Ofcom’s regulatory framework

The Online Safety Act is the legislation, but there are also different and key parts that you need to be aware of which are being regulated by Ofcom.

There is a lot to unpack here, which is why I’ve read every statement and volume, as well as the whole of the Online Safety Act, so I can do my best to make you aware of the key points.

ARE GAMES IMPACTED BY THE ONLINE SAFETY ACT?

THE SHORT ANSWER

Yes, because Ofcom says so, and because the legislation says so.
Here is a screenshot of one section of one volume of one statement where Ofcom specifically reference the gaming industry. They do this dozens of times.

Specific risk factor Key kinds of content harmful to children in draft Children's User-to-User Risk Profile Changes to key kinds of content harmful to children in final Children's User-to-User Risk Profile
1a. Social media services All kinds of content harmful to children Added: Content that shames or otherwise stigmatises body types or physical features and content that promotes depression, hopelessness and despair
1b. Messaging services Bullying content and violent content No change
1c. Discussion forums and chat room services Eating disorder content and suicide and self-harm content No change
1d. Gaming services Abuse and hate content, bullying content and violent content No change
1e. Pornography services Pornographic content No change
1f. Video-sharing services Dangerous stunts and challenges content, eating disorder content, harmful substances content, suicide and self-harm content, and violent content Added: Abuse and hate content, content that shames or otherwise stigmatises body types or physical features and content that promotes depression, hopelessness and despair
2a. Services with user profiles Eating disorder content Added: Abuse and hate content
2b. Services where users can post or send content anonymously, including without an account Abuse and hate content, bullying content and violent content Added: Content that promotes depression, hopelessness and despair
3a. Services with user connections Dangerous stunts and challenges content, pornographic content, suicide and self-harm content, and violent content Added: Eating disorder content

Table 5.1. Differences between the key kinds of content harmful to children associated with specific risk factors in the draft and final Children's User-to-User Risk Profile

AS PER THE LEGISLATION SPECIFICALLY

Services who have users in the UK (1.1,) need to be safe by design (1.3.a,) and have a higher standard of protection for children than adults (1.3.b.i,), whilst providing transparency and accountability in relation to those services (1.3.b.iii,).

Games are user-to-user internet services, as they are an internet service (”a service that is made available by means of the internet (228.1) by means of which content (see definitions) that is generated directly on the service by a user may be encountered by another user(s) of the service (3.1,) specifically in regards to users being able to communicate and send messages to each other (55.3.). You are a “regulated user-to-user service if your game has links with the United Kingdom (4.2.a,), which means that users from the United Kingdom are a target market for your game, children from the United Kingdom are likely to play your game, or your game is capable of being used in the United Kingdom by children (4.6.a), or your game might be found appealing by children within the UK.

Additionally, here are the key definitions from the Online Safety Act (the actual legislation). These are important to understand, or at least be aware of.

FURTHER SUPPORTING THAT GAMES ARE IN SCOPE

Feedback from the gaming industry and Ofcom’s responses in relation to the Online Safety Act and consultations on Ofcom’s regulatory framework:

Gaming services - Summary of stakeholder feedback
4.105 Stakeholders discussed our assessment of risks associated with gaming services:

  • UK Interactive Entertainment (Ukie) suggested that, unlike social media platforms, the controlled environment of gaming platforms reduces the risk of children encountering harmful content.90 █████ also emphasised the importance of proportionality and taking a service-specific approach to risks associated with gaming platforms.

  • █████ suggested that our presentation of risks associated with violent content, bullying content and abuse and hate content on gaming platforms is “misleading” and would disproportionately burden the “diverse and dynamic” gaming industry.

  • b4.106 █████ challenged our conflation of gaming services with games-adjacent communications platforms.

Ofcom’s decision

4.107 We have assessed our presentation of gaming services in the Children’s Register and consider that we have presented a balanced discussion of the relevant risks, based on the available evidence. We recognise that risks will differ depending on the design of specific gaming services, which we expect providers to reflect in their risk assessments. More detail on the process that services should follow in conducting their risks assessments is set out in the Children’s Risk Assessment Guidance.

We note the distinction between gaming services, which allow users to interact within partially or fully simulated virtual environments, and gaming-adjacent services, where users are able to stream and chat about games. We have, therefore, updated Section 5 of Children’s Register (Abuse and hate content) to include the term ‘gaming-adjacent services’ to more accurately represent the examples provided.

Link to Ofcom’s statement “Volume 2: Protecting children from harms online, the causes and impacts of online harms to children”.

Additionally, Ofcom has conducted research into children and their access to video games, and found:

  • (1.38) More than 80% of children once they hit the age of 13 play online video games

  • (1.39) 7-18 year olds spend on average 3.4 hours a day online.

  • (1.45b) Many children play online games which may bring them into contact with strangers, including adults.

  • Three quarters (75%) of children aged 8-17 game online,

  • 25% play with people they do not know outside the game.

  • Additionally, 24% chat to people through the game who they do not know outside of it.

  • When prompted, 62% of parents whose 3-17-year-old played games online expressed concern about their child talking to strangers while gaming (either within the game or via a chat function) and 54% were concerned that their child might be bullied.

See “Children’s online behaviours and risk of harm within the Children’s Register of Risks"

IN SUMMARY - ARE GAMES IMPACTED BY THE OSA?

Yes. There is no way you can possibly argue that games/gaming services are not in scope or don’t need to make changes to be compliant.

Ofcom don’t care if you think it’s unfair or not relevant to games.
From their research and stats, they have determined that such a massive proportion of children have access to and play games, that the gaming industry 100% needs to be regulated to protect children from encountering illegal or harmful content.

They think it is fair and relevant, and they will fine you 10% of global turnover or £18m, whichever is greater, if you fail to comply.
Games are 100% in scope and being regulated - without a shadow of a doubt.

DO I NEED TO CARE ABOUT COMPLYING WITH THE ONLINE SAFETY ACT?

Yes. Fines are £18m or 10% of global turnover, whichever is greater.

Here are some comments from Ofcom’s latest statement “Volume 1: Overview scope and regulatory approach” from their finalised guidance regarding the Online Safety Act:

“Services cannot decline to take steps to protect children because it is too expensive or inconvenient – protecting children is a priority. All services, even the smallest, will have to take action”

It doesn’t matter if you’re a small studio/game; you have to comply. No excuses.

”By now, all services must have carried out assessments to determine whether they are in scope of the children’s safety duties. We anticipate that most services not using highly effective age assurance will be in scope of the regulatory package we are confirming today.”

Services in scope of the children’s safety duties now have until 24 July 2025 to complete and record their children’s risk assessments, as explained in the Children’s Risk Assessment Guidance. There’s lots of work which you should have completed by now, and if you haven’t - do it now. The most important and major deadlines are coming up. Don’t miss them.

“We can now confirm that our proposals will also include measures to protect children from grooming through the use of highly effective age assurance. By the end of 2025, we will publish our final guidance on wider protections for women and girls following our consultation in February 2025.”

This is an evolving and expanding topic which will progress further legislatively to further protect users, which means service providers will have to continue evolving their processes and adjusting their product/service offering to ensure compliance, as the compliance changes.

Additionally, you need to remember that the Online Safety Act has been enacted for the first time in the UK, but it is not unique. Australia has passed their version and it is coming into regulation at the end of 2025, and EU member states are in the process of passing their own versions.

So this is not a one-off tick box exercise for today, and it’s not something that you can ignore. This is a global area of focus, and will be ever-developing over the coming years.

WHAT DO GAMES HAVE TO DO?

THE ACCURATE, SHORT, BUT NOT-VERY-HELPFUL ANSWER

Follow Ofcom’s guidance and to complete the:

  1. Children’s access assessment, (should have been completed by Jan 2025)

  2. Illegal content assessment and safety duties, (should have been completed by March 2025)

  3. Children’s risk assessment, (should have been completed by April 2025)

  4. Comply with Children’s Safety Duties. (Due July 25th 2025 at the latest)

Ofcom has hundreds of pages of guidance as well as online/interactive tools regarding how to do this. I recommend your DPO, legal team, or designated child safety officer (which is a new named person you have to have) read and complete these steps.

Although this is critically important, and you need to do this, it’s not a helpful answer as an overview to the games industry. As a result, I’ve condensed a lot of information to give you a more full and useful answer. That said, you still need to do the above.

SECTION 1 - Types of content that the Online Safety Act and Ofcom are regulating

There are two types of content, two assessments you need to undertake, and two lots of steps you need to perform:

SUMMARY OF TYPES OF CONTENT THAT THE ONLINE SAFETY ACT AND OFCOM ARE REGULATING

Summary of content types for video games:

Although there are a lot of content types to cover; most of the behaviours in relation to games can be distilled into three main groups. We will cover functionalities in full detail in the coming section, although we touch on it here.

1. Toxic players who send message that are:

  • Primary Priority Content:

    • Encourage or provide instruction on suicide (tell people to kill themselves, especially who do so enthusiastically and in detail).

    • Encourage or provides instruction on self-harm (tell people to hurt themselves, especially who do so enthusiastically and in detail).

  • Priority Content:

    • Abuse - generally abusive content targeting specific protected characteristics.

    • Bullying - humiliating or degrading content, and/or conveying a serious threat.

2. Predators who message/communicate with children (CSEA, CSAM, and grooming)

  • Content which incites a child under 16 to engage in sexual activity, even where the incitement takes place but the sexual activity does not.

  • Sexual communication with a child where:

    • The child is under 16,

    • The perpetrator is over 18,

    • The adult intends to communicate with the child,

    • The communication is either itself sexual, or was intended to encourage the child to make a sexual communication,

    • The adult did not believe the person they were communicating with was 16 or over,

    • The communication was for the purposes of sexual gratification of the adult in question.

3. Violent content within the game itself which may not be age-appropriate

  • Violent content relating to people:

    • If your game has content which depicts real or realistic serious violence against a person,

    • or the real/realistic serious injury of a person in graphic detail,

  • Violent content relating to animals, including fictional creatures:

    • Depicts real or realistic serious violence against an animal,

    • Depicts real or realistic serious injury of an animal in graphic detail,

    • Realistically depicts serious violence against a fictional creature, or the serious injury of a fictional creature in graphic detail.

SECTION 2 - Risk Factors

Ofcom have established risk factors for service providers. The three that are most relevant to games are:

  1. Service type

  2. User base

  3. Functionalities

The nice thing here is that almost all games will fall into the same categories:

  • You are all games (service type)

  • User base will be diverse based on game and genre

  • Almost all games have the same risk factors in regards to functionality:

    • Anonymous profiles (anyone can create an account and it’s not tied to them as a person),

    • User networking and user connections, (user’s who don’t know each other can come across each other),

    • The big one: User communication (user’s can message and/or chat).

  • There are lots of service types, but as you’re reading this, we will assume that you are a game.

  • Age is a key component to your user base.
    For the full read and context on age, read: “17. Recommended age groups” (page 311) of the Children’s Register of Risks”.

    Additionally, to support age being a key factor specifically within games, Ofcom has undertaken research and found (see “Children’s online behaviours and risk of harm within the Children’s Register of Risks"):

    • (1.38) More than 80% of children once they hit the age of 13 play online video games

    • (1.39) 7-18 year olds spend on average 3.4 hours a day online.

    • (1.45b) Many children play online games which may bring them into contact with strangers, including adults.

      • Three quarters (75%) of children aged 8-17 game online,

      • 25% play with people they do not know outside the game.

      • Additionally, 24% chat to people through the game who they do not know outside of it.

      • When prompted, 62% of parents whose 3-17-year-old played games online expressed concern about their child talking to strangers while gaming (either within the game or via a chat function) and 54% were concerned that their child might be bullied.

    The age bands are as follows:

    • 0-5 pre-literate and early literacy.

    • 6-9 years: Core primary school years.

    • 10-12 years: Transition years.

    • 13-15 years: Early teens.

    • 16-17 years: Approach adulthood.

    As a note, these age bands align with the Information Commissioner’s Office (ICO) Age appropriate design code, on the basis of evidence linking certain online behaviours to age and developmental stage. Additionally, Ofcom mention that they created these age groups with consideration to life stages, online presence, parental involvement, and age-specific risks.

    Additional and important commentary from Ofcom regarding age and age bands includes:

    17.1 As mandated by the Online Safety Act 2023 (the Act), user-to-user services must assess “the level of risk of harm to children presented by different kinds of content that is harmful to children, giving separate consideration to children in different age groups”. There are similar requirements for search services to consider children in different age groups.

    17.2 The Act also imposes a number of safety duties requiring services likely to be accessed by children to manage and mitigate risks of harm from content that is harmful to children. This includes, in relation to user-to-user services, operating a service using proportionate systems and processes designed to:
    - (i) prevent children of any age from encountering primary priority content that is harmful to children, and
    - (ii) protect children in age groups judged to be at risk of harm (in the risk assessment) from encountering priority content that is harmful to children and non-designated content.1573

    0-5 pre-literate and early literacy.

    A time of significant growth and brain development for very young children. Children of this age are heavily dependent on their parents, with parental involvement substantially influencing their online activity.

    Age-specific risks

    17.15 Just by being online, children in this age group are at risk of encountering harmful content. As children use devices or profiles of other family members, this may lead to a risk of encountering age-inappropriate content, including harmful content, as recommender systems1587 recommend content on the basis of the search and viewing history of the other user(s).

    17.16 The use of child-specific or restricted-age services does not guarantee that children will necessarily be protected from harmful content. It is possible that children may be more likely to use these services unsupervised. There have been cases of bad actors in the past using child-friendly formats, such as cartoons on toddler-oriented channels, to disseminate harmful content on child-specific services.1588

    6-9 years: Core primary school years.

    After starting mainstream education, children become more independent and increasingly go online. Parents create rules to control and manage their children’s online access and exposure to content.

    Age-specific risks

    17.24 Some children in this age group are starting to encounter harmful content, and this exposure has the potential for lasting impact. Research by the Office of the Children’s Commissioner for England found that, of the children and young people surveyed who had seen pornography, one in ten (10%) had seen it by the age of 9. Exposure to pornography at this age carries a high risk of harm. For example, older children reflect on being deeply affected by sexual or violent content they encountered when they were younger, which may have been more extreme than they anticipated (in some cases the child had looked for the content, and in other cases it had been recommended).1600

    17.25 Children are also being exposed to upsetting behaviour online. Over a fifth (22%) of 8-9- year-olds reported that people had been nasty or hurtful to them, with a majority of these children experiencing this through a communication technology such as messaging or social media.1601

    17.26 As with the younger age group, the use of family members’ devices or profiles may lead to a risk of encountering age-inappropriate content, including harmful content. Recommender systems present content on the basis of various factors, including the profile of the user and the search and viewing history of any user(s) of that account/profile. For example, we heard from children who had been shown harmful content via an auto-play function on a social media service when using their parent’s phone and account.1602

    10-12 years: Transition years.

    A period of rapid biological and social transitions when children gain more independence and socialise more online. Direct parental supervision starts to be replaced by more passive supervision approaches

    Age-specific risks

    17.33 More independent use of devices, and a shift in the type of parental supervision, as well as increased use of social media and messaging services to interact with peers, creates a risk of harmful encounters online. Children may start to be more exposed to, or more aware of, bullying content online, with 10-12-year-olds describing how they feel confused when trying to distinguish between jokes and ‘mean behaviour’ online.1613 Due to the rapid neurological development taking place in the teenage brain at this point, the psychological impacts of bullying can last into adulthood.1614 Research has found that of the children who have seen online pornography around one in four (27%) had encountered it by the age of 11.1615

    17.34 Despite a 13+ minimum age restriction for many social media sites, 86% of 10-12-year-olds say they have their own social media profile.1616 Our research estimates that one in five (20%) children aged 8-17 with an account on at least one online service (e.g., social media) have an adult profile, having signed up with a false date of birth. Seventeen per cent of 8- 12-year-olds have at least one adult-aged (18+) profile.1617 Alongside this, 66% of 8-12-yearolds have at least one profile in which their user age is 13-15 years old.1618

    17.35 Evidence suggests that 11-12 is the age at which children feel safest online. A report by the Office of the Children’s Commissioner for England found that the proportion of children who agree they feel safe online peaks at ages 11 and 12 (80%), increasing from 38% from the age of 5.1619

    13-15 years: Early teens.

    This age group is fully online with children using an increasing variety of services and apps. Parents’ involvement in their children’s online use starts to decline. Increased independence and decision-making, coupled with an increased vulnerability to mental health issues, means children can be exposed to, and actively seek out, harmful content.

    Age-specific risks

    17.45 A greater use of online services, more independent decision-making and the risk-taking tendencies common in this age group can together increase the risk of encountering harmful content.

    17.46 Ofcom research estimates that a fifth (19%) of 13-15-year-olds have an adult-aged profile on at least one online service, potentially exposing them to inappropriately-aged content.1640 A falsely-aged profile will also mean a child can access and use functionalities on services that have a minimum age of 16 years old, such as direct messaging or livestreaming on some services.

    17.47 Exposure to hate and bullying content increases from the age of 13. Sixty-eight per cent of 13-17-year-olds say they have seen images or videos that were ‘mean, or bully someone’, compared to 47% of 8-12-year-olds.1641 Encountering hate online is also quite common; three-quarters of children aged 13-15 report having seen online hate on social media.1642

    17.48 Children in this age group are particularly vulnerable if they encounter content relating to self-harm and suicide.1643 Due to hormonal changes and mental health challenges, children in this age group may be at risk of the most severe impacts from encountering this type of content, particularly if seen in high volumes.1644 Five per cent of 13-17-year-olds had experienced/seen content encouraging or assisting serious self-harm, and 4% had experienced/seen content encouraging or assisting suicide over a four-week period.1645

    16-17 years: Approach adulthood.

    At 16 children attain new legal rights for the first time, while parental supervision, and parental concern about their online safety, both decrease. But changes in their behaviour and decision-making ability at this age can lead to an increased risk of exposure to harmful content.

    Age-specific risks

    17.59 Our research also estimates that almost three in ten (28%) of 16-17-year-olds have a profile with an age of at least 18 on at least one online service (e.g., social media).1663 These children could receive age-inappropriate content suggestions as well as access restricted functionalities. For example, some services restrict the use of livestreaming to 18-year-olds.

    17.60 Older children are also more likely to experience communication that potentially makes them feel uncomfortable; 64% of 16-17-year-olds reported experiencing at least one potentially uncomfortable communication, compared to 58% of 13-15-year-olds. These uncomfortable experiences included receiving abusive, nasty or rude messages/voice notes/comments, reported by one in five (20%) 16-17-year-olds.1664

    Summary on user base:

    A core part of performing your illegal content, children’s access, and children’s risk assessments includes understanding your user base.

    One key requirement from the legislation, which is reiterated by Ofcom, is the need of services to use highly effective age assurance (HEAA) as part of your children’s access assessment and to perform your illegal content safety duties and children’s safety duties.

    To paraphrase: You can’t state that you don’t have children accessing your service, or the age bands of your users, without having HEAA implemented. Additionally, HEAA is required to abide by your illegal content and harmful content safety duties.

    If you have PC, PPC, or NDC which children either can access, or may have access to, you will have to implement HEAA to both understand your user base, as well as protect them from this content. That said, you have the ability to proportionately adjust certain access based on age band.

  • There are two parts to functionalities: functionality within your existing game which attribute to risk factors, and functionalities that Ofcom recommend to mitigate risk. This section focuses on the former (functionalities in your game currently which can attribute risk of illegal content or harmful content being discovered or interacted with by children).

    There are two main themes throughout the guidance regarding the gaming industry on functionality; User Messaging and Anonymity.

    For full context, please review Ofcom: Children’s Register of Risks:

    • Section 3: Suicide and self-harm content
      3.42 - Suicide and self-harm content in gaming services (Primary priority content)

    • Section 5: Abuse and hate content
      5.86 - Abuse and hate content in gaming services (Priority content)

    • Section 6: Bullying content,
      6.60 - Bullying content in gaming services (Priority content)

    • Section 7: Violent content
      7.58 - Violent content in gaming services (Priority content)

    It is absolutely clear that Ofcom has identified that in-game messaging and communication is a key area of risk for children in regards to coming into contact with suicide and self-harm content, abuse and hate content, bullying content, and violent content.

SUMMARY OF RISK FACTORS

I don’t think it comes as a surprise to any of us, but Ofcom has evidenced and established that:

  • Children are playing video games younger than ever before, and for longer periods,

  • Players can communicate in games,

  • Games have toxicity amongst players,

  • That toxicity, whilst maybe considered unpleasant behaviour amongst adults, is actually an extremely high risk point of the Online Safety Act and Ofcom in relation to children. Especially Suicide and Self-harm content, which is classified as Primary Priority Content (the most extreme content which children have to be protected from the most).

  • Ofcom highlight anonymity amongst players as a large risk factor. This is something that I don’t think will be able to change, for two reasons:

    • I don’t believe players would be tolerant of sharing their real identity with games companies,

    • I don’t believe players would be accepting or tolerant of their real identity being openly available, visible, or tied to their game accounts,

    • I don’t believe that it would be legal under GDPR, ePrivacy directive, or CCPA to enforce this upon users.

  • With that said, the lack of accountability behind behaviour is clearly a risk factor - as Ofcom have established. The anonymity aspect doesn’t have to be compromised to provide the accountability functionality though; which is something we have accomplished at PlaySafe ID.

SECTION 3 - Codes of practice and recommended measures

The following are functionalities you almost certainly need to add into your game/service. These are all important to Ofcom and the Online Safety Act, and cannot be overlooked or deferred. They need to be considered and implemented where appropriate.

I have broken down the list of codes to those specific to games, but for all details, please refer to: Protection of Children Code of Practice for user-to-user services.

    • PCU A2 - Individual accountable for the safety duties protecting children and reporting and complaints duties,

    • PCU A3 - Written statements of responsibilities,

    • PCU A5 - Tracking evidence of new and increasing harm to children,

    • PCU A6 - Code of conduct regarding protection of children from harmful content,

    • PCU A7 - Compliance training.

    • PCU B5 - Priority content is prohibited on the service, but it is not technically feasible to take down all such content when the provider determines it to be in breach of its terms of service. This covers bullying, abuse and hate, and violent content (toxic messages from users).

    • Potentially, PCU B4 - which is the same as above but in relation to Primary Priority Content (specifically suicide or self-harm). For games with a higher proportion of serious toxicity, this might be more appropriate.

    • At either rate, you will need to implement highly effective age assurance to gate user access to the relevant functionalities (user communication) until HEAA has been completed. More on this specifically in the following section.

    • PCU C1 - Having a content moderation function to review and assess suspected content that is harmful to children,

    • PCU C2 - Having a content moderation function that allows for swift action against content harmful to children,

    • PCU C3 - Setting internal content policies,

    • PCU C4 - Performance targets,

    • PCU C5 - Prioritisation,

    • PCU C6 - Resourcing

    • PCU C7 - Provision of training and materials to individuals working in content moderation (non-volunteers),

    • PCU C8 - Provision of materials to volunteers.

    • PCU D1 - Enabling complaints,

    • PCU D2 - Having easy to find, easy to access, and easy to use complaints systems and processes,

    • PCU D3 - Provision of information prior to the submission of a complaint,

    • PCU D4 - Appropriate action-sending indicative timeframes,

    • PCU D5 - Appropriate action-sending further information about how the complaint will be handled,

    • PCU D6 - Opt-out from communications following a complaint,

    • PCU D7 - Appropriate action for relevant complaints about content considered harmful to children,

    • PCU D8 - Appropriate action for content appeals-determination,

    • PCU D10 - Appropriate action for content appeals-action following determination,

    • PCU D11 - Appropriate action for age assessment appeals

    • PCU D13 - Appropriate action for complaints about non-compliance with certain duties

    • PCU D14 - Exception: Manifestly unfounded complaints.

    • PCU F1 - Providing age-appropriate user support materials for children,

    • PCU F3 - Signposting children to support when they report harmful content,

    • PCU J1 - User blocking and muting, only where your game has more than 700,000 monthly active United Kingdom users,

    • PCU J3 - Invitations to group chats, where the service has group messaging functionality.

    • PCU G1 - Terms of service: Substance (all services),

    • PCU G3 - Terms of service: Clarity and accessibility.

SUMMARY OF CODES OF PRACTICE AND RECOMMENDED MEASURES

There’s a lot you have to do here, and it’s as simple as “do it”:

From having a designated and named member of staff responsible for protecting children, reporting, and complaints duties, to a whole host of functionality that you just have to have in place.

The good news is that Ofcom have made it very clear as to what you have to do. The bad news is, there’s a lot.

Section 4 - What we recommend / predict that games will do

Firstly, you need to complete the following:


Here are other important bits of info to support you in doing so:

In the following sections, we will specifically cover “what do I need to do to my game” aside from the administrative processes mentioned above.

Requirement - Implement Highly Effective Age Assurance

Firstly, let’s cover what Ofcom and the OSA say about HEAA:

2.1 All providers of Part 3 services are required to carry out children’s access assessments to determine whether a service, or part of a service, is likely to be accessed by children.

2.2 The Act says that service providers may only conclude that it is not possible for children to access a service if that service uses a form of age assurance with the result that children are not normally able to access that service or part of it. 1

2.3 We consider that, in order to secure the result that children are not normally able to access their service (or a part of it), service providers should deploy highly effective age assurance and implement effective access controls to prevent users from accessing the service (or relevant part of it) unless they have been identified as adults.2

2.4 As stated in the Children’s Access Assessment Guidance, service providers should consult this guidance to understand what constitutes highly effective age assurance and / or to carry out an in-depth assessment of whether a particular form of age assurance is highly effective for the purpose of stage 1 of the children’s access assessment.3 Protection of Children Codes

2.5 The Protection of Children Code of Practice for user-to-user services (“the Code”), includes recommended measures on the implementation of highly effective age assurance in certain circumstances. 4 The Code sets out the definition of highly effective age assurance for these recommended measures, and lists the steps that service providers should take to fulfil each of the criteria.5

2.6 The Code also includes other recommended measures which may be relevant to the way that service providers implement and operate a highly effective age assurance process on their service – for example, measures relating to the clarity and accessibility of terms of service, and reporting and complaints.6

2.7 Service providers are required to keep records of (1) steps that they have taken in accordance with the Code, or (2) any alternative steps they have taken to comply with their duties.7 Service providers should consult our Record Keeping and Review Guidance for this purpose.8

2.8 This guidance will help service providers in adopting recommended measures that relate to the implementation of highly effective age assurance, by providing additional technical detail and examples on how to meet the standard.

It’s clear that you need to implement highly effective age assurance, both to effectively and accurately complete your Children’s Access Assessment, but also to abide by your Children’s Safety Duties thereafter.

Criteria to ensure an age assurance process is highly effective

4.1 Service providers need to:

- choose an appropriate kind (or kinds) of age assurance; and
- implement it in such a way that it is highly effective at correctly determining whether a user is a child.

4.2 To ensure that an age assurance process is, in practice, highly effective at correctly determining whether or not a user is a child, service providers should ensure that the process fulfills each of the following four criteria:

- it is technically accurate;
- it is robust;
- it is reliable; and
- it is fair.

Please see Guidance on highly effective age assurance part 3 services for all details.

Additionally, providers are need to consider:

  • Accessibility for users,

  • Interoperability; the ability for technological systems to communicate with each other using common and standardised formats.

Kinds of age assurance that are capable of being highly effective:

  • Photo-ID matching - The most accurate, robust, reliable, and fair.

  • Facial age estimation - Varying degrees of accuracy and reliability. Potentially more risky than photo-ID matching.

  • Opening banking - Accurate, robust, and reliable. Fair for over 18s, not usable for under 18s. Suitable for Primary Priority Content gating to an entire service. Not suitable for most games.

  • Credit card checks - Same as Open Banking.

  • Email-based age estimation - Varying degrees of accuracy and reliability; likely similar to open banking; good for gating under 18s, but likely less good at accurately providing an actual age of a user.

  • Use a Digital Identity Service - The best solution if the digital identity service uses Photo-ID matching. This means you don’t have to provide any disruption to users who are already verified, and new users being verified for the first time will be able to re-use the verification across other services in the future. Highest level of accuracy, robust, reliability, fairness - with least amount of friction, disruption. Additionally, improves accessibility for users, and ticks the interoperability consideration.

What methods are not capable of being highly effective:

  • Self-declaration of age,

  • Age verification through online payment methods which do not require a user to be over the age of 18,

  • General contractual restrictions on the use of the service by children,

SUMMARY OF HIGHLY EFFECTIVE AGE ASSURANCE

My recommendation is to use a reusable digital identity service, but make sure you choose one who verifies users based on photo-ID matching.
This is for a few very important reasons:

  1. They will have an easier integration by which you just call their API and ask if a user is valid or for the users’ age,

  2. They will be the data controller for all the PII (personally identifiable information) collected and processed throughout the verification process. If however you integrate or use any other method, you are the data controller, and the service you use is the data processor. This has GDPR, ePrivacy, and CCPA implications regarding data collection, handling and processing, increasing your workload, complexity, and liability. Whereas working with a reusable digital identity service dodges all of this for you; especially if they only return the user’s age and not a date of birth (as it’s too course to be considered PII either directly or indirectly).

  3. There’s less friction to the end user as they can verify themselves once with the reusable digital identity service, and then prove their age without sharing any other information with a wide range of games and services.

  4. Following on from the previous point; Gamers HATE sharing information and data with games companies. Having a setup which means they don’t have to share this data with you (through integrating any other solution) will provide the best experience to the player/user.

  5. Lower costs: A reusable digital identity service has volume commitments with a KYC provider, which means they get a much lower price per verification. This lower price can be passed on to you.

  6. The most compliant and future-proofed solution as per the legislation. A reusable digital identity service that uses photo-ID matching is the most technically accurate, robust, reliable, and fair method out of all which are “capable”. You only want to implement a solution once, so make sure you implement the right one so you don’t have to make big changes and cause disruption to your game and players in a few months.

Recommended provider

I recommend you integrate PlaySafe ID as it is the reusable digital identity provider specifically designed for games and gamers.

In addition to all of the improvements to your compliance and reduction to liability, speed and ease of integration, and massive cost savings - we also provide meaningful accountability to bad actors to keep your game fair and safe for everyone.

With PlaySafe ID you can turn on a new set of matchmaking where only verified PlaySafe ID users can play. Users who are caught cheating, hacking, botting, or being inappropriate to children face penalties across all PlaySafe Protected games and services.

So, not only can you solve your compliance and liability issues regarding the Online Safety Act and Ofcom, and future proof yourselves from the Australian and EU versions coming soon - but you can also directly provide the most fair, fun, and safe environment for players to improve retention and ARPU - all with less risk, cost, time, and effort.

Requirement - Limiting access to functionality based on age

As established by Ofcom and mandated by Ofcom and the Online Safety Act, in-game messaging is a high risk factor for children due to the range of illegal and harmful content that can be encountered:

  1. Illegal content:

    1. CSEA,

    2. CSAM,

  2. Grooming.

  3. Harmful content:

  4. Primary priority content: Suicide and self-harm content,

  5. Priority content: Abuse and hate content, bullying content, and violent content.

The good news for games is as follows:

You are considered PCU B5 (Link here - page 10)

This means that you don’t allow PPC, PC, or NDC on your service, but it might exist and users might encounter it before you can reasonably stop/remove it. For example: user communication. You don’t allow any of the content types above, but that doesn’t mean you can stop them instantly 100% of the time.

As a result of being a PCU B5, you DON’T have to block access to your service/game before a user completes the highly effective age assurance process.
In other words, anyone can still buy, download, install, and play your game as normal.

It DOES mean however that you WILL likely have to block access to all user-to-user messaging/communication services until the users has completed the HEAA process, as this is where the risk for illegal content and harmful content lays. Note: This will be subject to your own children’s access assessment, illegal content assessment and safety duties, , children’s risk assessment, and children’s safety duties - which you still need to complete. But this is the likely outcome in my opinion.

There will likely be variability in the limitation/restriction of service based on age group and your assessments. For example, you might find that:

  • All user-to-user communication is disabled until a user is 13 years old,

  • From 13-17 communication is enabled, with parental controls, and with the profanity filter permanently on,

  • Note: This is not an instruction. You will have to complete your own assessments and determine the right implementation for your specific game and userbase. This is a broad guess from intuition and experience as to what my gut feeling is will be the most likely outcome in the majority of cases. But, do the work yourself and ensure you implement the right solution for your game(s).

  • You might find that a different approach, more staggered approach, or even a more lenient or stronger approach is required. It depends on your game, userbase, and identified risks.

IMPLEMENT THE FUNCTIONALITY RECOMMENDATIONS (TO IMPROVE CHILD SAFETY)

As per the Protection of Children Code of Practice for user-to-user services, and as referenced in section 3 (above) “Section 3: Codes of practice and recommended measures”, you need to ensure you implement the recommended functionalities required to improve child safety.

These include functionalities that improve:

  • Governance and accountability of your service

  • Age assurance (highly effective age assurance)

  • Content moderation

  • Reporting and complaints

  • Settings, functionalities, and user support

  • User controls

  • Terms of service

SUMMARY

I believe that the Online Safety Act and Ofcom are well intentioned and basing their legislative and compliance frameworks from extensive research, data, and consultation (with industry, users, parents, and children). I also believe that any reasonable adult with a common-sense view can appreciate the online world as it is today is not a safe environment for children. By giving children access to the internet, we are giving them access to any and all content, as well as the ability to contact or be contacted by any and all people. A literal Pandora's box.

It is for these reasons that I believe the Online Safety Act is a positive legislative and compliance beachhead which has the potential to make an incredibly positive impact on the lives of millions of children in the UK - and as the Australian and EU member state versions come into effect, across the world too.

I think that age-gating as it stands today (asking a user if they’re over 18 and to click a button) is a woefully pathetic system, and in 10 years we will all look back at how bad it was, and shake our heads collectively in disbelief at how easy it was for children to access things which we all universally agree as a society that they shouldn’t be able to access.

I feel that highly effective age assurance is an incredibly positive step, especially when implemented through a reusable digital identity service who uses photo-ID verification. I think it provides as frictionless and as positive an experience as possible for the user, whilst minimising disruption, risk, cost, effort, and liability on the game studio/developer. We have also already proven at PlaySafe ID that gamers are happy to verify themselves in exchange for a better gaming experience - as long as their data is secure and never shared with the game studio, and with the addition of PlaySafe Protected matchmaking to keep cheaters & bad actors out of games.

I also think that the measures to restrict functionality that isn’t age appropriate, or that may contain the risk of exposing children to illegal content or harmful content is a good step. There will likely be resistance, or reluctance, of games wanting to implement these features (because it’s time, money, effort, and extra work). But, it’s now business-critical for them to do so, and I think it’s a positive thing. I do also like that Ofcom have taken a proportionate response and not made it a requirement to gate access to all services prior to a user completing the HEAA process. Just gating the functionality that poses the risk is a positive step that should minimise disruption to games.

Ultimately, I suppose my final thought is this:

Games are supposed to be fun. They aren’t supposed to be dangerous.
Kids shouldn’t be at risk of CSEA, CSAM, or grooming. They also shouldn’t be at risk of coming into contact with suicide or self-harm content, bullying, abuse or hate content, or violent content.

The experience of playing a game should be something we all look forward to - not something that fills parents with dread or leaves children frightened, scared, sad - or damaged.

It’s all of our jobs to do better.
And the Online Safety Act and Ofcom are taking the legislative and compliance framework steps to ensure that we all collectively do better.
Because children deserve better than we’ve all been able to deliver so far.

AUTHOR & ABOUT

This guide was written by Andrew Wailes, CEO of PlaySafe ID.
Andrew has a particular focus on gaming tech with reference to changing legislative and compliance landscapes.
His main areas of focus are gaming, gaming tech, Online Safety Act, GDPR, ePrivacy Directive, and COPPA - as well as Apple’s & Google’s policies, and some other random stuff.

Visit the PlaySafe ID Studio/Dev page and learn how we can help you solve your OSA/Ofcom compliance issues today.