Introduction

In 2019, the TIGA board discussed and devised a draft set of voluntary Principles for Safeguarding Players. On 13th December 2019, TIGA published the draft Principles and Positive Practices (see below) and invited games businesses to provide feedback and comments.  The formal consultation period ended on 20th January 2020. On 25th February 2020, TIGA formally published the first set of voluntary Principles for Safeguarding Players and Positive Practices.

TIGA will continue to welcome further feedback and comments on the Principles and Positive Practices, which should be sent to: suzi@tiga.org

1. Protecting children

Take particular care in the design of games that are likely to appeal to children and provide the necessary tools and information about content for parents, guardians and children to enable them to manage all aspects of their children’s enjoyment of games.

2. Treating consumers fairly

Deal with players as consumers in a fair manner at all times, in addition to complying with all relevant marketing, advertising and consumer protection law.

3. Safeguarding online communities

Make every effort to ensure that online communities and interactions are safe and do not expose players to harm.

4. Respecting personal data

Take appropriate and proportionate measures to fulfil the seven data protection principles under the General Data Protection Regulation (GDPR) and comply with all other relevant data protection laws to ensure that players’ rights to personal data privacy are respected.

5. Spending and time management

Enable players to manage the amount of time and money spent on games through appropriate design and proportionate measures.

Positive Practices for Games Companies

The five TIGA Principles embody the spirit of the approach that games companies should adopt in operating their businesses within the UK.

The TIGA Principles are broad and high-level in scope and targeted towards positive outcomes.  The Principles are designed to be proportionate: they take into account the fact that a specific action may be appropriate for one business, but it may not be appropriate for another.  For example, what may be expected of a large games delivery platform may be different from that expected of an indie developer with fewer than five employees.

In order to assist games companies to comply with the TIGA Principles, TIGA has created the following set of ‘Positive Practices’ for each Principle.  The Positive Practices draw upon multiple sources, including legislation, codes of conduct issued by regulators and feedback from TIGA members. The Positive Practices specify a number of behaviours that would tend to suggest compliance with the Principles, but they are not an exhaustive list.  While it may be possible to achieve compliance with the Principles without complying with all of the following Positive Practices, this is likely to be difficult.  Equally, there may be other actions required to comply with the Principles that are not included in the Positive Practices.

TIGA may update the list of Positive Practices from time to time to take account of new legislation, codes of conduct produced by regulators, experience of TIGA members, developing business practices and technological advancements within the games industry.

P.1. Protecting Children

Take particular care in the design of games that are likely to appeal to children and provide the necessary tools and information about content for parents, guardians and children to enable them to manage all aspects of their children’s enjoyment of games.

PP 1.1. Best interests of children. Games businesses should aim to ensure that games are safe to use for all players. Games businesses should consider that some players, both adults and children, may be more vulnerable than others. Games businesses should, in particular, ensure that the best interests of the child are a primary consideration whenever designing and developing online services likely to be accessed by a child.

PP 1.2. Parental controls. In the case of providers of game platforms, provide a robust and accessible set of parental controls that enable a parent or guardian to manage all aspects of their child’s enjoyment of games. Game developers should also endeavour to include parental controls for games released on platforms that do not feature parental controls, where proportionate.  Controls should include:

  1. Screen time and spending for a particular game or all games (see Principle 5).
  2. Controlling which games can be accessed by reference to their PEGI ratings.
  3. Restricting online communications from strangers who have not been added as ‘friends’.

PP 1.3. Promotion of parental controls. Promote the following on your company’s website and promotional materials in a clear and prominent manner:

  1. Applicable age ratings in each territory where the game is sold.
  2. The availability of parental controls on the devices on which the game is published.
  3. Safety information relating to the safe operation of any hardware required to play the game.

PP 1.4. Ease of use of parental controls. Parental controls should be located all in one place on the platform and should be easy to use. Parents should be prompted to set them up and should be provided with documentation that is easily understood.

PP 1.5. Age verification. Where a game is available for download outside of a platform featuring a robust age verification process, developers should include their own robust age verification process within the game, if proportionate to do so.

PP 1.6. Publicise online safety advice. Publicise the following sources of information:

P.2. Treating Consumers Fairly

Deal with players as consumers in a fair manner at all times, in addition to complying with all relevant marketing, advertising and consumer protection law.

PP 2.1. Accessible terms. Ensure that all terms and conditions with users are clear and accessible, including to children and other vulnerable users, and that they meet standards set by any relevant regulators.

PP 2.2. Fair enforcement of terms. Enforce terms and conditions effectively and consistently.

PP 2.3. Refund policy. Have a fair refund policy that takes into account a player’s individual circumstances, for example, if a child were to enter into unauthorized transactions on a parent’s credit card. (In the case of providers of game platforms, the refund policy will be the platform provider’s responsibility).

PP 2.4. Complaints process. Establish and maintain a complaints and appeals process that is effective, easy to use, and provides users with timely, clear and transparent responses to complaints.

PP 2.5. Compliance with OFT principles. Adhere to the 8 principles relating to online games and in-app purchases published by the Office for Fair Trading (now the Competition and Markets Authority), which can be summarised as follows:

    1. Costs information about in-game subscriptions and purchases should be provided clearly, accurately and prominently up-front, before the consumer begins to play, download or sign up.
    2. Game information, including a clear description, game functionality and compatibility with hardware and software, should also be provided clearly, accurately and prominently up-front.
    3. Information about your game company should additionally be provided clearly, accurately and prominently up-front.
    4. Commercial intent of any in-game promotion of paid-for content or promotion of any other product or service should be clear and distinguishable from gameplay.
    5. Companies should not mislead by giving the false impression that payments are required or are an integral part of the game, if that is not the case.
    6. Companies should not include any aggressive practices or exploit a child’s inherent inexperience, vulnerability or credulity or place undue influence or pressure on a child to make a purchase.
    7. Companies should not include direct exhortations to children to make a purchase or persuade others to make purchases for them.
    8. Payments should not be taken from the payment account holder unless express, informed consent for that specific payment has been given by the account holder.

(See: https://www.gov.uk/government/publications/principles-for-online-and-app-based-games).

PP 2.6. Compliance with the CAP Code. Comply with the Advertising Standards Agency’s CAP Code.

(See: https://www.asa.org.uk/codes-and-rulings/advertising-codes/non-broadcast-code.html)

PP 2.7. Compliance with consumer law. Comply with all applicable consumer law.

PP 2.8. Constant review of industry guidance. Games companies should keep information and guidance published by TIGA under review at https://tiga.org/about-tiga-and-our-industry/consumer-advice.

P.3. Safeguarding Online Communities

Make every effort to ensure that online communities and interactions are safe and do not expose players to harm.

PP 3.1. Acceptable behaviour standards. Make explicitly clear the standard of behaviour required and behaviour that will not be accepted.

PP 3.2. Prevent illegal behaviour. Take additional measures to prevent the furtherance of illegal behaviour that has been recognized as harmful and prevalent in online communities. These harms include child sexual exploitation and abuse, terrorist activity, organized immigration crime, extreme and revenge pornography, harassment and cyberstalking, hate crimes, encouraging or assisting suicide, incitement of violence, sale of illegal goods/services, accessing content illegally uploaded from prisons and the distribution of indecent images by under 18s.

PP 3.3. Prevent online harms. Also take measures to prevent the furtherance of other online harms, including cyberbullying and trolling, extremist content and activity, coercive behaviour, intimidation, disinformation, violent content, advocacy of self-harm and the promotion of female genital mutilation.

PP 3.4. Accessible complaints system. Provide clear, effective, easily accessible complaints and reporting procedures and tools for players to use and protect themselves online.

PP 3.5. Player management system. Set up proportionate systems to manage players’ behaviour online, including appropriate systems, procedures, technologies and investment, including in staffing, training and support of human moderators.

PP 3.6. Assist law enforcement. Comply with any requests by law enforcement to assist with specific monitoring, for example, where a specific threat to the safety of children has been identified and support investigations to bring criminals who break the law in online games to justice.  (Nevertheless, for the avoidance of doubt, games businesses are not expected to undertake general monitoring of all communications on their online services, as this would be a disproportionate burden on companies and would raise privacy concerns.)

PP 3.7. Effective user reporting. Take prompt, transparent and effective action following user reporting, including by imposing proportionate sanctions on players who breach behaviour policies in an appropriate timeframe.

PP 3.8. Safety technology. Purchase or develop safety technologies to reduce the burden on users to stay safe online and assist with identifying, flagging, blocking or removing illegal or harmful content.

PP 3.9. Records of harmful content. Keep appropriate records of reports of illegal and harmful content and behaviour, including the number of reports received, how many of those reports led to action and what the action taken was.

PP 3.10. Support for users. Provide information to users who have suffered online harm about appropriate sources of support.

PP 3.11. Review efforts to tackle online harms. Regularly review efforts in tackling online harms and adapt online processes to drive continuous improvement.

PP 3.12. User protection from harm by design.  Include features of game design to minimise harassment, ‘griefing’, ‘trolling’ and other undesirable online behaviours, for example, by enabling players to mute, make invisible and not be impeded by the avatars of those who are harassing them (while respecting the limitations of a player vs player environment).

P.4. Data Protection

Take appropriate and proportionate measures to fulfil the seven data protection principles under the General Data Protection Regulation (GDPR) and comply with all other relevant data protection laws to ensure that players’ rights to personal data privacy are respected.

PP 4.1. Compliance with GDPR. Comply in full with the spirit and letter of the data privacy law enshrined in the General Data Protection Regulation (GDPR)’s seven core principles, which can be summarised as follows:

  1. Lawfulness, fairness and transparency – personal data shall be processed lawfully, fairly and in a transparent manner in relation to individuals.
  2. Purpose limitation – personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
  3. Data minimisation – personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
  4. Accuracy – personal data shall be accurate and, where necessary, kept up to date.
  5. Storage limitation – personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data are processed.
  6. Integrity and confidentiality (security) – data shall be processed in a manner that ensures appropriate security, including protection against loss or unauthorised use.
  7. Accountability – the controller shall be responsible for, and be able to demonstrate compliance with, the above principles.

PP 4.2. Data protection at heart of game design. Be responsible for placing data protection at the centre of the design of online services and games in a way that mitigates the risk to players’ information.

PP 4.3. Undertake Data Protection Impact Assessments (DPIAs). Undertake DPIAs and have them approved by the ICO where high risks persist.

PP 4.4. Right of erasure. Offer a right to erasure of personal data online, with stronger provisions where data has been gathered from a child user.

PP 4.5. Policies and procedures. Ensure that you have policies and procedures in place that demonstrate how you comply with data protection obligations, including data protection training for relevant staff involved in the design and development of games.

PP 4.6. Privacy by design. Design games to be privacy by design and by default, meaning that default data privacy settings should be high and avoid more intrusive and optional uses of personal data.

PP 4.7. Transparent use of personal data. Where players provide games companies with personal data in order to access online games and services, they should be able to expect the service to operate in the way that you say it will and for you to do what you say you are going to do. To this end, games companies should uphold their own standards and published rules that govern the behaviour of players. For example, if games companies say that user behaviour will be monitored actively by human moderators, then games companies need to make sure that this happens. If player data is used to determine purchasing-related in-game variables, such as the value of virtual currency or the probability of receiving a reward in a ‘lucky dip’, this should be made clear to the player.

PP 4.8. Parental consent for personal data of children. Obtain parental consent for the processing of personal data of children under the age of 13, where consent is relied upon for the processing.

P.5. Spending and Time Management

Enable players to manage the amount of time and money spent on games through appropriate design and proportionate measures.

PP 5.1. Spending and time controls. In the case of game companies operating closed game platforms, provide controls to enable players and/or their parents and guardians to monitor and also to restrict the overall amount of money and time spent within each game and on the platform as a whole.  In the case of games available on an open platform, consider introducing such controls where proportionate and technically practical.

PP 5.2. Independent time management. Where proportionate and technically practical, include game design features that enable and encourage players to be able to manage the time spent within the game, for example:

    • enabling players to save a single-player game regularly;
    • designing multiplayer games so that they do not require long individual play sessions to avoid being penalised, or provide alternatives, such as the possibility of substituting another player during an extended session;
    • including features such as reminder messages to take breaks; rest systems (where characters continue to progress while the player takes time away from the game); and time limitation structures (e.g. player has a specific time limit to complete a level in order to encourage shorter periods of play).

PP 5.3. Self-exclusion. Where proportionate and technically practical, include a function for players to self-exclude from spending any further money or time on a game for a set period of time.

PP 5.4. Spending caps. Where proportionate and technically practical, allow players to set an in-game spending cap for any in-game purchases, whether daily, weekly, monthly or a combination of the foregoing.

PP 5.5. Track spending. Allow players to track their spending on in-game purchases, including lifetime spending on the game and by providing the option for periodic emails or other communications to remind players what they have spent.

PP 5.6. Analysing spending. Where proportionate and technically practical, obtain anonymised data relating to spending for use in analysing typical amounts of spending, frequency of spending and patterns of spending, for use in independent research and for assisting players with managing their spending (while protecting any sensitive commercial information at all times).

PP 5.7. Monitoring. Introduce processes and systems to monitor and protect individual levels of in‑game spending (to the extent technologically and legally practical, and where proportionate). Where spending indicates patterns of spending that are not typical for that individual or for players as a whole, consider sending automated reminders to players, having a cooling-off period where no further spending is possible or other appropriate and proportionate measures.

PP 5.8. Disclosure of loot boxes. Disclose the use of paid or hard currency loot boxes (or other chance systems) up-front before a player purchases, downloads or signs up to a game and describe their potential contents and the chances of that content being received in simple and easy to understand language.

Whilst every care has been taken to ensure the accuracy of the information in this document at the time of publication, the information is intended as guidance only. It should not be considered as legal advice.