What you have to practically implement

Firstly, you need to complete the following:


Here are other important bits of info to support you in doing so:


In the following sections, we will specifically cover “what do I need to do to my game” aside from the administrative processes mentioned above.


❗️

Step 1: Requirement for all games - Highly Effective Age Assurance

Firstly, let’s cover what Ofcom and the OSA say about HEAA:


2.1 All providers of Part 3 services are required to carry out children’s access assessments to determine whether a service, or part of a service, is likely to be accessed by children.

2.2 The Act says that service providers may only conclude that it is not possible for children to access a service if that service uses a form of age assurance with the result that children are not normally able to access that service or part of it.

2.3 We consider that, in order to secure the result that children are not normally able to access their service (or a part of it), service providers should deploy highly effective age assurance and implement effective access controls to prevent users from accessing the service (or relevant part of it) unless they have been identified as adults.

2.4 As stated in the Children’s Access Assessment Guidance, service providers should consult this guidance to understand what constitutes highly effective age assurance and / or to carry out an in-depth assessment of whether a particular form of age assurance is highly effective for the purpose of stage 1 of the children’s access assessment.

Protection of Children Codes

2.5 The Protection of Children Code of Practice for user-to-user services (“the Code”), includes recommended measures on the implementation of highly effective age assurance in certain circumstances. The Code sets out the definition of highly effective age assurance for these recommended measures, and lists the steps that service providers should take to fulfil each of the criteria.

2.6 The Code also includes other recommended measures which may be relevant to the way that service providers implement and operate a highly effective age assurance process on their service – for example, measures relating to the clarity and accessibility of terms of service, and reporting and complaints.

2.7 Service providers are required to keep records of (1) steps that they have taken in accordance with the Code, or (2) any alternative steps they have taken to comply with their duties. Service providers should consult our Record Keeping and Review Guidance for this purpose.

2.8 This guidance will help service providers in adopting recommended measures that relate to the implementation of highly effective age assurance, by providing additional technical detail and examples on how to meet the standard.


📘

It’s clear that you need to implement highly effective age assurance

You need it both to complete your Children’s Access Assessment effectively and accurately, and to abide by your Children’s Safety Duties thereafter.


Criteria to ensure an age assurance process is highly effective

4.1 Service providers need to:

  • choose an appropriate kind (or kinds) of age assurance; and
  • implement it in such a way that it is highly effective at correctly determining whether a user is a child.

4.2 To ensure that an age assurance process is, in practice, highly effective at correctly determining whether or not a user is a child, service providers should ensure that the process fulfills each of the following four criteria:

  • it is technically accurate;
  • it is robust;
  • it is reliable; and
  • it is fair.

Please see Guidance on highly effective age assurance part 3 services for all details.


Additionally, providers need to consider:

  • Accessibility for users,
  • Interoperability; the ability for technological systems to communicate with each other using common and standardised formats.


Kinds of age assurance that are capable of being highly effective:

  • Photo-ID matching - The most accurate, robust, reliable, and fair.
  • Facial age estimation - Varying degrees of accuracy and reliability. Potentially more risky than photo-ID matching.
  • Open banking - Accurate, robust, and reliable. Fair for over 18s, not usable for under 18s. Suitable for Primary Priority Content gating to an entire service. Not suitable for most games.
  • Credit card checks - Same as Open Banking.
  • Email-based age estimation - Varying degrees of accuracy and reliability; likely similar to open banking; good for gating under 18s, but likely less good at accurately providing an actual age of a user.
  • Use a Digital Identity Service - The best solution if the digital identity service uses Photo-ID matching. This means you don’t cause any disruption to users who are already verified, and new users being verified for the first time will be able to re-use the verification across other services in the future. Highest level of accuracy, robustness, reliability, and fairness, with the least friction and disruption. Additionally, it improves accessibility for users and ticks the interoperability consideration.

Methods that are not capable of being highly effective:

  • Self-declaration of age,
  • Age verification through online payment methods which do not require a user to be over the age of 18,
  • General contractual restrictions on the use of the service by children.

📘

Summary of Highly Effective Age Assurance

Our recommendation is to use a reusable digital identity service, but make sure you choose one that verifies users based on photo-ID matching.

This is for a few very important reasons:

  1. They will have an easier integration by which you just call their API and ask if a user is valid or for the user’s age,
  2. They will be the data controller for all the PII (personally identifiable information) collected and processed throughout the verification process. If, however, you integrate or use any other method, you are the data controller, and the service you use is the data processor. This has GDPR, ePrivacy, and CCPA implications regarding data collection, handling and processing, increasing your workload, complexity, and liability. Whereas working with a reusable digital identity service dodges all of this for you; especially if they only return the user’s age and not a date of birth (as it’s too coarse to be considered PII either directly or indirectly).
  3. There’s less friction to the end user as they can verify themselves once with the reusable digital identity service, and then prove their age without sharing any other information with a wide range of games and services.
  4. Following on from the previous point; Gamers HATE sharing information and data with games companies. Having a setup which means they don’t have to share this data with you (through integrating any other solution) will provide the best experience to the player/user.
  5. Lower costs: A reusable digital identity service has volume commitments with a KYC provider, which means they get a much lower price per verification. This lower price can be passed on to you.
  6. The most compliant and future-proofed solution as per the legislation. A reusable digital identity service that uses photo-ID matching is the most technically accurate, robust, reliable, and fair method out of all which are “capable”. You only want to implement a solution once, so make sure you implement the right one so you don’t have to make big changes and cause disruption to your game and players in a few months.

👍

Recommended provider for HEAA

PlaySafe ID is the reusable digital identity provider specifically designed for games and gamers.

In addition to all of the improvements to your compliance and reduction to liability, speed and ease of integration, and massive cost savings - we also provide meaningful accountability to bad actors to keep your game fair and safe for everyone.

With PlaySafe ID you can turn on a new set of matchmaking where only verified PlaySafe ID users can play. Users who are caught cheating, hacking, botting, or being inappropriate to children face penalties across all PlaySafe Protected games and services.

So, not only can you solve your compliance and liability issues regarding the Online Safety Act and Ofcom, and future proof yourselves from the Australian and EU versions coming soon - but you can also directly provide the most fair, fun, and safe environment for players to improve retention and ARPU - all with less risk, cost, time, and effort.


Step 2: Requirement - Limiting access to functionality based on age

As established by Ofcom and mandated by Ofcom and the Online Safety Act, in-game messaging is a high risk factor for children due to the range of illegal and harmful content that can be encountered:

  1. Illegal content:
    1. CSEA,
    2. CSAM,
    3. Grooming.
  2. Harmful content:
    1. Primary priority content: Suicide and self-harm content,
    2. Priority content: Abuse and hate content, bullying content, and violent content.

The good news is as follows:

You are considered PCU B5 (Link here - page 10)

This means that you don’t allow PPC, PC, or NDC on your service, but it might exist and users might encounter it before you can reasonably stop/remove it. For example: user communication. You don’t allow any of the content types above, but that doesn’t mean you can stop them instantly 100% of the time.

As a result of being a PCU B5, you DON’T have to block access to your service/game before a user completes the highly effective age assurance process. In other words, anyone can still buy, download, install, and play your game as normal.

It DOES mean, however, that you WILL likely have to block access to all user-to-user messaging/communication services until the user has completed the HEAA process, as this is where the risk for illegal content and harmful content lies. Note: This will be subject to your own children’s access assessment, illegal content assessment and safety duties, children’s risk assessment, and children’s safety duties - which you still need to complete. But this is the likely outcome in my opinion.

There will likely be variability in the limitation/restriction of service based on age group and your assessments. For example, you might find that:

  • All user-to-user communication is disabled until a user is 13 years old,
  • From 13-17 communication is enabled, with parental controls, and with the profanity filter permanently on,
  • Note: This is not an instruction. You will have to complete your own assessments and determine the right implementation for your specific game and userbase. This is a broad guess, from intuition and experience, as to what my gut feeling says will be the most likely outcome in the majority of cases. But do the work yourself and ensure you implement the right solution for your game(s).
  • You might find that a different approach, more staggered approach, or even a more lenient or stronger approach is required. It depends on your game, userbase, and identified risks.
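One way to enforce the gating described above on the game server, as an added example that is not from this page's author or from any provider's SDK. The `Assurance` record, the method labels and the function names are hypothetical, and the 13 and 18 bands are the illustrative ones from the list above, to be replaced by the outcome of your own assessments.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed labels for the kinds of age assurance the page lists as
# capable of being highly effective. Self-declaration is deliberately absent.
CAPABLE_METHODS = frozenset({
    "photo_id", "facial_estimation", "open_banking",
    "credit_card", "email_estimation", "digital_identity",
})

@dataclass(frozen=True)
class Assurance:
    """Hypothetical server-side record of a completed age check."""
    method: str
    age: Optional[int] = None   # None when the check yields no age
    over_18: bool = False       # set by checks that only prove adulthood

@dataclass(frozen=True)
class ChatPolicy:
    enabled: bool
    parental_controls: bool = False
    profanity_filter_locked: bool = False

DENY = ChatPolicy(enabled=False)

def chat_policy(record: Optional[Assurance]) -> ChatPolicy:
    """Map an assurance record to chat permissions; anything unknown is DENY."""
    if record is None or record.method not in CAPABLE_METHODS:
        return DENY                       # HEAA not completed, or weak method
    if record.age is None:
        # Adult-only checks (open banking, credit card) give a yes/no answer.
        return ChatPolicy(enabled=True) if record.over_18 else DENY
    if record.age < 13:
        return DENY
    if record.age < 18:
        return ChatPolicy(True, parental_controls=True,
                          profanity_filter_locked=True)
    return ChatPolicy(enabled=True)

def may_send_message(record: Optional[Assurance]) -> bool:
    """Call on the server for every message, not only when drawing the UI."""
    return chat_policy(record).enabled
```

The gate fails closed: a missing record, a method outside the capable set, or an adult-only check that did not confirm adulthood all leave messaging disabled while the rest of the game stays playable.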

📘

Step 3: Implement the functionality recommendations

As per the Protection of Children Code of Practice for user-to-user services, and as referenced in section 3 (above) “Section 3: Codes of practice and recommended measures”, you need to ensure you implement the recommended functionalities required to improve child safety.

These include functionalities that improve:

  • Governance and accountability of your service
  • Age assurance (highly effective age assurance)
  • Content moderation
  • Reporting and complaints
  • Settings, functionalities, and user support
  • User controls
  • Terms of service