Andrew Wailes is CEO and founder of PlaySafe ID, a digital identity platform that verifies online players through a single secure ID to ensure fair play and to protect children from online predators.
On July 25, the UK’s Online Safety Act (OSA) will kick in with full effect – and wherever you are in the world, if your games target UK users, or are even ‘likely’ to be played by youngsters in the UK, you’re legally obligated to comply.
If that sounds a little concerning, fear not – there’s plenty you can still do. There are over 1,000 pages of documents from the UK government and Ofcom detailing the OSA and its implementation. Those are backed up by further detailed guidance from Ofcom, the independent regulator assigned with enforcing the act.
In this article, you’ll find an overview of the fundamental intent and impacts of the OSA, along with guidance to the essential steps your company will probably need to take.
Why is the OSA being implemented?
The OSA has a clear purpose, as defined by the legislation itself: “Services who have users in the UK need to be safe by design, and have a higher standard of protection for children than adults, whilst providing transparency and accountability in relation to those services.” And, because Ofcom describes games as “a fundamental form of entertainment for children”, it’s absolutely clear that video games are within the scope of the legislation.
It’s an admirable and important purpose, and any game company should already be motivated to suitably protect its users. But as much as you can agree with the legislation’s intentions, wrapping your head around the practicalities as a games studio or publisher is rather less straightforward.
It is worth noting that in drawing up the legislation, lawmakers consulted with the games industry and received some pushback. Some from the world of games expressed worry about applying a blanket approach to the diverse spread of platforms our industry has created.
If you act now you still have time – just
Others were understandably concerned that Ofcom’s presentation of risks associated with violent content, bullying content, and abusive and hateful content on gaming platforms was “misleading” and would disproportionately burden the gaming industry.
It may be that assumptions about games’ perceived harmful elements forged decades ago continue to have influence. Ultimately, however, the decision was made to include all video games and ‘gaming-adjacent services’ such as streaming and communications platforms.
Simply put, if you make or publish games today – whether you are a major outfit or a modest microstudio – you need to get compliant. Fail to do so, and the body has the power to fine you 10% of global turnover, or £18 million, whichever is greater.
The time is now
It’s a matter of protecting children, adult players, and your business. Fortunately, if you act now you still have time – just. Soon, comparable legislation will be implemented at a global scale, with Australia and EU member states currently coming close to installing their own regulatory frameworks. Acting today to meet the most significant UK deadlines may also give you a head start on future global compliance.
Several key deadlines have passed, and the most significant – July 25, when the OSA comes into full force – is just around the corner. If you have yet to act on the previous dates, get to work on what is required now. While we aren’t in a position to make any promises about the government response, your effort and proactivity may see you through. And regardless, you are required to act, even if you’ve missed a deadline. The dates are:
That might feel like a lot. If you are feeling overwhelmed, we’d point you to the PlaySafe ID guide ‘What do games have to do to comply?‘, which covers the fundamentals in plain, straightforward language.
Next, we will address the fundamentals of compliance and your responsibilities, but with the available space and the complexity of the legislation, it is unreasonable to promise a complete and legally binding handbook here. Consider this a primer before tackling the guide or even the full documentation.
User age and harmful content
Practically speaking, to be compliant you ultimately need to ensure that your games use highly effective age verification, meeting the legislation’s framing of ‘highly effective’, and you must limit access to functionality deemed inappropriate relative to given users’ ages. The OSA’s framing of ‘highly effective’ is complex, but ultimately you must use a system that is “technically accurate, robust, reliable, and fair” when it comes to determining the actual age of a user.
The OSA considers photo-ID matching, facial age estimation, opening banking, credit card checks, email-based age estimation, and digital identity services as at least ‘capable’ of being highly effective, although in many cases those approaches will only be available to adult users. As such, reusable digital identity services that include a photo ID element are most likely to suit more games companies when it comes to meeting the highly effective status for age verification.
There’s every chance your games are all fully compliant, but regardless, you are required to make the necessary assessments, and ensure you meet duties to your users. Broadly speaking, you’ll need to assess the likelihood of illegal content and illegal harms, as well as the likelihood of the distinct content that may be harmful to children.
You’ll also need to precisely meet the OSA’s framing of ‘harmful content’, rather than use your own criteria or instincts – including addressing factors you might not have previously considered. Because even if your game is plainly safe for all ages, you still need to go through this process.
With regards to the gaming medium, the types of illegal content most relevant and likely are child sexual exploitation and abuse (CSEA), offences relating to child sexual abuse material (CSAM), and grooming, along with threats, abuse, and insults, including those motivated by hate. For further context there, make sure you read Ofcom’s guide, ‘Protecting people from illegal harms online, Illegal content judgements guidance (ICJG)‘.
If focus will help, we’d keenly recommend that you start by completing and recording ‘children’s risk assessments’ by the close of July 24 this year. Ofcom’s ‘Children’s Risk Assessment Guidance and Children’s Risk Profiles‘ document provides a complete overview of that process.
Get your data protection officer, legal department or support, or designated child safety officer (a new named person you will have to have) to read and complete those steps. And again, we hope our overall guide serves to set you on the path, and keep you informed across all the key details.
The dangers that the online world present to children may not be easy to think about, but they are very real
Having thoroughly reviewed the legislation, we at PlaySafe ID are convinced it’s well intended, and informed by extensive research, data, and consultation with industry, children, and parents.
The dangers that the online world present to children may not be easy to think about, but they are very real – and as such the OSA should be viewed as positive legislature that primarily protects children, but that also lets the games industry thrive and grow, by providing appropriate content to appropriate audiences, and galvanising its reputation. And while the process of compliance might feel overwhelming and complex, that inconvenience pales in comparison to the importance of protecting young users.
Games should be fun – not dangerous or damaging. At PlaySafe ID we are convinced that highly effective age assurance should form a cornerstone of making games safer spaces for young users – as should robust systems for limiting access to certain functions and content. That also protects adults’ right to access and consumer games that explore mature or difficult themes.
We also firmly believe that making players aware they are accountable for their actions – and not protected by anonymity – will greatly improve safety, and let all of us have a better time in connected worlds. That’s why we’ve built a business around player ID technology.
Getting your games in check is no longer just morally admirable and business-critical. It is increasingly enshrined in law – through legislation built to deliver a better online world. As an industry, we’ve collectively achieved amazing things. Now we have an opportunity to do even better.
