December 2, 2025
In an update to its Children’s Code Strategy, the Information Commissioner’s Office (the “ICO”) has announced that its regulatory focus will move to mobile games played by children in the UK.
We have commented on the ICO’s Children’s Code Strategy previously, including here and here.
Since April 2024, the ICO’s attention in respect of use of children’s data has focused, in particular, on social media platforms (SMPs) and video sharing platforms (VSPs). Today’s announcement marks a change in direction. The ICO says it will be launching a monitoring programme of 10 popular mobile games (as yet unnamed) “ranging from casual puzzle games to complex multiplayer experiences”. Default privacy settings, geolocation settings and profiling for advertising will be key areas for scrutiny.
5 practical steps mobile game companies can take to prepare for the spotlight:
- Make sure you’ve completed a Children’s Code Data Protection Impact Assessment to identify risks and mitigations from a data protection perspective for children accessing the game, with a particular eye to compliance with the 15 standards set out in the Children’s Code.
- Make sure children understand how their data is being used. Consider a bespoke child-friendly privacy notice and make use of ‘just in time’ notices.
- Review default settings and be prepared to justify your approach. Watch out for ‘nudging’ techniques in game design – especially to switch geolocation to ‘on’.
- Ensure age assurance is in place, where appropriate. The ICO has extensive guidance on this here.
- Review advertising practices, especially regarding targeted ads. Remember the Children’s Code applies to anyone under 18 years old. What is appropriate may vary depending on the age of the children playing the game.
Mobile games companies can also take some key learnings from the ICO’s work in connection with SMPs and VSPs:
Default privacy settings
The update emphasises that high-privacy defaults remain central to protecting children online, with research suggesting that social pressure and ‘FOMO’ drive oversharing of information.
Default geolocation settings
The ICO’s focus here is on preventing sharing of children’s precise location. Organisations are encouraged to have location sharing turned off by default, giving children the choice to share it when they want to. Targeted engagement since March has led to satisfactory positions at Vero, the removal of nudges to enable precise location at Befriend, 18+ restrictions at Flickr, and Frog’s exit from the UK market. The ICO is now turning to focus specifically on Snap and Meta on the compliance of their map features, with Snap committing to a comprehensive review by the end of the year.
Targeted ads
The ICO has reiterated that profiling children should be turned off by default for most services. Results from recent interventions include X (formerly Twitter) ceasing ads to children and a commitment from Viber to turn off personalised advertising for under 18s by default. Soda, Vimeo and Wizz App are noted to have made improvements, too.
Recommender systems
This relates to SMPs and VSPs using profiling to recommend content to users, reported to be sometimes harmful in nature. An investigation has been opened into TikTok’s use of 13-17 year-olds’ data in such systems and an information notice subsequently issued. The ICO has now confirmed that it will defend TikTok’s appeal against the information notice.
Age assurance
The ICO has concluded that there could be scope for profiling to be used as part of an age assurance system, but flags widespread risks from the use of self-declaration for services likely to pose high risks to children. On using information of under 13s, the ICO is pursuing cases against Reddit and Imgur (MediaLab) over inadequate age assurance, and has issued notices of intent to fine (noting that exiting the UK market does not remove liability for Imgur’s past infringements). The ICO has identified 17 platforms for their next phase of work in this area.
Finally, the ICO has confirmed continued collaboration with Ofcom under the Online Safety Act, including a further joint statement planned for early 2026. This comes alongside ongoing international work through the International Age Assurance Working Group.
Mobile games
While the ICO notes that work with SMPs and VSPs relating to privacy settings, geolocation and targeted advertising is concluding having “secured positive improvements”, it has been made clear that this is to make way for further investigations into mobile games.
The ICO’s actions in 2025, noted above, provide the context for this call to action for those in the interactive entertainment space, to ensure they have implemented robust data protection and privacy policies, controls and procedures. They are especially likely to be targeted for ICO investigations and enforcement if they develop or publish any mobile games popular with children.
If you’d like to know more, or if you are affected by the ICO’s Children’s Code Strategy and need help understanding and adapting to it, please get in touch.