On 1 December 2025, the Information Commissioner’s Office (ICO) announced a monitoring programme that targets 10 popular mobile games played by children in the UK.[1]
The announcement was accompanied by the ICO's ‘Children's Code Strategy progress update – December 2025’, which confirmed that the ICO was concluding its work with social media and video-sharing platforms and turning its focus to the mobile gaming sector.[2]
Why is the ICO assessing the mobile gaming sector?
The ICO's announcement stresses the need for this programme based on the high participation rate of children in the video gaming sector and parents’ concern about the content their children are exposed to.
The ICO states that 90% of UK children play games on digital devices (though it is not clear if this refers to mobile games only or on other devices as well).[3] The ICO’s research reveals that 84% of UK parents are concerned about their children's exposure to strangers or harmful content through mobile games, with a further 50% being 'very concerned'. Three in four parents are worried about children sharing personal data, and are concerned about data collection by game companies for advertising purposes. A further 30% report that their child has stopped using a mobile game because of the parent/carer or child having data-related concerns.
Information Commissioner John Edwards said that the ICO's early review “suggests that many mobile games’ design features can be especially intrusive, raising important questions about how these games are designed and experienced, and their adherence to the ICO’s Children’s code standards.”
What will the review assess?
The review will assess three areas of compliance, based on its Age-Appropriate Design Code (or the Children’s Code):[4]
1. Default privacy settings - whether games offer children the most protective, or ‘high privacy’ settings by default.
2. Default geolocation controls - whether location data is switched off by default for child users and how geolocation information is managed if children choose to enable it.
3. Targeted advertising practices – whether profiling children for targeted advertising is off default.
What developers and businesses should expect
The ICO's gaming review follows an established and expanding playbook, which it used successfully in its review of social media and video sharing platforms. In the previous review, the ICO announced it secured improvements or confirmed good practice to 10 platforms’ approach to children’s privacy settings, including on Twitch, Viber and Hoop. With companies that did not comply or failed to adequately comply, the ICO moved from monitoring and engagement to formal notices of intent and finally imposed hefty monetary penalties, most recently against MediaLab (Imgur)[5] and Reddit.[6]
There is no reason to believe the gaming sector will be treated differently. As such, developers, publishers, and platform operators should anticipate the following:
- The in-scope video game developers should expect direct engagement from the ICO, as the ICO will seek information about data practices, privacy architectures, and age assurance methods.
- Scrutiny of Data Protection Impact Assessments (DPIAs) - the Children's Code requires a DPIA for any service likely to be accessed by children, and the ICO will assess whether studios have conducted and maintained these documents in respect of all game features, including in-app purchases, social features, and advertising.[7]
- Failure to cooperate and comply will attract warnings, reprimands, enforcement notices, and monetary penalties - for serious breaches of the data protection principles, the ICO has the power to issue fines of up to £17.5 million or 4% of the company’s annual worldwide turnover, whichever is higher.[8]
Video-game developers who operate outside of mobile gaming may also be subject to review under the ICO’s programme. As the ICO’s December 2025 update explicitly states, the ICO will use the monitoring programme to “identify whether we need to extend our compliance assessment work to […] other sectors of the games sector in the future”, which could include console games and PC titles with online features.
Key takeaway for 2026
The ICO has clearly signalled that it will apply to mobile games the same enforcement strategy it used to reshape social media and video sharing platforms in the UK. In-scope game studios can expect engagement and rigorous assessment from the ICO, while smaller game studios can expect to see the programme produce best-practice and guidance on what the ICO expects from game developers, publishers and platform operators. While developers that have not audited their games for Children’s Code compliance, particularly regarding default settings, geolocation and targeted advertising, should treat this as a matter of priority.
[1] https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2025/12/children-s-online-privacy-in-mobile-games-under-spotlight/
[2] https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/childrens-information/childrens-code-guidance-and-resources/protecting-childrens-privacy-online-our-childrens-code-strategy/children-s-code-strategy-progress-update-december-2025/
[3] https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2025/12/children-s-online-privacy-in-mobile-games-under-spotlight/
[4] https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/childrens-information/childrens-code-guidance-and-resources/protecting-childrens-privacy-online-our-childrens-code-strategy/children-s-code-strategy-progress-update-december-2025/
[5] https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2026/02/imgur-owner-medialab-fined-over-children-s-privacy-failures/
[6] https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2026/02/reddit-issued-with-1447m-fine-for-children-s-privacy-failures/
[7] https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/childrens-information/childrens-code-guidance-and-resources/age-appropriate-design-a-code-of-practice-for-online-services/2-data-protection-impact-assessments/
