U.S. FTC Lodges Complaint Against Microsoft for Violating Children’s Online Privacy Protection Act
Tech giant Microsoft is set to pay $20 million to settle Federal Trade Commission (FTC) charges for violating the Children’s Online Privacy Protection Act (COPPA) by collecting personal information from children who signed up to its Xbox gaming system without notifying their parents or obtaining their parents’ consent, and by illegally retaining children’s personal information.
The FTC alleged that from 2015 to 2020 Microsoft retained, for years, the data it collected from children during the account creation process, even when a parent failed to complete the process. COPPA prohibits retaining personal information about children for longer than is reasonably necessary to fulfill the purpose for which it was collected.
Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, said, “Our proposed order makes it easier for parents to protect their children’s privacy on Xbox, and limits what information Microsoft can collect and retain about kids.”
He added, “This action should also make it abundantly clear that kids’ avatars, biometric data, and health information are not exempt from COPPA.”
As part of a proposed order filed by the Department of Justice (DOJ) on behalf of the FTC, Microsoft will be required to take several steps to bolster privacy protections for child users of its Xbox system. The order seeks to extend COPPA protections to third-party gaming publishers with whom Microsoft shares children’s data.
In addition, the order clarified that avatars generated from a child’s image, and biometric and health information, are covered by the COPPA Rule when collected with other personal data. The order must be approved by a Federal Court for its implementation.
The DOJ filed the complaint and stipulated order in the U.S. District Court for the Western District of Washington state.
The COPPA Rule requires online services and websites directed to children under 13 to notify parents about the personal information they collect and to obtain verifiable parental consent before collecting and using any personal information collected from children.
According to the complaint filed by DOJ, Microsoft violated the COPPA Rule’s notice, consent, and data retention requirements.
Microsoft’s Xbox gaming products allow users to play and chat with other players through its Xbox Live service. According to the complaint, to access and play games on an Xbox console or use any of the other Xbox Live features, users must create an account, which requires them to provide personal information including their first and last name, email address and date of birth.
The complaint alleged that even when a user indicated that they were under 13, they were also asked, until late 2021, to provide additional personal information including a phone number and to agree to Microsoft’s service agreement and advertising policy, which until 2019 included a pre-checked box allowing Microsoft to send promotional messages and to share user data with advertisers.
After a child makes an account, they can create a profile that will include their ‘gamertag,’ which is the primary identifier visible to the user and other Xbox Live users, and can also upload a picture or include an avatar, which is a figure or image that represents the user.
According to the complaint, Microsoft combined this information with a unique persistent identifier it creates for each account holder, even children, and could share this information with third-party game and app developers. Microsoft by default allowed all users, including children, to play third-party games and apps while using Xbox Live, requiring parents to take additional steps to opt out if they did not want their children to access them.
The complaint revealed that Microsoft had failed to fully comply with COPPA’s notice provisions. For instance, Microsoft failed to disclose to parents all the information it collected, such as a child’s profile picture.
In addition to the monetary penalty, Microsoft will be required under the proposed order to:
(i) Inform parents who have not created a separate account for their child that doing so will provide additional privacy protections for their child by default;
(ii) Obtain parental consent for accounts created before May 2021 if the account holder is still a child;
(iii) Establish and maintain systems to delete, within two weeks from the collection date, all personal information that it collects from children for the purposes of obtaining parental consent if it has not obtained parental consent and to delete all other personal data collected from children after it is no longer necessary to fulfil the purpose for which it was collected; and
(iv) Notify video game publishers when it discloses personal information from children that the user is a child, which will require the publishers to apply COPPA’s protections to that child.
The Commission voted 3-0 to refer the complaint and proposed federal order to the Department of Justice.
Notably, it is the Commission’s third COPPA action within the last few weeks, following an announcement in mid-May against ed tech provider Edmodo and one last week involving Amazon.
The lead attorneys representing the FTC on this matter are Megan Cox and Peder Magee from the FTC’s Bureau of Consumer Protection.