On June 5th, the Federal Trade Commission (FTC) announced a settlement with Microsoft over alleged violations of the Children’s Online Privacy Protection Act (COPPA) for its data practices involving its Xbox live product. According to the FTC, Microsoft violated COPPA by collecting children’s data prior to obtaining parental consent; having insufficient direct and online privacy notices; and lacking proper data retention practices. As part of this settlement, Microsoft was fined $20 million and is required to implement a number of specific privacy-protective measures going forward, including a requirement to notify third parties who receive data from Microsoft that they have received a child’s personal information.
The Microsoft Xbox enforcement action provides insight into the FTC’s approach to COPPA enforcement. Notably, the underlying complaint included allegations that Microsoft violated COPPA in relation to a broad scope of personal information categories – including photo, video, audio, biometric, and health information – demonstrating that the FTC interprets the definition of personal information under COPPA expansively. Additionally, the FTC’s proposed order with Microsoft and its subsequent blog on the resulting requirements imposed on the company indicate that the agency is focused on enforcing COPPA against any entity “with actual knowledge” that it is processing children’s information, regardless of whether that entity has directed its service to children.
The Microsoft settlement is one of various FTC actions related to the mishandling of the collection, use, and disclosure of children’s data. It comes only days after the FTC announced an action against Amazon Alexa for similar COPPA violations. Both of these settlements are part of a string of 2023 enforcement decisions from the FTC through which the agency has emphasized protecting what it deems to be more “sensitive” categories of information – including health data, biometric information, and genetic data (in addition to children’s information). Companies that process these more sensitive data categories in the ordinary course of business should be particularly aware of the FTC’s recent enforcement actions.
In this post, we summarize the FTC’s complaint and proposed stipulated order in the Microsoft enforcement action and highlight key takeaways for companies looking to understand how this enforcement action should impact their data privacy and security programs moving forward.
The complaint’s specific allegations against Microsoft’s Xbox live product include the following:
1. Failure to Provide Prior Parental Notice and Obtain Verifiable Parental Consent. The FTC alleged that Microsoft’s notice and consent process violated COPPA’s notice and consent rules, which requires covered entities to provide notice and obtain verifiable parental consent before collecting, using, or disclosing children’s personal information, see 16 C.F.R. § 312.4, 312.4(a), since the process required children to provide personal information (e.g., full name, birth date, telephone number) in the first step of the account creation process and explicitly prior to involving a parent to obtain verifiable parental consent.
2. Deficient Direct and Online Privacy Notice. The complaint alleged that Microsoft’s direct and online privacy notice did not adequately describe Microsoft’s data collection, use, and disclosure practices in violation of COPPA’s requirement that parent’s receive direct and complete notice of practices with regards to children’s information, see 16 C.F.R. § 312.4. The complaint highlights various types of collection, use, and disclosure practices with respect to children’s information, in connection with Microsoft’s Xbox offerings, which were not described in Microsoft’s direct privacy notice (the “Notice”).
a. Collection. The Notice allegedly failed to notify parents of collection practices regarding additional personal information children shared through their profile or Xbox live usage, such as their real name from “gamertags,” photos from “avatars,” and voice from video messages.
b. Use and Disclosure. The complaint further alleged that the Notice failed to capture Microsoft’s use of collected children’s information, for example, Microsoft allegedly created a customer persistent identifier (i.e., an Xbox User ID or XUID) for each Xbox Live user which Microsoft combined with other collected information. This information could be shared with third-party game and app developers. According to the complaint, Xbox’s default settings allowed all users, including children, to play third-party games and apps while using Xbox Live, requiring parents to take additional steps to opt-out. Additionally, the Notice allegedly failed to alert parents that while using the Xbox Live feature, a child could disclose other personal information, for example, through writing in their “activity feed,” which is visible to other users, or by exchanging direct user-to-user text messages. Notably, the complaint highlights that Microsoft’s default settings allowed a child only to disclose their activity feed or otherwise communicate with only the “friends” that a parent added to the child’s account. Still, the FTC found that because of the lack of notice regarding known forms of disclosure, Microsoft’s practices were in violation of COPPA’s notice and consent requirements.
3. Unreasonable Retention Periods for Collected Children’s Information. The complaint also alleged that Microsoft retained, in many instances for years, children’s personal information collected during the registration process, including where parents did not complete the registration process in violation of COPPA’s prohibitions on retaining children’s personal information for longer than necessary to fulfill the purpose for which that information was collected, see 16 C.F.R. § 312.10.
The Proposed Stipulated Order
The proposed stipulated order imposes the following requirements on Microsoft (among other requirements):
1. Obtain Verifiable Parental Consent. Microsoft must, within a certain time period, obtain parental consent for accounts created before May 2021 where the account holder is still a child. Microsoft must confirm that verifiable consent has been obtained for all active children’s accounts and delete all accounts where verifiable parental consent cannot be obtained.
2. Publicize a Data Retention and Deletion Schedule. Microsoft must establish and maintain systems to delete, within two weeks from the collection date, all personal information that it collects from children for the purposes of obtaining parental consent if it has not successfully obtained parental consent. Further, Microsoft must set forth the purpose for collection of children’s data and establish a retention schedule to delete all other personal data collected from children after it is no longer necessary to fulfill the purpose for which it was collected. This schedule must be made publicly available on Microsoft’s website, as well as provided in future direct notices.
3. Provide Third-Party Notice. Microsoft must provide notice that a user is a child when it discloses children’s information to third parties, such as video game publishers. The order stipulates that it is permissible to indicate that the user is a child under the age of 13 through an API. According to an FTC press release, the goal of this provision is to “require the publishers to apply COPPA’s protections to that child.”
Here are some of the key takeaways that companies should be aware of in light of this decision, especially if they are subject to COPPA:
1. Broad Definition of “Personal Information.” This enforcement action should serve as a reminder that COPPA’s definition of “personal information” is broad. In this action, the FTC pointed not only to children’s full names, email addresses, and telephone numbers, but also photographs, video, or audio, as well as information collected and combined with other categories of personal information through unique identifiers. Companies should be aware of the breadth of COPPA’s personal information definition and take inventory of the information they currently collect to assess compliance.
2. Sequence of Compliance is Important. The complaint emphasized that Microsoft did not obtain parental consent prior to the collection of children’s information. Specifically, although Microsoft required children to involve their parents in the registration process prior to a child’s account being accessible, the FTC highlighted the sequence of collection and notice which resulted in the collection of children’s information prior to obtaining parental consent. The FTC’s approach indicates a strict application of COPPA’s parental consent rights, which requires companies to obtain verifiable parental consent prior to collecting children’s information. Companies should be aware that the FTC will strictly assess COPPA compliance. As such, companies should ensure that their notice and consent process obtains verifiable parental consent prior to the collection of children’s information.
3. Specificity Regarding Data Practices for Children’s Personal Information. The Microsoft complaint also serves as a clear reminder to companies that privacy notices must provide complete descriptions of: (1) the information that the company intends to collect, (2) how the company plans to use such collected information, and (3) the company’s disclosure practices, especially with respect to children’s information. In this complaint, the FTC flagged various practices regarding children’s data such as the potential collection of children’s likeness through video or photograph, or the linking of children’s data with a unique identifier, practices not described at all stages of notice. Moving forward, companies should ensure that their privacy policies reflect their complete data practices. Further, companies should not rely on general statements regarding their collection, use, and disclosure practices as this could give rise to liability.
4. Default Settings a Source of Liability. The complaint noted that Microsoft provided parents the option to disallow children from disclosing personal information to third-party games or apps, however, because default settings allowed for a child to use such games or apps the practice violated COPPA. This signals that default settings can be a source of liability where not aligned with regulatory requirements. Alternatively, the complaint also noted that Microsoft had default settings, which prohibited children from sharing information through their activity feed beyond their parent-controlled friends list. Despite having this default setting, the FTC focused on the lack of parental notice of the potential for children to share information through activity feeds – demonstrating that although default settings may be a mitigating factor, they should not be relied upon. Companies should pay close attention to the FTC complaint’s emphasis on Microsoft’s default settings and ensure that their default settings are designed with COPPA compliance in mind. However, companies should not rely on compliance informed default settings.
5. COPPA Requires Strict Data Retention Practices. The Microsoft complaint highlights that compliance with COPPA requires for companies to have detailed and established retention and deletion schedules, which are aligned with the purpose for which the retained information was collected. In this complaint, the FTC reasoned that Microsoft’s retention policy was deficient, among other reasons, because it allowed for the retention of children’s information where the parental consent process was incomplete – a deficiency that resulted in the retention of children’s information in some cases for years. This should serve as a warning to companies that collect children’s information that retention practices, particularly, deletion schedules should ensure that information gathered from children without proper consent, is promptly identified and deleted.
6. Third-Party Awareness as a Source of Accountability. According to the proposed order, Microsoft must, when sharing user information, make third parties aware if the information shared is children’s information. The FTC’s guidance, in light of the Microsoft decision, indicates that the FTC will be paying attention to companies with “actual knowledge” of collected children’s information, not only companies that market their products or services towards children. Companies should remain aware of whether the data they receive will make them subject to COPPA requirements.