

Another Enforcement in Children’s Privacy: FTC Fines Microsoft $20 Million

Katherine Wang


For the third time in the span of two weeks, the Federal Trade Commission (FTC) issued an enforcement action against a technology company for violating the Children’s Online Privacy Protection Act (COPPA). On June 5, 2023, Microsoft was fined $20 million due to Xbox’s failure to comply with COPPA’s notice, consent, and data retention requirements.

The Department of Justice and FTC’s proposed order alleges that Xbox, an online gaming system, knew that children under 13 were creating accounts and accessing live online services, such as Xbox Live and other Xbox products, where they could interact with other players. The agencies alleged that the company violated COPPA by enabling “approximately 218,000 users in the United States [to] enter[] full birthdates indicating that they were children younger than 13 years old” when creating accounts between January 2017 and December 2021.

Xbox’s collection of the users’ data violated COPPA on multiple fronts. Most notably, Xbox allegedly failed to obtain parental consent before collecting or using children’s data and failed to provide notice of its information practices directly to children’s parents. For example, before April 2021, Xbox prompted children to enter additional information, such as their telephone numbers, even after users indicated they were under 13. Xbox only instructed children to involve their parents (e.g., by having an adult sign up for or link an existing Microsoft account) after collecting children’s identifying information.

Additionally, after parents approved the use of children’s accounts, Xbox provided incomplete notice of its information practices. The proposed order specifies that Xbox failed to disclose that it intended to collect images from children’s accounts that “could contain a child’s likeness,” which included children’s uploaded photographs known as “gamerpic[s].” Xbox also collected text messages, voice messages, and video recordings during Xbox Live sessions, which, based on the default settings of children’s accounts, authorized the company to share children’s information with third-party game developers.

In other cases where prospective users began the account setup process and then stopped, Xbox retained the personal information of approximately 10 million individuals, including child users, for at least five years. This allegedly violated COPPA’s requirement of not retaining information from children online for longer than “reasonably necessary to fulfill the purpose for which the information was collected.”

The FTC’s enforcement action is significant because it clarifies that avatars generated from children’s photographs or other biometric and health information are covered by COPPA when combined with the collection of other personal information (e.g., during the account setup process). As part of the proposed order, Microsoft will not only pay $20 million to settle charges but also improve children’s privacy protections, such as by establishing protocols to delete children’s personal information after the data is no longer necessary to fulfill the purpose for which it was collected.

In some respects, the FTC’s proposed order shares similarities with the May 22 action against Edmodo and May 31 action against Amazon. In the former, ed-tech platform Edmodo similarly collected children’s personal information without first obtaining consent from children’s parents. The company then shared users’ personal information with third-party advertising companies and retained the data indefinitely (until the company created a two-year deletion policy in 2020). In the latter, the technology giant’s voice assistant, Alexa, retained children’s voice recordings indefinitely, even after parents requested the information’s deletion.

The trio of enforcement actions indicates that the FTC is taking a harsher stance on children’s privacy across industries. Online service providers should revisit their privacy policies to ensure optimal COPPA compliance.

This article was prepared by the Antitrust Law Section's Privacy and Information Security Committee.