Xbox’s collection of the users’ data violated COPPA on multiple fronts. Most notably, Xbox allegedly failed to obtain parental consent before collecting or using children’s data and failed to provide notice of its information practices directly to children’s parents. For example, before April 2021, Xbox prompted children to enter additional information, such as their telephone numbers, even after users indicated they were under 13. Xbox only instructed children to involve their parents (e.g., by having an adult sign up for or link an existing Microsoft account) after collecting children’s identifying information.
Additionally, after parents approved the use of children’s accounts, Xbox provided incomplete notice of its information practices. The proposed order specifies that Xbox failed to disclose that it intended to collect images from children’s accounts that “could contain a child’s likeness,” which included children’s uploaded photographs known as “gamerpic[s].” Xbox also collected text messages, voice messages, and video recordings during Xbox Live sessions, and the default settings of children’s accounts authorized the company to share children’s information with third-party game developers.
In other cases where prospective users began the account setup process and then stopped, Xbox retained the personal information of approximately 10 million individuals, including child users, for at least five years. This allegedly violated COPPA’s requirement that information collected from children online not be retained for longer than “reasonably necessary to fulfill the purpose for which the information was collected.”
The FTC’s enforcement action is significant because it clarifies that avatars generated from children’s photographs or other biometric and health information are covered by COPPA when combined with the collection of other personal information (e.g., during the account setup process). As part of the proposed order, Microsoft will not only pay $20 million to settle charges but also improve children’s privacy protections, such as by establishing protocols to delete children’s personal information after the data is no longer necessary to fulfill the purpose for which it was collected.
In some respects, the FTC’s proposed order shares similarities with the May 22 action against Edmodo and May 31 action against Amazon. In the former, ed-tech platform Edmodo similarly collected children’s personal information without first obtaining consent from children’s parents. The company then shared users’ personal information with third-party advertising companies and retained the data indefinitely (until the company created a two-year deletion policy in 2020). In the latter, the technology giant’s voice assistant, Alexa, retained children’s voice recordings indefinitely, even after parents requested the information’s deletion.
The trio of enforcement actions indicates that the FTC is taking a harsher stance on children’s privacy across industries. Online service providers should revisit their privacy policies to ensure optimal COPPA compliance.