Microsoft, one of the leading technology companies, agreed to settle charges with FTC for privacy violations of the Children’s Online Privacy Protection Act (COPPA). As part of the settlement agreement, Microsoft has agreed to pay a hefty fine of $20 million and revise its data privacy procedures for children.
COPPA: Safeguarding Children’s Online Privacy
COPPA, a crucial U.S. federal law, aims to protect the privacy of kids under the 13 years of age while they are using the internet. It needs operators of websites and online services to obtain parental consent, provide the ability to review and delete personal information, allow parents to refuse data collection, and implement security measures to protect the collected information when children register for online accounts.
Microsoft’s Alleged COPPA Violations – Privacy Violations
According to the FTC, Microsoft allegedly collected and retained personal information from children who signed up for the Xbox Live service without obtaining parental consent or notifying them. Shockingly, in some instances between 2015 and 2020, Microsoft stored children’s data on its servers for several years.
Court documents have revealed that approximately 218,000 U.S.-based Xbox console users, from January 2017 to December 2021, created Microsoft accounts using birth dates that indicated they were under the age of 13. This information should have signaled Microsoft to apply COPPA protections to these users. However, the FTC alleges that Microsoft failed to take the needed actions required by the law, thereby violating multiple sections of COPPA.
Microsoft’s Failure to Comply with COPPA
The FTC’s complaint states that even when users indicated they were under 13 years old, Microsoft continued to request additional personal information until late 2021. This included asking for a phone number and requiring users to agree to Microsoft’s service agreement and advertising policy. Notably, the advertising policy contained a pre-checked box until 2019, enabling Microsoft to send promotional messages and share user data with advertisers.
For more in-depth information regarding the COPPA violations and the evidence collected, refer to the complaint submitted by the U.S. Department of Justice on behalf of the FTC to the U.S. District Court of the Western District of Washington.
Proposed Measures and Compliance Requirements to Counter Against Privacy Violations
In addition to the financial penalty, the FTC has outlined several measures that Microsoft must implement to ensure compliance with COPPA. These include:
- Informing parents about the additional privacy protections available through creating a separate account for their child.
- Obtaining parental consent for accounts created before May 2021, if the account holder is still a child.
- Deleting all personal data of COPPA-protected users if it is no longer required for providing the originally offered services.
- Removing all user data collected without acquiring parental consent from Microsoft’s systems.
- Deleting COPPA-protected user data within two weeks of collection.
- Extending COPPA protections to third-party gaming publishers who receive user data from Microsoft.
- Expanding COPPA protections to biometric and health information collected for creating avatars when combined with personally identifiable information.
It is very vital to note that while both parties have accepted the settlement, it still awaits approval from the Court.
FTC’s Ongoing Commitment to Protecting Children’s Privacy
The recent enforcement actions by the FTC emphasize the significance of tech companies complying with data privacy regulations, particularly when handling sensitive information of underage users. In a related case, the FTC fined Amazon $25 million for disregarding parents’ requests to delete their children’s data and continuing to use sensitive user information for training machine learning algorithms.