Microsoft to pay $20m over violations of children’s privacy laws

The company was illegally collecting data without parents’ consent.

Microsoft Corp. has agreed to pay a $20m civil penalty to settle charges that it violated the Children’s Online Privacy Protection Act (COPPA) and the Children’s Online Privacy Protection Rule (COPPA Rule) by collecting and retaining children’s personal information without their parents’ consent.

The Justice Department, acting on a referral from the Federal Trade Commission (FTC), alleged in its complaint that the data was collected in connection with the Xbox Live service and through the Xbox brand of gaming consoles.

According to the complaint, even when Microsoft knew that some users were children, the company continued to collect personal data such as phone numbers before notifying the users’ parents or obtaining parental consent. The company also retained that data longer than the COPPA Rule permits.

“It is essential that before collecting children’s personal information, online companies provide complete and timely disclosures about their information collection practices so that parents can make informed decisions,” said Principal Deputy Assistant Attorney General Brian Boynton, head of the Justice Department’s Civil Division.

In addition, where notice was provided to parents, it was incomplete: it did not disclose all of the types of data collected, such as profile pictures, and therefore did not meet the COPPA Rule’s notice requirements.

“This settlement requires Microsoft to clearly communicate with parents about their child’s data and sets up procedures to monitor Microsoft’s compliance with federal statutes regarding children’s online privacy. This work will make children safer online,” said US Attorney Nick Brown for the Western District of Washington.

Bolster kids’ protection

Besides the monetary penalty, the stipulated order will require Microsoft to strengthen its privacy protections for children using the Xbox system by:

  • Informing parents who have not created a separate account for their child that doing so will provide additional privacy protections for their child by default.
  • Securing parental consent for accounts that were created before May 2021 if the account holder is still a child.
  • Creating and maintaining systems to delete, within two weeks of collection, all personal information collected from children for which parental consent has not been obtained, and to delete all other personal data collected from children once it is no longer necessary to fulfil the purpose for which it was collected.
  • Extending COPPA protections to cover third-party video game publishers, and giving notice of when it discloses kids’ personal information.

The order also clarifies that avatars generated from a child’s image, as well as biometric and health information, are covered by the COPPA Rule when collected together with other personal data.

“Our proposed order makes it easier for parents to protect their children’s privacy on Xbox, and limits what information Microsoft can collect and retain about kids,” said Director Samuel Levine of the FTC’s Bureau of Consumer Protection. “This action should also make it abundantly clear that kids’ avatars, biometric data, and health information are not exempt from COPPA.”

Amazon violations

This is the FTC’s third COPPA action within the last few weeks. It imposed a $6m monetary penalty on ed tech provider Edmodo for unlawfully using kids’ data for advertising and for shifting its compliance obligations onto school districts. Amazon was then hit with a $25m penalty for keeping kids’ Alexa voice recordings indefinitely and deceiving parents and users about its data deletion practices.

“Amazon’s history of misleading parents, keeping children’s recordings indefinitely, and flouting parents’ deletion requests violated COPPA and sacrificed privacy for profits,” said Levine. “COPPA does not allow companies to keep children’s data forever for any reason, and certainly not to train their algorithms.”

The COPPA Rule summary

The rule requires operators of websites and online services directed to children under the age of 13, or that have actual knowledge they are collecting personal information from children under 13, to notify parents about the personal information they collect. They must also obtain verifiable parental consent before collecting, using or disclosing any child’s personal data.

Source: FTC