The Federal Trade Commission (”FTC”) continues to prove that failing to comply with the Children’s Online Privacy Protection Act (“COPPA”) can be costly for technology firms. In the past month, the FTC, in conjunction with the Department of Justice (“DOJ”), has filed proposed orders against Microsoft, Amazon, and Edmodo alleging COPPA violations.
COPPA regulates the collection, use, and disclosure of personal information of children under the age of 13. These rules require online services and websites to provide notification to parents/guardians before any collection of a child’s personal information and obtain receipt of verifiable parental consent before collecting or using any personal information collected from children. Additionally, COPPA provides restrictions on the length of time data collected from a child can be retained, provides parents’ rights regarding the disposition of their children’s data, and sets requirements for who can provide consent and what the consent must contain.
Recent Enforcement Actions
In the proposed order filed by the DOJ on behalf of the FTC, Microsoft will be required to pay a settlement amount of $20 million dollars to settle allegations that Microsoft impermissibly collected personal information from children without providing appropriate notice to parents nor obtaining parents’ consent. The FTC’s complaint alleges that the process for creating an account on its Xbox gaming consoles collected children’s personal information, including biometric data and health information, as part of the account creation process even after an individual indicated they were under 13. Microsoft did require individuals under 13 to involve their parents, but this was after the account creation process. However, even if the parent failed to complete the process, Microsoft would still retain the child’s personal information for years. The FTC further alleged that Microsoft would, by default, share a child’s account information with third-party vendors, requiring parents to take additional steps to opt out if they did not want their child’s information shared.
The FTC and DOJ proposed order will require Amazon to pay a settlement amount of $25 million to settle allegations that it violated COPPA by not fulling requests made by parents to delete sensitive voice recordings and geolocation data of children collected through its Alexa voice assistants and Alexa app. By not fulfilling these requests, Amazon continued to use the information for its own purposes. The order will require Amazon to delete inactive Alexa accounts belonging to children, notify its users about their retention and deletion practices and controls, and prohibit Amazon from misrepresenting its privacy policies related to children’s voice information.
Under another proposed FTC and DOJ order, Edmodo, an education technology provider, will be required to pay a settlement amount of $6 million dollars and make changes to its practices to restrict the collection of children’s personal information without obtaining parental consent and using that data for advertising. Prior to the proposed order, Edmodo was collecting personal information from children such as their names, email addresses, dates of birth, and phone numbers to be used to provide ads. Additionally, Edmodo will have to start limiting the amount of personal information they collect from children in order to participate in an educational activity. The FTC also alleged that Edmodo failed to provide information regarding their data collection practices to schools and teachers, and failed to obtain verifiable parental consent. Edmodo required schools and teachers to authorize data collection on behalf of parents, however, failed to provide schools or teachers with information they would need to be compliant with COPPA.
This is a first for the FTC as it looks to follow through on a policy statement issued in May 2022 that warned educational technology companies from forcing schools and parents to provide personal information about children to permit them to participate in online education.
All of these actions highlight the need for technology firms to assess and be aware of any data that is collected from children. Measures must be put in place to limit such collection and to ensure appropriate consent and notice processes are in place. Failing to heed these lessons can put technology firms in the crosshairs for future FTC enforcement actions.