[co-author: Ariyana DeWitz]*
The FTC won’t let them be! No, not Eminem, online service providers. Right on the heels of fining Epic Games and Amazon, for violations of the Children’s Online Privacy Protection Act (COPPA), the FTC set its eyes on Microsoft. On June 5, 2023, Microsoft agreed to pay $20 million to settle alleged violations of COPPA. The FTC alleged that Microsoft, in connection with its Xbox online services, collected personal information from children under 13 years old in violation of COPPA, failed to inform parents of the personal information they collected, and retained children’s personal information for longer than necessary.
Congress enacted COPPA in 1998 to protect the safety and privacy of children by prohibiting the unauthorized or unnecessary collection of children’s personal information online. In 2000, the FTC promulgated the COPPA Rule, imposing requirements to maintain children’s safety on operators of online services that have actual knowledge they are collecting personal information from a child under 13 years old.
Xbox online services are designed to provide users with the ability to access and play games, as well as connect with millions of other gamers in the Xbox community through a console or personal computer. More than 120 million users are active monthly, ranging from under 13 years old to over 35 years old. COPPA requires operators to provide notice and obtain verifiable parent consent before collecting, using or disclosing personal information from children.
To begin the Xbox experience, users are required to create a Microsoft account and provide their email address, full name and date of birth. Until at least 2021, users were prompted to enter their telephone number and accept Microsoft’s service agreement and privacy statement which included a pre-checked box to “enhance online experiences by letting Microsoft Advertising use my account information.” It was not until after the additional personal information was collected that Microsoft requested parental permission for children whose birthdate indicated they were under 13 years old. The FTC argued that Microsoft should have obtained parental consent before requesting additional information such as the child’s phone number.
COPPA requires operators to provide parents with direct notice of the operator’s practice regarding the collection, use or disclosure of a child’s personal information before collecting their personal information. Here, the FTC found that notice was only provided after parents consented to their child’s account creation. Further, prior to April 2021, Microsoft’s notice lacked information regarding what categories of data Microsoft would collect and how that information would be used. Instead, parents were directed to the company’s privacy statement, which the FTC considered insufficient given the generic descriptions of Microsoft’s information practices.
Under COPPA, data should only be retained for as long as reasonably necessary to fulfill the purpose for which it was collected. From 2015 until at least October 2020, Microsoft indefinitely retained children’s personal information during account creation, even when the account process was not completed by a parent. Approximately 10 million individuals, including children, had their personal information retained longer than necessary despite COPPA’s mandate to delete the information from its records when verifiable parental consent had not been obtained after a reasonable time.
In an emailed statement, the company promised to improve its systems, blaming a “data retention glitch” for the violations. After rectifying the current accounts that are in violation of COPPA, Microsoft plans to develop a next-generation identity and age validation system.
The $20 million dollar settlement – FTC’s third COPPA action in just three weeks – serves as a reminder for other organizations to evaluate compliance with COPPA. Organizations should consider the following compliance tips to safeguard the privacy of children and avoid regulatory attention:
- Determine whether your organization’s products or services are directed to children, or knowingly collects personal information from children. If so, evaluate whether your policies comply with COPPA.
- Provide complete disclosures about their information collection practices and how the information will be used as it pertains to children.
- Obtain verifiable consent from parents and inform parents of their rights to review and/or limit the information collected from their child.
- Establish and implement a system to delete personal information collected from children so it may not be stored longer than reasonably necessary.
Bond attorneys regularly assist and advise clients on an array of data privacy and cybersecurity matters, including compliance with COPPA and other privacy authorities. If you have any questions about COPPA or FTC privacy enforcement, please contact an attorney in Bond's cybersecurity and data privacy practice.
*Special thanks to Summer Law Clerk Ariyana DeWitz for her assistance in the preparation of this memo. Ariyana is not yet admitted to practice law.
 This settlement was announced in the midst of the FTC’s unrelated efforts to block Microsoft’s proposed $68.7 billion acquisition of gaming industry giant, Activision Blizzard, citing antitrust concerns. At the time of this writing, Microsoft and the FTC are currently in federal court where the FTC is seeking a preliminary injunction and temporary restraining order to prevent Microsoft from closing the deal ahead of a formal legal challenge set to begin in August.