Last week, the Department of Justice, together with the Federal Trade Commission, announced a $20 million settlement with tech giant Microsoft for allegedly violating the Children’s Online Privacy Protection Act (COPPA). This is the third action taken by the FTC in the past month for alleged COPPA violations, coming on the heels of Edmodo and Amazon. The action provides insight into FTC enforcement of COPPA and may fundamentally impact companies that receive information from Microsoft.
At issue is Microsoft’s online service Xbox Live (recently rebranded Xbox Network) offered on their Xbox gaming console. The Xbox Network is an online service with a tiered payment system, where players can access or purchase certain online content and interact with other players.
In its complaint, the FTC alleged that Microsoft violated COPPA by failing to satisfy the statute’s notice and verifiable parental consent requirements. According to the FTC, during the Xbox Network sign-up process, Microsoft required players to provide their email addresses, first and last names, and their full date of birth, all without Microsoft giving adequate notice or seeking parental consent. This process resulted in roughly 218,000 players indicating they were under the age of 13, which the FTC argued equated to Microsoft having actual knowledge that it collected personal information from children.
Per the complaint, in some instances where players identified as under the age of 13, Microsoft prompted these child players to “go get a parent” to sign into the parent’s own Microsoft account. According to the FTC, this process was not sufficient to satisfy COPPA’s notice or verifiable parental consent obligations.
The FTC also alleged that Microsoft configured default settings on the Xbox Network in a way that was not protective of children. Microsoft sought a lot of information from children, including account information, gamertags (pseudonymous identifiers unique to each player), profile photos, and “real” names. Children could share personal information through the Xbox Network, such as through text-based posts, player-to-player communications, voice messages, video recordings and still images. Third-party game and app developers were able to receive access to children’s personal information by default. And where parents or child users started but did not finish the account creation process, Microsoft indefinitely retained the associated information, longer than reasonably necessary for the purpose for which it was collected.
The proposed order imposes a variety of requirements on Microsoft, including payment of a substantial $20 million civil penalty, deletion of children’s personal information and accounts, maintenance of a data retention schedule, and ongoing compliance reporting. However, the most notable requirement relates to disclosures to third-party game and app developers. Under the proposed order, Microsoft must, in each instance when disclosing personal information from a child’s account to any video game publisher, indicate to the publisher (such as through an API) that the user is a child under 13.
This disclosure requirement is likely to significantly impact video game publishers with respect to their COPPA compliance. Many video game publishers have historically taken the position that they are not subject to COPPA because their games are not directed toward children under 13, and they do not have actual knowledge of children playing the games as they do not ask for player birthdates. By receiving age information from Microsoft, these video game publishers will now have actual knowledge that they are receiving personal information from children under 13.
This order furthers the trend of regulators interpreting COPPA’s application and protections broadly. Gaming companies that previously did not believe they were subject to COPPA should consider reevaluating that position. With the California Age Appropriate Design Code (AADC) only a year away, gaming companies will need to adapt their practices to offer greater protections to child players.
For more information about the video game industry and the impact of the California AADC on it, check out our recent blog post here.
“Our proposed order makes it easier for parents to protect their children’s privacy on Xbox, and limits what information Microsoft can collect and retain about kids,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “This action should also make it abundantly clear that kids’ avatars, biometric data, and health information are not exempt from COPPA.”