Microsoft Xbox Settles Kids’ Data Privacy Suit for $20M

Less than a week after Amazon settled a COPPA violation case for $25M

Microsoft Xbox is the latest company to settle a multi-million dollar enforcement action with the Federal Trade Commission. Microsoft will pay a $20 million civil penalty for allegedly violating the Children’s Online Privacy Protection Act (COPPA) by collecting personal data for kids who signed up to use Xbox without telling their parents or getting their consent. The complaint also alleges that Microsoft Xbox violated Section 5 of the FTC Act.

“Our proposed order makes it easier for parents to protect their children’s privacy on Xbox, and limits what information Microsoft can collect and retain about kids,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, in a June 5, 2023 news release. “This action should also make it abundantly clear that kids’ avatars, biometric data, and health information are not exempt from COPPA.”

Personal information is defined as first and last name; home or other physical address; online contact information (e.g., email address); screen or user name; telephone number; social security number; persistent identifier (e.g., customer number, IP address, device serial number, etc.); photograph, video or audio file that includes a child’s image or voice; geolocation data; information about the child or parents collected online from the child that includes an identifier such as avatars generated from a child’s image, biometric data (e.g., iris and retina scans, voiceprint, fingerprint, etc.), health information, physiological responses, and vital signs.

The FTC complaint alleges that Microsoft Xbox violated COPPA in three primary ways:

  1. They collected personal information from kids under age 13 without getting verifiable parental consent or notifying parents.
  2. They failed to tell parents about the personal data collected, why the company was collecting the data, and that it would share some of this information with third parties.
  3. The company retained the kids’ personal data longer than was “reasonably necessary.” For example, between 2015 and 2020, Microsoft retained the personal information of children collected when they created an account, even if their parents failed to complete account setup.

Injunctive relief

In addition to the $20 million civil penalty, Microsoft must take additional steps to “bolster privacy protections” for children who use Xbox. These additional steps will also be required of third-party gaming developers with whom Microsoft shares the data of children. This includes avatars generated from a child’s image, and biometric and health information which are protected by the COPPA Rule.

Going forward, Microsoft must comply with the following rules:

  • Advise parents who have not created separate accounts for their child that doing so will provide additional privacy protection for their child by default.
  • Obtain parental consent for accounts created prior to May 2021 if the account holder is still a child.
  • If parental consent is not obtained within two weeks, all personal information from children used to obtain parental consent will be deleted because it is no longer necessary.
  • If the personal information of children is shared with third-party gaming developers, the developers must apply COPPA’s protections to that child.

Notice to adults

Another requirement of the proposed settlement is that Microsoft Xbox must send a notice to adults titled “Microsoft’s Xbox Parental Controls and Family Settings” within 45 days of the approved order. The notice must be sent to every adult Microsoft account holder not associated with a Child Microsoft Account before the date of the approved order. If the notice is sent outside the US, notices must be sent within 180 days.

Additional injunctive relief includes obtaining verifiable parental consent to collect and use data, deleting personal information according to the settlement and injunctive relief schedule, establishing and implementing a system to delete data as required, documenting what information is being collected and why, and obtaining the age of the user during account setup and registration.

Copyright © 2023 Authority Media Network, LLC. All rights reserved. Reproduction without permission is prohibited.

Xbox subscription model

In recent years, Microsoft has bolstered its gaming community – and revenue – by transitioning to a subscription model for gaming. They offer several subscription products including Xbox All Access, Xbox Game Pass, PC Game Pass, EA Play and Xbox Live Gold. The subscription model makes playing more games and getting early and exclusive access to popular games more affordable for gamers of all ages.

The settlement comes less than a week after the FTC settled a claim against Amazon for allegedly violating the COPPA Act by ignoring parents’ requests to delete their children’s information and voice recordings obtained from Alexa and for not being transparent with parents about their data deletion policies. Amazon also violated the FTC Act by misrepresenting how Alexa app users could delete their geolocation data and voice recordings, the FTC alleges. Amazon has agreed to a $25 million settlement in this action.

Insider Take

It is clear that the FTC is fed up, and they aren’t going to take it anymore. They are taking significant actions against data privacy violations, especially concerning children; subscription companies that use dark patterns and deceptive marketing practices to attract and retain subscribers; and anticompetitive behavior that includes acquisitions by dominant market players. While many of these cases are long and drawn out, the FTC and the Department of Justice are not shying away from enforcing the law of the land or imposing record-breaking settlements and fines to stop companies from taking advantage of their customers.
