Behind the Headlines: Understanding The FTC’s Microsoft Case

By Securiti Research Team
Published August 17, 2023

The Xbox network, more popularly known and branded as Xbox Live, has been one of Microsoft's most successful and popular ventures of the past two decades. Available in 42 countries, Xbox Live has been Microsoft's answer to Sony's PlayStation Network, and thanks to its consistent revenues of more than $1 billion per year since 2010, it has proved highly lucrative.

However, Microsoft now faces a $20 million fine from the Federal Trade Commission (FTC) for breaching the Children's Online Privacy Protection Act (COPPA) provisions related to parental consent, privacy notices, and data retention practices.

More than 200,000 accounts are said to have been impacted by this violation.

The proposed order, filed by the US Department of Justice acting on behalf of the FTC, requires Microsoft to pay the fine and undertake concrete remedial measures to address the deficiencies identified in its data collection practices within its Xbox ecosystem. The district court must approve the FTC's proposed order before it can take effect.

What Allegedly Happened

Microsoft's alleged violation begins with the Xbox Live signup process itself. To participate, make an account, and access any features, users must create a Microsoft account using their first name, last name, email address, and date of birth. Until late 2021, users were also required to provide their phone numbers.

Additionally, not only did Microsoft require all users to consent to its service agreement, but the agreement contained a pre-checked box that enabled Microsoft to send promotional content and share such users' data with third parties.

As per the FTC’s complaint, the aforementioned constitutes one of the primary offenses since Microsoft continued with these practices even after users had categorically stated that they were under 13.

The FTC complaint notes that Microsoft eventually contacted users' parents for consent. However, they did so after collecting data from the children, whereas the law requires direct notice to parents before a child’s personal data is collected, used, or disclosed.

As a result, the FTC alleges that Microsoft has violated COPPA provisions in three distinct ways:

  • Collecting data from children under 13 without prior notice to, and consent from, their parents;
  • Failing to adequately disclose what information Microsoft collects from children, why it is collected, and whether it is shared with any third parties;
  • Retaining the collected data for longer than necessary for the stated purposes of collection.

Notice Mismanagement

Parents should have been informed via two notices about the potential data collection related to their child's information.

The first is the Direct Notice under section 312.4(b) of the COPPA Rule, which required Microsoft to inform the parents about the child’s signup request and its data collection practices before collecting, using, storing, or sharing personal data.

However, Microsoft collected the users' personal information first and notified the parents only after the data collection.

Moreover, the direct notice provided by Microsoft was incomplete. It did not contain the necessary information related to all the additional information Microsoft would collect via Xbox Live, such as the users' photos, the User ID, and any Avatars they may have created.

The direct notice sent to the parents redirected them to the main Microsoft Privacy Statement, which lacked context about what data Microsoft would specifically collect, why it needed to be collected, and whether any third parties would have access to it.

Secondly, as per section 312.4(d) of the COPPA Rule, Microsoft was required to provide an Online Notice of its information privacy practices “at each area of the Web site or online service where personal information is collected from children”.

Microsoft did not adequately fulfill this requirement either, since the privacy policy lacked any information about the requirements of COPPA, the organization's data collection practices, what data it collects, and how parents may request that Microsoft delete any collected information related to their child.

The deficiencies within the privacy policy further compounded Microsoft's alleged violation. Not only did Microsoft proceed to collect children's data without verifiable parental consent, but any consent it did collect lacked substance, because the direct notice and online notice provided to parents omitted the information they should have had access to before giving their consent.

Data Retention and Deletion Requirements

As per section 312.10 of the COPPA Rule, organizations may “retain personal information collected online from a child for only as long as is reasonably necessary to fulfill the purpose for which the information was collected.” The organization must delete the data as soon as it is no longer necessary for the stated purpose. However, according to the FTC, Microsoft violated these data retention and deletion requirements in the 2015-20 period by retaining data from instances where the account signup process had not been completed.

Lessons To Learn

For organizations subject to COPPA and other data privacy regulations, here are the important lessons to be learned:

1. Notice Management Is Critical

The most important takeaway of this episode should be just how crucial appropriate privacy policies and notices are. Organizations need to be more thorough and transparent about what data they collect, its purposes, and whether any collected information will be shared with any third parties.

Additionally, such notices must be regularly updated to reflect the organization's dynamic data collection, usage, and maintenance practices. Failure to do so raises the likelihood of a potential violation.

2. Definitions Matter

If there were any case to illustrate why most regulatory texts contain extensive definitions of key terms, this is the one. One of the FTC's main charges against Microsoft is the organization's failure to recognize the users' information within Xbox Live, such as their avatars, biometric information, gamertags, health data in the form of their vital signs, in addition to any other unique identifiers, as personal information.

Since personal information is no longer restricted to just the user's name and address, organizations hoping to comply with COPPA must carefully re-evaluate the context of the data they collect and whether any of it may indeed be considered personal information.

3. COPPA Coverage

As the definition of the term "personal information" expands, so do the areas it covers. While an organization may traditionally have expected only its website or apps to be subject to such regulations, this case highlights that digital services such as Xbox Live are no exception.

Similarly, COPPA requires both organizations that know that they're collecting data from children under 13 and those that are primarily directed toward children to undertake the relevant measures to gain parental consent and provide them with appropriate notice of the data collection practices.

This particular case should reiterate the importance of parental consent and notice management to video game developers whose games are designed to collect user information; as a result of the COPPA violation, Microsoft will now most likely be informing such developers of these obligations.

4. Default Settings

Pre-checked boxes have consistently been singled out by several regulations as incompatible with the concept of "independent and freely given consent", since they tilt the user's likely decision. Moreover, the FTC has published a list of mechanisms organizations may deploy to gain parents' consent.

Naturally, pre-checked boxes are not on that list, implying that any consent gained via the use of such a method would not qualify as freely given.

For organizations, this may seem like a fairly innocuous step, but the removal of pre-checked boxes can prove vital in ensuring their consent management framework is compliant with the COPPA provisions as well as any other major privacy regulation globally.
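The three practice failures described above (collecting a child's data before the parent has been notified and has consented, a pre-checked marketing and sharing box, and retaining data from signups that were never completed) can all be enforced in the signup flow itself rather than left to policy. The following is an added example, not code from the article, from Securiti, or from Microsoft; the class and function names, the 30-day limit for abandoned signups, and the sample accounts are constructed assumptions.

```python
"""Added example: a COPPA-aware signup flow model.

Not the article's, Securiti's or Microsoft's code. All names, the
INCOMPLETE_SIGNUP_TTL value and the sample accounts in demo() are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta
from typing import Dict, List, Optional, Tuple

COPPA_AGE = 13                              # threshold discussed in the article
INCOMPLETE_SIGNUP_TTL = timedelta(days=30)  # assumed limit for abandoned signups


def age_on(birth: date, today: date) -> int:
    """Whole years between birth and today."""
    years = today.year - birth.year
    if (today.month, today.day) < (birth.month, birth.day):
        years -= 1
    return years


@dataclass
class Signup:
    """A pending account. Until a parent has consented, only what is needed to
    run the flow (an id, a birth date, a parent contact) is held."""
    signup_id: str
    birth_date: date
    started_at: datetime
    parent_email: Optional[str] = None      # used only to send the direct notice
    parent_consented: bool = False
    completed: bool = False
    profile: Dict[str, str] = field(default_factory=dict)  # empty until allowed
    marketing_opt_in: bool = False          # no pre-checked box: defaults off
    third_party_sharing: bool = False


class ConsentRequired(Exception):
    """Raised when collection is attempted for a child before parental consent."""


def is_child(s: Signup, today: date) -> bool:
    return age_on(s.birth_date, today) < COPPA_AGE


def collect_profile(s: Signup, data: Dict[str, str], today: date) -> None:
    """Store name, phone, avatar, etc. Refuses for a child until the parent has
    consented, so direct notice and consent always precede collection."""
    if is_child(s, today) and not s.parent_consented:
        raise ConsentRequired(
            f"signup {s.signup_id}: parental notice and consent must precede collection")
    s.profile.update(data)


def record_parental_consent(s: Signup, verified: bool) -> None:
    """Verification via an FTC-listed mechanism is assumed to happen upstream."""
    if verified:
        s.parent_consented = True


def set_optional_consents(s: Signup, marketing: bool = False, sharing: bool = False) -> None:
    """Optional consents are opt-in: the caller must pass True explicitly."""
    s.marketing_opt_in = bool(marketing)
    s.third_party_sharing = bool(sharing)


def purge_stale_signups(signups: List[Signup], now: datetime) -> Tuple[List[Signup], List[str]]:
    """Drop data from signups never completed within the TTL.
    Returns (kept signups, purged signup ids)."""
    kept, purged = [], []
    for s in signups:
        if not s.completed and now - s.started_at > INCOMPLETE_SIGNUP_TTL:
            purged.append(s.signup_id)
        else:
            kept.append(s)
    return kept, purged


def demo() -> dict:
    """Runs the flow on constructed accounts and returns the observable outcomes."""
    today = date(2023, 8, 17)
    now = datetime(2023, 8, 17, 12, 0)
    child = Signup("child-1", date(2013, 1, 1), now, parent_email="parent@example.test")
    adult = Signup("adult-1", date(1990, 5, 5), now)
    stale = Signup("stale-1", date(2000, 1, 1), now - timedelta(days=45))
    results = {}
    try:                                    # collection before consent is refused
        collect_profile(child, {"first_name": "A"}, today)
        results["child_blocked"] = False
    except ConsentRequired:
        results["child_blocked"] = True
    record_parental_consent(child, verified=True)
    collect_profile(child, {"first_name": "A", "avatar": "robot"}, today)
    results["child_profile_after_consent"] = sorted(child.profile)
    collect_profile(adult, {"first_name": "B"}, today)   # adults are not gated
    results["adult_collected"] = adult.profile == {"first_name": "B"}
    set_optional_consents(child)            # nothing pre-checked
    results["defaults_off"] = (child.marketing_opt_in, child.third_party_sharing)
    kept, purged = purge_stale_signups([child, adult, stale], now)
    results["purged"] = purged
    results["kept"] = [s.signup_id for s in kept]
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the model is ordering: personal data cannot enter `profile` for a child until `parent_consented` is set, optional consents start as False, and `purge_stale_signups` is what a scheduled job would run so that abandoned signups are not retained past the assumed TTL.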

The FTC's main accusation against Microsoft is straightforward: Microsoft wasn't transparent about its data collection practices. More accurately, it wasn't transparent in how it was legally obliged to ensure that parents of the children appropriately consented to Microsoft's data collection.

However, this entire episode contains some vital lessons for most organizations subject to COPPA. The most important of these is the importance of publishing a transparent and accurate privacy notice.

How Can Securiti Help

Securiti, the leader in Privacy Management, can help you automate compliance with various privacy regulations. In this particular case, Securiti's solution enables organizations to adopt a dynamic, automated approach to ensuring their privacy notices comply with relevant regulations. Thanks to an easy-to-use interface and a centralized dashboard, it offers organizations the chance to implement changes in real time in addition to monitoring compliance across multiple jurisdictions. Additionally, its built-in data mapping assessment enables organizations to identify risky processes where data has been collected or retained without consent, allowing them to take corrective action and avoid non-compliance with privacy regulations.

Request a demo today and learn how Securiti can help your organization better comply with COPPA regulations.
