Behind the Headlines: Understanding The FTC’s Microsoft Case

Contributors

Anas Baig

Product Marketing Manager at Securiti

Adeel Hasan

Sr. Data Privacy Analyst at Securiti

CIPM, CIPP/Canada


The Xbox network, more popularly known and branded as Xbox Live, has been one of Microsoft's most successful and popular ventures of the past two decades. Available in 42 countries, Xbox Live has been Microsoft's answer to Sony's PlayStation Network, and thanks to its consistent revenues of more than $1 billion per year since 2010, it has proved highly lucrative.

However, the Federal Trade Commission (FTC) has now announced that Microsoft will pay a $20 million penalty for violating the Children's Online Privacy Protection Act (COPPA) Rule's provisions on parental consent, privacy notices, and data retention.

More than 200,000 accounts are said to have been impacted by this violation.

The proposed order, filed by the US Department of Justice on behalf of the FTC, requires Microsoft to pay the penalty and to take concrete remedial measures addressing the deficiencies identified in its data collection practices across the Xbox ecosystem. The district court must approve the FTC's proposed order before it can take effect.

What Allegedly Happened

Microsoft's alleged violation begins with the Xbox Live signup process itself. To participate, create an account, and access any features, users must create a Microsoft account by providing their first name, last name, email address, and date of birth. Until late 2021, users were also required to provide a phone number.

Additionally, Microsoft required all users to agree to its service agreement, and that agreement contained a pre-checked box allowing Microsoft to send them promotional content and to share their data with third parties.

According to the FTC's complaint, this is one of the primary violations: Microsoft collected this information even from users who, by entering their date of birth, had already indicated that they were under 13.

The FTC complaint notes that Microsoft did eventually contact the parents of such users for consent. However, it did so only after collecting data from the children, whereas the COPPA Rule requires direct notice to parents before a child's personal information is collected, used, or disclosed.

As a result, the FTC alleges that Microsoft has violated COPPA provisions in three distinct ways:

  • Collecting personal information from children under 13 without first notifying their parents and obtaining parental consent;
  • Failing to adequately disclose what information Microsoft collects from children, why it is collected, and whether it is shared with third parties;
  • Retaining the collected information for longer than necessary to fulfill the stated purposes of collection.

Notice Mismanagement

COPPA required Microsoft to inform parents, through two separate notices, about the collection of their child's personal information.

The first is the Direct Notice under section 312.4(b) of the COPPA Rule, which required Microsoft to inform parents about the child's signup request and about its data collection practices before collecting, using, storing, or sharing the child's personal information.

However, Microsoft collected the users' personal information first and notified parents only afterward.

Moreover, the direct notice Microsoft did provide was incomplete. It did not describe the additional information Microsoft would collect through Xbox Live, such as users' photos, their User IDs, and any avatars they created.

The direct notice sent to parents redirected them to the general Microsoft Privacy Statement, which lacked specifics about what data Microsoft would collect from children, why it needed to be collected, and whether any third parties would have access to it.

Secondly, under section 312.4(d) of the COPPA Rule, Microsoft was required to provide an Online Notice of its information practices "at each area of the Web site or online service where personal information is collected from children".

Microsoft did not adequately fulfill this requirement either: its privacy policy contained no information about COPPA, the organization's data collection practices with respect to children, what data it collects, or how parents could ask Microsoft to delete information collected about their child.

The deficiencies in the privacy policy compounded the alleged violation. Not only did Microsoft collect children's data without verifiable parental consent, but any consent it did collect lacked substance, because the direct notice and online notice given to parents omitted the information they needed before they could meaningfully consent.

Data Retention and Deletion Requirements

Under section 312.10 of the COPPA Rule, an organization may "retain personal information collected online from a child for only as long as is reasonably necessary to fulfill the purpose for which the information was collected." Once the information is no longer necessary for the stated purpose, it must be deleted. According to the FTC, Microsoft violated these retention and deletion requirements between 2015 and 2020 by retaining personal information collected during signup attempts that were never completed.
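The two practices the complaint turns on, collecting personal information only after parental consent has been recorded (the Direct Notice section above) and not keeping data from abandoned signups (this section), are easier to reason about as a single state machine. The following Python sketch is an added illustration and is not part of the original post or of Microsoft's signup code. It collects only the date of birth first, refuses personal information from a user under 13 until a verifiable parental consent method has been recorded, rejects a pre-checked box as a consent method, and purges incomplete signups after a retention window. The 30-day window, the consent method names (modelled on the kinds of methods the COPPA Rule lists, but not quoted from it), and every class and function name are assumptions for the example; the Rule itself sets no fixed retention period.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, datetime, timedelta, timezone
from typing import Optional

COPPA_AGE = 13
# Assumed retention policy for abandoned signups; the COPPA Rule fixes no number.
INCOMPLETE_SIGNUP_TTL = timedelta(days=30)
# Assumed allow-list of verifiable parental consent methods. A pre-checked
# box is deliberately absent: it is not a consent mechanism.
VERIFIABLE_CONSENT_METHODS = {"signed_form", "payment_card", "video_call", "government_id"}


def age_on(birth_date: date, today: date) -> int:
    """Completed years between birth_date and today (birthday not yet reached counts as one less)."""
    years = today.year - birth_date.year
    if (today.month, today.day) < (birth_date.month, birth_date.day):
        years -= 1
    return years


class ConsentRequired(Exception):
    """Raised when personal information would be collected from a child before parental consent."""


@dataclass
class Signup:
    signup_id: str
    birth_date: date
    created_at: datetime
    is_child: bool
    parent_consent_method: Optional[str] = None
    profile: dict = field(default_factory=dict)


class SignupService:
    """Hypothetical signup flow: age gate first, consent before collection, purge on abandonment."""

    def __init__(self) -> None:
        self.pending: dict[str, Signup] = {}
        self.accounts: dict[str, Signup] = {}

    def start(self, signup_id: str, birth_date: date, now: datetime) -> Signup:
        # Step 1: only the date of birth, which is enough to decide whether COPPA applies.
        signup = Signup(signup_id, birth_date, now, age_on(birth_date, now.date()) < COPPA_AGE)
        self.pending[signup_id] = signup
        return signup

    def record_parental_consent(self, signup_id: str, method: str) -> None:
        # Step 2 (children only): the direct notice goes to the parent and consent is verified.
        if method not in VERIFIABLE_CONSENT_METHODS:
            raise ValueError(f"{method!r} is not a verifiable parental consent method")
        self.pending[signup_id].parent_consent_method = method

    def collect_profile(self, signup_id: str, **fields: str) -> dict:
        # Step 3: name, email, gamertag, avatar and the like. Refused for an unconsented child.
        signup = self.pending[signup_id]
        if signup.is_child and signup.parent_consent_method is None:
            raise ConsentRequired(f"signup {signup_id}: parental consent must precede collection")
        signup.profile.update(fields)
        return signup.profile

    def complete(self, signup_id: str) -> Signup:
        signup = self.pending.pop(signup_id)
        self.accounts[signup_id] = signup
        return signup

    def purge_incomplete(self, now: datetime) -> list[str]:
        """Delete signups that were started but never completed within the retention window."""
        stale = [sid for sid, s in self.pending.items() if now - s.created_at > INCOMPLETE_SIGNUP_TTL]
        for sid in stale:
            del self.pending[sid]
        return stale


if __name__ == "__main__":
    svc = SignupService()
    now = datetime(2023, 6, 1, tzinfo=timezone.utc)  # constructed clock for the demo
    child = svc.start("kid1", date(2013, 1, 15), now)
    try:
        svc.collect_profile("kid1", first_name="Sam")  # too early: no parental consent yet
    except ConsentRequired as exc:
        print("refused:", exc)
    svc.record_parental_consent("kid1", "signed_form")
    print("collected:", svc.collect_profile("kid1", first_name="Sam"))
    svc.start("abandoned", date(2012, 2, 2), now - timedelta(days=45))
    print("purged:", svc.purge_incomplete(now))
```

The ordering is the whole point: `collect_profile` cannot be reached for a child without a recorded consent method, and `purge_incomplete` is the scheduled job that removes the half-finished records the complaint says were kept for years.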

Lessons To Learn

For organizations subject to COPPA and other data privacy regulations, here are the important lessons to be learned:

1. Notice Management Is Critical

The most important takeaway from this episode is just how crucial appropriate privacy policies and notices are. Organizations need to be thorough and transparent about what data they collect, why they collect it, and whether any of it is shared with third parties.

Additionally, such notices must be regularly updated to reflect the organization's dynamic data collection, usage, and maintenance practices. Failure to do so raises the likelihood of a potential violation.

2. Definitions Matter

If any case illustrates why most regulatory texts contain extensive definitions of key terms, this is the one. One of the FTC's main charges against Microsoft is its failure to treat the information users generate within Xbox Live, such as their avatars, biometric information, gamertags, health data in the form of vital signs, and other unique identifiers, as personal information.

Personal information is no longer limited to a user's name and address. Organizations hoping to comply with COPPA must carefully re-evaluate the context of the data they collect and whether any of it may indeed be considered personal information.

3. COPPA Coverage

As the definition of "personal information" expands, so does the range of services it covers. An organization may traditionally have expected only its website or apps to be subject to such regulation, but as this case highlights, digital services such as Xbox Live are no exception.

Similarly, COPPA requires both organizations that know they are collecting data from children under 13 and those whose services are directed primarily toward children to obtain parental consent and to give parents appropriate notice of their data collection practices.

This case should also reiterate the importance of parental consent and notice management to third-party video game developers whose games collect user information, since as a result of the order they will now most likely be informed by Microsoft when a user is a child.

4. Default Settings

Several regulations have consistently singled out pre-checked boxes as incompatible with the concept of independent and freely given consent, because they tilt the user's likely decision. Moreover, the FTC has published a list of mechanisms organizations may use to obtain parental consent.

Naturally, pre-checked boxes are not on that list, so any consent obtained through one would not qualify as freely given.

To an organization this may seem a fairly innocuous step, but removing pre-checked boxes can prove vital in ensuring that its consent management framework complies with COPPA as well as every other major privacy regulation worldwide.

The FTC's main accusation against Microsoft is straightforward: Microsoft was not transparent about its data collection practices. More precisely, it did not give parents the notice it was legally obliged to give, or obtain their consent, before collecting children's data.

This episode nonetheless holds vital lessons for most organizations subject to COPPA, the most important being the need to publish a transparent and accurate privacy notice.

How Can Securiti Help

Securiti, the leader in Privacy Management, can help you automate compliance with various privacy regulations. In this particular case, Securiti's Privacycenter.cloud solution enables organizations to take a dynamic, automated approach to keeping their privacy notices compliant with the relevant regulations. Thanks to an easy-to-use interface and a centralized dashboard, it lets organizations implement changes in real time and monitor compliance across multiple jurisdictions. Additionally, built-in data mapping assessment enables organizations to identify risky processes where data has been collected or retained without consent, so that they can take corrective action and avoid non-compliance with privacy regulations.

Request a demo today and learn how Securiti can help your organization better comply with COPPA regulations.
