On June 5, United States’s Federal Trade Commission (FTC) told tech-giant Microsoft to pay USD 20 million to settle the charges levelled against them for collecting personal information from children illegally without their parent’s consent. The company has agreed to pay the amount according to FTC.
Recently FTC also charged Amazon’s Alexa on similar grounds of violating children’s privacy, for which the company will have to pay USD 25 million.
As per the press release by FTC, the tech company have violated the Children’s Online Privacy Protection Act, “Microsoft will pay $20 million to settle Federal Trade Commission charges that it violated the Children’s Online Privacy Protection Act (COPPA) by collecting personal information from children who signed up to its Xbox gaming system without notifying their parents or obtaining their parents’ consent, and by illegally retaining children’s personal information”.
The Director of the FTC’s Bureau of Consumer Protection, Samuel Levine, states, “Our proposed order makes it easier for parents to protect their children’s privacy on Xbox, and limits what information Microsoft can collect and retain about kids”. He added, “This action should also make it abundantly clear that kids’ avatars, biometric data, and health information are not exempt from COPPA”.
The Department of Justice filed the proposed order on behalf of the FTC. Microsoft will have to take a number of actions to strengthen privacy safeguards for children using the Xbox system, “For example, the order will extend COPPA protections to third-party gaming publishers with whom Microsoft shares children’s data. In addition, the order makes clear that avatars generated from a child’s image, and biometric and health information, are covered by the COPPA Rule when collected with other personal data”. Before the order can take effect, a federal court must approve it.
According to the COPPA Rule, online services and websites are directed to notify parents of children under 13 about the personal information they collect and acquire verifiable parental consent before collecting and using any personal information collected from children.
As per the complaint, “…From 2015-2020, Microsoft retained the data—sometimes for years—that it collected from children during the account creation process, even when a parent failed to complete the process. COPPA prohibits retaining personal information about children for longer than is reasonably necessary to fulfil the purpose for which it was collected”. It adds, “Microsoft failed to fully comply with COPPA’s notice provisions”.
Apart from the monetary penalty of USD 20 million, Microsoft will also have to:
“Inform parents who have not created a separate account for their child that doing so will provide additional privacy protections for their child by default.
Obtain parental consent for accounts created before May 2021 if the account holder is still a child.
Establish and maintain systems to delete, within two weeks from the collection date, all personal information that it collects from children for the purposes of obtaining parental consent if it has not obtained parental consent and to delete all other personal data collected from children after it is no longer necessary to fulfil the purpose for which it was collected.
Notify video game publishers when it discloses personal information from children that the user is a child, which will require the publishers to apply COPPA’s protections to that child”.
Many large corporations are being called out for playing with their customers’ privacy concerns. Last week on May 31, the FTC and the Department of Justice ordered Amazon to pay a fine of USD 25 million for violating Children’s Online Privacy Protection Act Rule (COPPA Rule). As per the complaint, “Amazon prevented parents from exercising their deletion rights under the COPPA Rule, kept sensitive voice and geolocation data for years, and used it for its own purposes while putting data at risk of harm from unnecessary access”.
Last month on May 22, FTC ordered education technology provider Edmodo to pay USD 6 million for violating COPPA guidelines. FTC states that Edmodo “…Unlawfully used children’s personal information for advertising and outsourcing compliance to school districts”. The education provider collected personal data from children without obtaining their parent’s consent.
