Last week, the Department of Justice and the Federal Trade Commission announced a 20 million dollar settlement with Microsoft for allegedly violating the Children's Online Privacy Protection Act (COPPA). This is the third action taken by the FTC in the past month for alleged COPPA violations, coming on the heels of proceedings against Edmodo and Amazon. The action provides insight into FTC enforcement of COPPA and may fundamentally impact companies that receive information from Microsoft. Here's a summary of the Microsoft case and its impact on game publishers, developers, and distributors.
The Microsoft Action
At issue is Microsoft's online service Xbox Live (recently rebranded Xbox Network), offered on their Xbox gaming console. The Xbox Network is an online service with a tiered payment system where players can access or purchase certain online content and interact with other players.
In its complaint, the FTC alleged that Microsoft violated COPPA by failing to satisfy the notice and verifiable parental consent requirements set forth by COPPA. According to the FTC, during the Xbox Network sign-up process, Microsoft required players to provide their email addresses, first and last names, and full of date of birth, all without Microsoft giving adequate notice or seeking parental consent. This process resulted in roughly 218,000 players indicating they were under the age of 13. As a result, the FTC argued that Microsoft had actual knowledge that it collected personal information from children.
The FTC also alleged that in some instances where players identified as under the age of 13, Microsoft prompted these child players to "go get a parent" to sign into their parent's own Microsoft account. According to the FTC, this process was not sufficient to satisfy COPPA's notice or verifiable parental consent obligations.
The FTC also alleged that Microsoft configured default settings on the Xbox Network in a way that did not protect children. Microsoft sought a great deal of information from children, including account information, gamertags (pseudonymous identifiers unique to each player), profile photos, and "real" names. Children could share personal information through the Xbox Network, such as through text-based posts, player-to-player communications, voice messages, video recordings, and still images. Third-party game and app developers were able to receive access to children's personal information by default. And where parents or child users started but did not finish the account creation process, Microsoft indefinitely retained the associated information longer than reasonably necessary for the purpose for which it was collected.
Penalties
The proposed order imposes a variety of requirements on Microsoft, including a 20 million dollar civil penalty, deletion of children's personal information and accounts, maintenance of a data retention schedule, and ongoing compliance reporting. However, the most notable requirement relates to disclosures to third-party game and app developers. Under the proposed order, Microsoft must, in each instance when disclosing personal information from a child's account to any video game publisher, indicate to the publisher (such as through an API) that the user is a child under 13.
Impact on Video Game Publishers
This disclosure requirement is likely to significantly impact video game publishers with respect to their COPPA compliance. Many video game publishers have historically taken the position that they are not subject to COPPA because their games are not directed toward children under 13, and they do not have actual knowledge of children playing the games as they do not ask for player birthdates. By receiving age information from Microsoft, these video game publishers will now have actual knowledge that they are receiving personal information from children under 13.
This order furthers the trend of regulators interpreting COPPA applications and protections broadly. Gaming companies that previously did not believe they were subject to COPPA should consider reevaluating that position. With the California Age Appropriate Design Code (AADC) only a year away, gaming companies will need to adapt their practices to offer greater protections to child players.
This post first appeared in Frankfurt Kurnit's Focus on the Data blog (www.focusonthedata.com). It provides general coverage of its subject area. We provide it with the understanding that Frankfurt Kurnit Klein & Selz is not engaged herein in rendering legal advice, and shall not be liable for any damages resulting from any error, inaccuracy, or omission. Our attorneys practice law only in jurisdictions in which they are properly authorized to do so. We do not seek to represent clients in other jurisdictions.
