The Federal Trade Commission (FTC) has settled several high-profile Children’s Online Privacy Protection Act (COPPA) enforcement cases in 2023, including cases against Microsoft, Amazon, and Fortnite maker Epic Games. We’ve analyzed the cases to tease out key takeaways that can help US businesses improve their COPPA practices.
Recent COPPA Enforcement in the US
Microsoft’s COPPA Settlement – $20 Million
Microsoft will pay $20 million to settle charges that it violated COPPA when it collected children’s data without parental consent and retained that data. It will also be required to boost its children’s privacy practices.
The claim arose from Microsoft’s poor privacy practices relating to its Xbox gaming system. Microsoft’s sign-up process asked users to provide their email address, name, date of birth and, prior to late 2021, their phone number. Despite some users flagging that they were children under 13, Microsoft collected and retained this information without requesting parental consent.
Under the settlement order, Microsoft will also be required to:
- Provide additional notices to parents who have not created a separate account for their child that doing so will provide privacy protections for their children under 13 by default;
- Obtain parental consent for accounts created before May 2021 (where the user is still a child today);
- Establish and implement compliant data retention and deletion processes for children’s data; and
- Implement systems that notify publishers when disclosed information relates to a child and that require publishers to apply COPPA protections.
Interestingly, the order also clarifies that avatars generated from a child’s image fall under COPPA.
Amazon’s COPPA Settlement – $25 Million
Amazon was accused of ‘prominently and repeatedly’ assuring users that voice recordings collected through the Alexa voice assistant and geolocation information collected through the app could be deleted. However, Amazon retained the information for years to use it to improve its Alexa algorithm.
This was a COPPA issue because Amazon collected voice recordings from children and stored them indefinitely. When parents asked Amazon to delete the information, it kept transcripts of what kids said.
In addition to the $25 million penalty, Amazon will be required to delete the data and inactive children’s Alexa accounts. It must also implement significant changes to its privacy notices and data retention and deletion processes.
Epic’s COPPA Settlement – $275 Million (The Largest Ever)
The FTC settled its claim against Epic Games, Inc – the company behind the immensely popular game Fortnite – for $520 million. This comprised $275 million for COPPA violations and $245 million in refunds for customers who were tricked (through deceptive dark patterns) into making purchases. Each of these settlements was for a record-breaking sum.
Regarding the COPPA violations, the FTC alleged that Epic:
- Collected personal information from children under 13 without notifying their parents or obtaining their parents’ verifiable consent; and
- Enabled real-time voice and text chat communications for children and teens by default, in violation of the prohibition against unfair practices.
In addition to the financial penalty, Epic must also:
- Delete previously collected personal data for children under 13 unless their parents provide affirmative consent for Epic to keep it.
- Establish and implement a privacy program that addresses the issues identified by the FTC. This program will be subject to regular independent audits.
“The Justice Department takes very seriously its mission to protect consumers’ data privacy rights,” said Associate Attorney General Vanita Gupta. “This proposed order sends a message to all online providers that collecting children’s personal information without parental consent will not be tolerated.”
Key Takeaways for US Businesses
COPPA is a current enforcement priority for the FTC and DOJ. Based on the above settlements, US businesses should strive to implement or improve the following processes to promote COPPA compliance:
- If your business operates a child-directed website, it is critical that you obtain verifiable consent from parents before collecting personal information from children under 13. Consider asking for age at the outset so you know right away whether you need to collect parental consent.
- Collect verifiable parental consent before generating avatars for children.
- Make sure you’re providing notice to parents about what types of information you are collecting and be aware that this generally requires two forms of notice – an online notice and a direct notice to parents.
- Establish and maintain robust data deletion processes to ensure you delete children’s data within a reasonable period.
If you need to improve your privacy compliance, reach out. Our attorneys would love to help.