Never a Dull Moment in Kids’ Privacy: The FTC Goes After Xbox

Mere months after making waves with a historic $520 million penalty against Epic Games (which we wrote about previously here), the FTC has followed up with a $20 million penalty against Microsoft in connection with its Xbox Live service. Again, the complaint primarily focuses on alleged Children’s Online Privacy Protection Act (COPPA) violations, which the FTC cataloged after a lengthy investigation. If $20 million seems like a drop in the bucket for a company as large as Microsoft, that is because these violations are not as shocking as in other enforcements we have seen. But even if the penalty is smaller, there is still a great deal to take away from this settlement, especially if you are a developer or publisher of console games.

The Investigation

The FTC complaint covers a lot of ground chronologically, referencing conduct as far back as 2015. This was a long-running investigation, and the FTC acknowledges that Microsoft fixed the compliance issues brought to its attention while the investigation was in progress. It’s also clear that Microsoft put serious time and effort into building a COPPA-compliant program, and the FTC complaint does acknowledge some things Microsoft did right, such as involving parents in the registration process for any child who self-identified as under 13 during sign-up and disabling profile sharing and certain types of communications for child accounts by default. Still, there were some slip-ups, such as:

  • Unnecessary data collected prior to parental consent: After the child indicated they were under 13 but before the parental consent portion of the registration flow, Microsoft asked the child to provide their phone number, accept Microsoft’s Services Agreement and Privacy Statement, and decide whether or not Microsoft could send them promotional offers or share their information with advertisers (note, these were pre-checked boxes). The FTC argued there was no reason a child should be asked to provide these types of information or consents before their parent had signed off.

  • Insufficient parental notice: Until it was updated, Microsoft’s notice to parents was allegedly incomplete and confusing. The FTC argued that the notice lacked disclosures that Microsoft might collect images containing the child’s likeness as well as audio and video recordings of the child. Likewise, Microsoft failed to adequately disclose with whom it shared the child’s information, specifically that it shared it with third-party game publishers. Simply pointing parents to a general privacy statement was deemed insufficient.

  • Accidental data retention: Due to what Microsoft is calling a “glitch,” the company retained the personal information of approximately 10 million individuals, including children, who started but did not finish the account creation process. Microsoft had a policy to delete that data after 14 days, but the policy was not enforced in this case.

Key Takeaways

If you’re a video game developer or publisher, there are three main takeaways from this settlement.

  1. Triple-check all your kid-oriented registration flows, consents, and notices. Despite the amount of effort that Microsoft clearly put into protecting children on its platform, there were still flaws and compliance issues that the FTC uncovered over the course of its investigation. Companies need to walk through each step of their registration flow and note when and where personal data is collected and which consents are requested, especially when minors are involved. Companies that serve children should draft bespoke, comprehensive disclosures to parents, ideally separate from the privacy policy, that explain in plain language what data will be collected from their children and with whom it will be shared.

  2. Have a plan for handling incoming age signals from platforms. Arguably the most impactful part of this settlement for any game maker who publishes on console is the FTC’s remedy. Going forward, Microsoft must “notify video game publishers when it discloses personal information from children that the user is a child, which will require the publishers to apply COPPA’s protections to that child.”

    This is huge – it means that every single publisher on Xbox, regardless of their game’s age rating or previous marketing efforts, will now obtain actual knowledge that some of their players are children, and thus will have to comply with COPPA.  Put another way, even if you are a publisher who takes every precaution to avoid marketing your game to kids, and even if your game would not otherwise be seen as appealing to kids, you still need to worry about COPPA following this settlement, because your COPPA obligations kick in as soon as you receive actual knowledge from Microsoft that any specific player is a child.

    Will publishers of adult-directed games simply ban these children from online play? What if these children have already made purchases? This may ultimately be the most significant impact of this case on the games industry, and it’s likely other console platforms will follow suit as well.

  3. A note on FTC enforcement priorities. In the past, the common feature with most FTC enforcements in the gaming industry was that kids’ data was being used or shared in a way that was causing real harm – exposing them to harassment, leading to exploitation, or leading to them getting bombarded with invasive targeted ads or tricked into making unwanted purchases. This case is a bit different, though. Even with respect to the data that Microsoft accidentally retained from people who didn’t complete their account registrations, “The data was never used, shared, or monetized” according to Microsoft’s statement. Yes, there were compliance issues in the registration flow, with phone numbers and consents collected improperly and parental notices that were insufficient, but the actual harm to kids is less obvious here than in other cases. What can we make of this?

    Remember that this investigation covered years of activity, and in 2015 moral panic around kids’ use of video games was especially high. Xbox Live was practically synonymous with viral videos of children screaming obscenities over voice chat while playing online shooters – it’s clear that parents were (and remain) concerned about this behavior and were looking for the platforms to take more responsibility.

    The takeaway for the video game industry is simple: listen when parents complain. If your game is perceived as harming kids for any reason, then you run a very real risk of an FTC investigation using privacy as their “hook” to go after any number of consumer harms. Once that investigation starts, it's more likely than not the regulator will find some fault in your program, even one caused by an accidental “glitch.” Ultimately, the best way to avoid a regulatory enforcement is to avoid being on the regulator’s radar in the first place. Promptly addressing complaints from players, especially from parents with respect to their children, is still the best way to reduce regulatory risk.
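The registration-flow walkthrough in takeaway 1 can be turned into a repeatable check rather than a one-time review. The following is an added example, not code from the FTC complaint or from Microsoft: a small model of a sign-up flow for a self-identified under-13 user, audited for the three slip-ups described above (personal data or consents requested before the parental-consent step, marketing and ad-sharing toggles that default to “on”, and abandoned registrations kept past the retention window). Step names, field names, the set of fields allowed before consent, and the 14-day window are all illustrative assumptions.

```python
"""
Added example (not from the FTC complaint or Microsoft's code): a model of an
under-13 sign-up flow plus an audit that flags the compliance slip-ups the
settlement describes. Step names, field names and the 14-day retention window
are illustrative assumptions, not a description of any real product.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumption: the only data a child may be asked for before a parent signs off
# is what the age screen needs and a way to reach the parent.
PRE_CONSENT_ALLOWED = {"birthdate", "parent_email"}


@dataclass
class Step:
    name: str
    collects: set = field(default_factory=set)     # fields gathered at this step
    consents: dict = field(default_factory=dict)   # toggle name -> default value


def audit_flow(steps, consent_step="parental_consent"):
    """Return a list of findings for a child's registration flow.

    Flags: personal data requested before the parental-consent step, any consent
    put to the child before that step, and any consent toggle that is pre-checked.
    """
    findings = []
    before_consent = True
    for step in steps:
        if step.name == consent_step:
            before_consent = False
        if before_consent:
            for name in sorted(step.collects - PRE_CONSENT_ALLOWED):
                findings.append(f"{step.name}: collects '{name}' before parental consent")
            for toggle in step.consents:
                findings.append(f"{step.name}: asks child for consent '{toggle}' before parental consent")
        for toggle, default_on in step.consents.items():
            if default_on:
                findings.append(f"{step.name}: consent '{toggle}' is pre-checked")
    return findings


# Constructed flow in the shape the complaint describes: phone number and
# consents (two of them pre-checked) requested before the parent is involved.
AS_DESCRIBED = [
    Step("age_gate", {"birthdate"}),
    Step("contact", {"phone"}),
    Step("terms", consents={"accept_services_agreement": False,
                            "promo_offers": True,
                            "share_with_advertisers": True}),
    Step("parental_consent", {"parent_email"}),
    Step("profile", {"gamertag"}),
]

# Constructed corrected flow: parent first, every toggle defaults to off.
CORRECTED = [
    Step("age_gate", {"birthdate"}),
    Step("parental_consent", {"parent_email"}),
    Step("contact", {"phone"}),
    Step("terms", consents={"accept_services_agreement": False,
                            "promo_offers": False,
                            "share_with_advertisers": False}),
    Step("profile", {"gamertag"}),
]


@dataclass
class PendingRegistration:
    user_id: str
    started_at: datetime
    completed: bool


def purge_abandoned(pending, now, max_age=timedelta(days=14)):
    """Enforce the retention rule for unfinished sign-ups.

    Returns (records to keep, ids of purged records). Completed registrations
    are never touched here; unfinished ones older than max_age are dropped.
    """
    kept, purged = [], []
    for rec in pending:
        if not rec.completed and now - rec.started_at > max_age:
            purged.append(rec.user_id)
        else:
            kept.append(rec)
    return kept, purged


if __name__ == "__main__":
    for finding in audit_flow(AS_DESCRIBED):
        print("FINDING:", finding)
    print("corrected flow findings:", audit_flow(CORRECTED))

    now = datetime(2024, 1, 20, tzinfo=timezone.utc)   # constructed clock
    pending = [
        PendingRegistration("A", datetime(2024, 1, 1, tzinfo=timezone.utc), False),
        PendingRegistration("B", datetime(2024, 1, 10, tzinfo=timezone.utc), False),
        PendingRegistration("C", datetime(2023, 12, 1, tzinfo=timezone.utc), True),
    ]
    kept, purged = purge_abandoned(pending, now)
    print("purged:", purged, "kept:", [r.user_id for r in kept])
```

Running the audit against the as-described flow reports six findings (the phone number, three consents put to the child before the parent, and two pre-checked boxes); the corrected flow reports none. The point of `purge_abandoned` is that the retention rule is code that runs on a schedule, which is exactly the control that a “glitch” defeats when deletion is left to a policy document.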
