COPPA Battlegrounds: The Quest to Uncover the Secrets of the FTC’s Kids’ Privacy Actions

Written by Stacy Feuer, Sr. Vice President, Privacy Certified
July 5, 2023
Image generated by Canva Text-to-Image AI.

At ESRB, the non-profit, self-regulatory body for the video game industry, kids’ privacy is serious business. We do take breaks, though, from reviewing privacy policies, preparing compliance assessments, and absorbing the onslaught of privacy developments. Some of us even play and design video games when we’re not working. We are the Entertainment Software Rating Board after all!

So, for a little fun, we decided to create an imaginary video game – COPPA Battlegrounds. Join the ESRB Privacy Certified team as we dive deeply into the ongoing saga of the Federal Trade Commission’s kids’ privacy enforcement actions – cases that have resulted in hundreds of millions of dollars in fines and landmark legal remedies. Venture into new privacy territory, unlocking the mysteries of “personal information,” “privacy by default,” “data retention,” and more! Collect XPs as you explore strategies and best practices to protect young gamers’ privacy.

The Players

The “COPPA Controller”: The Federal Trade Commission (FTC) is the U.S. government agency charged with protecting consumers and competition. It is the chief federal agency that works to protect consumer privacy. Over the years, it has brought hundreds of privacy and data security cases to protect consumers and their data.

The “Digital Defendants”: Several well-known tech companies have been hit with FTC actions alleging violations of children’s privacy law in the past half year. Two – Epic Games and Microsoft Xbox – are popular video game publishers. Amazon, Meta, and the edtech company Edmodo are also in the line-up.

The Weapons and Equipment

The “Sword of COPPA”: The Children’s Online Privacy Protection Act of 1998 (COPPA) and its implementing COPPA Rule (updated in 2013) provide the FTC with a powerful weapon to protect the privacy of children under the age of 13. The law and rule (together, COPPA) require companies that offer services “directed to children,” or that have knowledge that kids under 13 are using their services, to provide notice of their data practices. They must also obtain verifiable parental consent (VPC) from parents before collecting personal information from children. COPPA also contains strong substantive protections, mandating that companies minimize the data they collect from children, honor parents’ data deletion requests, and implement strong security safeguards. To date, the FTC has brought nearly 40 COPPA enforcement actions.

The “Section 5 Superweapon”: The FTC’s true superweapon comes from Section 5 of the Federal Trade Commission Act, which prohibits unfair or deceptive practices in the marketplace. Since the advent of the internet, the FTC has used Section 5 to address a wide range of issues that affect people online, including the privacy of people purchasing and playing video games.

Policy Statement “Power-ups”: From time to time, the FTC releases policy statements that explain how the agency applies the laws it enforces. These potent statements put companies on notice that they will face legal action if they ignore the FTC’s prescriptions. In May, the FTC issued a Policy Statement on Biometric Information, which sets out a list of unfair practices relating to the collection and use of such data. Earlier, the FTC issued a Policy Statement on COPPA and EdTech that emphasized COPPA’s limits on companies’ ability to collect, use, and retain children’s data.

The Backstory

The FTC’s quest to secure a safer online environment for kids and their personal information has been ongoing since Congress passed COPPA in 1998. Previous blockbuster titles in the COPPA franchise include the FTC’s landmark 2019 settlement with Google/YouTube and the 2018 VTech and Musical.ly/TikTok actions.

COPPA has been extremely effective in giving parents information about and control over their kids’ data. There’s been an emerging consensus, however, that the legal framework for children’s privacy should be updated to include teenagers and meet the challenges of social media, mobility, ad tech, and immersive technologies – issues that weren’t present when Congress enacted the law 25 years ago. Despite the introduction of several bills in Congress to update COPPA, none have yet become law. The FTC therefore has proposed several new ideas to protect the privacy of not only children under the age of 13 but teens too. These are now playing out in the FTC’s enforcement actions.

Multiplayer Actions

During the past half year or so, the FTC has announced four new COPPA actions, plus an order against Meta/Facebook relating to a previous settlement. For video game companies, two stand out: the Epic Games/Fortnite settlement (see our earlier blog) and the Microsoft/Xbox Live settlement, announced in June. The FTC’s settlements with Amazon/Alexa and Edmodo also provide some clues to unlocking the secrets of the FTC’s COPPA enforcement mode. Consistent with ESRB Privacy Certified’s focus on privacy compliance in video games, we’ll focus our analysis on the two gaming cases. But we’ll add some insights from the NPCs (here, nonplayable “cases”), too.

Epic Games/Fortnite

Late last year, the FTC filed a two-count complaint and proposed settlement order against Epic Games. It alleged that Epic knew its massively popular game Fortnite was “directed to children” and unlawfully collected personal data from them without VPC. The FTC also charged Epic with violating the FTC Act by using unfair “on by default” voice and text chat settings that led to children and teens being bullied, threatened, and harassed within Fortnite. Epic settled with the FTC, agreeing to pay a $275 million civil penalty and to standard injunctive relief. (In the privacy area, this includes monitoring, reports, a comprehensive privacy plan, and regular, independent audits.) The final court Order entered in February also required Epic to implement privacy-protective default settings for children and teens. It also required the company to delete personal information previously collected from children in Fortnite unless the company obtains parental consent to retain such data or the user identifies as 13 or older.

Microsoft/Xbox Live

In the beginning of June, the FTC filed a one-count complaint and proposed settlement order against Microsoft alleging that its Xbox Live online service violated COPPA in three ways: (i) by collecting personal information (i.e., email address, first and last name, date of birth, and phone number) from kids under 13 before notifying their parents and getting VPC; (ii) by failing to provide clear and complete information about its data practices in COPPA’s required notices, i.e., that it didn’t tell parents that it would disclose Xbox’s customer unique persistent identifier to third-party game and app developers; and (iii) by holding on to kids’ data for years even when parents did not complete the account creation process.

Microsoft, which has long had a comprehensive privacy program, settled with the FTC for $20 million. It agreed to implement new business practices to increase privacy protections for Xbox users under 13. For example, the Order requires Microsoft to tell parents that a separate child account will provide significant privacy protections for their child by default. The company also must maintain a system to delete, within two weeks from the collection date, all personal information collected from kids for the purpose of obtaining parental consent. In addition, Microsoft must honor COPPA’s data deletion requirements by deleting all other personal data collected from children after it no longer needs it for the purpose collected.

Unearthing the Seven COPPA Revelations

Beyond the allegations and remedies of the enforcement actions, there’s a wealth of information about the FTC’s kids’ privacy priorities and practices you might want to adopt – or avoid – if you want to stay out of the sights of the COPPA Controller. Here are COPPA Battlegrounds’ seven lessons for COPPA compliance based on the FTC’s recent kids’ privacy actions:

1. Sequence your game play to obtain VPC before you collect ANY personal information from a child: The FTC’s complaint in the Xbox action emphasized that – even though Microsoft had a VPC program in place – it violated COPPA by not obtaining parental consent before it collected any personal information from kids besides their date of birth. Xbox did require children to involve their parents in the registration process, but the FTC found that Microsoft’s initial collection of kids’ email addresses, their first and last name, and phone number before obtaining consent violated COPPA’s VPC requirements. The FTC also blasted Microsoft for requiring kids to agree to the company’s service agreement, which, until 2019, included a pre-checked box allowing Microsoft to send them promotional messages and to share user data with advertisers. The FTC’s approach indicates that they will look closely at companies’ verifiable parental consent sequences, and that they will strictly enforce COPPA’s prohibition on collecting any personal information before obtaining VPC (unless an exception to VPC exists).

2. The FTC views COPPA’s “actual knowledge” standard broadly and so should you: When the FTC announced its Epic Games settlement, we reminded companies that you can’t disclaim COPPA by declaring that you don’t process children’s information or by ignoring evidence that children are playing your games. Now, with the Xbox Live settlement, the FTC has affirmed that it will enforce COPPA against any company with “actual knowledge” that the company is handling children’s personal information, regardless of whether that company has directed its service to children intentionally. Significantly, the settlement requires Microsoft – when it discloses personal information about children to other video game publishers – to tell them that the user is a child. The FTC’s requirement for Microsoft to share information about children on its platform with third parties is a game-changing move. In the FTC’s words, “[I]t will put [third-party] publishers on notice that they, too, must apply COPPA protections to that child.”

3. Your COPPA notices must be clear, understandable, and complete: The FTC emphasized that it’s not enough under COPPA’s notice provisions to summarize your collection, use, and disclosure practices generally. Instead, your direct notice must be complete. The FTC faulted Microsoft for failing to tell parents about its collection of personal information children shared through their profile or Xbox Live usage, such as their “gamertags,” photos, which kids used to create avatars, and voice recordings from video messages. The agency also alleged that Microsoft’s notice failed to inform parents that it created persistent identifiers for children, which it combined with other information, and shared with third-party game and app developers. Going forward, it’s important for companies to specify, in a clear and complete way, their practices in the notices required by COPPA, and not just provide parents with a link to a densely worded privacy policy.

4. Privacy by default is not a fad: In Epic Games, the FTC focused for the first time not just on “privacy by design” but on “privacy by default,” finding that Epic did not have “privacy-protective” default settings in Fortnite that limited kids’ contact with strangers and otherwise protected their privacy. The FTC went further in Xbox Live, emphasizing that, even though Xbox had default settings that only allowed a child to disclose their activity feed or otherwise communicate with parent-approved “friends,” Microsoft configured other defaults in a way that did not protect children sufficiently. As the FTC emphasized in a blog about the Amazon case, “[C]ompanies that ignore consumers’ rights to control their data do so at their peril . . . The upshot is clear: Any company that undermines consumer control of their data can face FTC enforcement action.”

5. Take your data minimization and retention/deletion obligations seriously: The FTC’s recent cases also highlight COPPA’s substantive provisions on data minimization and data retention. The COPPA Rule prohibits conditioning a child’s participation in a game on the child “disclosing more personal information than is reasonably necessary to participate in such activity” and allows companies to keep it “for only as long as is reasonably necessary to fulfill the purpose for which the information was collected.” In the Edmodo complaint, for example, the agency said that Edmodo violated COPPA by using the personal information it collected for advertising instead of limiting it to educational purposes.

In the Xbox Live case, the agency chided Xbox for holding onto kids’ data when the parental verification process was incomplete, sometimes for years. Although Microsoft described this as a “technical glitch,” and explained that this data “was never used, shared, or monetized,” the FTC doubled down on its concerns with company data retention practices that violate COPPA. Indeed, in the Amazon Alexa case, the FTC charged that Amazon made it difficult for parents to exercise their right, under COPPA, to delete their children’s voice recording data. It further alleged that Amazon disregarded parents’ deletion requests, retained kids’ voice recordings indefinitely, and misled parents about its data deletion practices (e.g., by retaining copies of transcripts of voice recordings). The FTC is wielding the “Sword of COPPA” to press for meaningful data minimization, purpose limitation, and data retention/deletion practices.

6. Be especially careful when dealing with kids’ biometric data, algorithms, and machine learning: The FTC’s Xbox Live settlement covers biometric information like avatars generated from a child’s image and emphasizes COPPA’s strict limitations on the retention of this type of data from kids. In the Amazon case, the agency was clearly troubled by Amazon’s retention of kids’ voice recordings, which count as biometric info, indefinitely. One of the FTC Commissioners emphasized this point, stating that “Claims from businesses that data must be indefinitely retained to improve algorithms do not override legal bans on indefinite retention of data.” Consider yourself warned!

7. Privacy Innovation Can Help You Comply with COPPA: Not all the privacy-protective action in COPPA Battlegrounds comes from the FTC. Even before the settlement, Epic Games announced that it was creating “Cabined Accounts” to provide safe, tailored experiences for younger players. Following the FTC’s action, Microsoft unveiled its plans to test “next-generation identity and age validation” methods to create a “convenient, secure, one-time process for all players that will allow us to better deliver customized, safe, age-appropriate experiences.” Xbox explained that the entire games industry can benefit from advancing safe and innovative digital experiences that are accessible, simple to use, and benefit all players. We agree! Many ESRB Privacy Certified members are developing new strategies and tools to enhance kids’ privacy. Achievement unlocked!

The Final Conquest

Congratulations on completing the breakout version of COPPA Battlegrounds! You can now take your kids’ privacy program to the next level. Contact us at [email protected] if you’d like to discuss how your company can prevail in COPPA Battlegrounds – and its inevitable sequels.

As senior vice president of ESRB Privacy Certified (EPC), Stacy Feuer ensures that member companies in the video game and toy industries adopt and maintain lawful, transparent, and responsible data collection and privacy policies and practices. She oversees compliance with ESRB’s privacy certifications, including its “Kids Certified” seal, which is an approved Safe Harbor program under the Federal Trade Commission’s Children’s Online Privacy Protection Act (COPPA) Rule, and the general “Privacy Certified” seal.