The federal government is putting tech companies on notice that it plans to go after them if they violate federal rules protecting children’s privacy. The Federal Trade Commission (FTC) settled cases with Amazon on May 31 and Microsoft on June 5 dealing with violations of the Children’s Online Privacy Protection Act Rule (COPPA).
Amazon Required to Pay $25 Million
Amazon boasts that it “builds its devices with your privacy in mind.” But the company does not always live up to its promises.
The FTC’s lawsuit charged the retail giant with violating COPPA by keeping children’s voice recordings forever and ignoring parents’ requests to delete them.
Amazon “prominently and repeatedly” assured its users, including parents, that they could delete voice recordings collected from its Alexa voice assistant and geolocation information collected by the Alexa app, according to the federal complaint. The company broke its promises, the lawsuit alleged, when it kept sensitive voice and geolocation data for years and used the information “it unlawfully retained” to help improve the Alexa algorithm.
“Amazon’s history of misleading parents, keeping children’s recordings indefinitely, and flouting parents’ deletion requests violated COPPA and sacrificed privacy for profits,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection. “COPPA does not allow companies to keep children’s data forever for any reason, and certainly not to train their algorithms.”
The COPPA Rule requires the operators of commercial websites or online services directed to children under 13 years old to notify parents about the information they collect from children, obtain parental permission to collect that data, and allow parents to have that information deleted at any time. The rule also prohibits the service from keeping the data collected from children under 13 for longer than is “reasonably necessary to fulfill the purpose for which the information was collected.”
The FTC said Amazon failed to create an effective system to ensure that it honored data deletion requests and to give parents meaningful notice about deletion. “Even when Amazon discovered its failures to delete geolocation data,” the commission said, “Amazon repeatedly failed to fix the problems.”
Amazon insists it did not violate the law, but in a statement to Checkbook explained why it settled this case:
“At Amazon, we take our responsibilities to our customers and their families very seriously. We built Alexa with strong privacy protections and customer controls, designed Amazon Kids to comply with COPPA, and collaborated with the FTC before expanding Amazon Kids to include Alexa. While we disagree with the FTC’s claims and deny violating the law, this settlement puts the matter behind us. As part of the settlement, we agreed to make a small modification to our already strong practices, and will remove child profiles that have been inactive for more than 18 months unless a parent or guardian chooses to keep them.”
Amazon has agreed to pay a $25 million civil penalty, change its business practices, and institute strong privacy safeguards. These proposed provisions would:
• Prohibit Amazon from using geolocation, voice information, and children’s voice information subject to consumers’ deletion requests for the creation or improvement of any data product.
• Require the company to delete inactive children’s Alexa accounts.
• Require Amazon to notify users of its retention and deletion practices and controls, and prohibit misrepresenting its privacy policies.
• Mandate the creation and implementation of a privacy program related to the company’s use of geolocation information.
Josh Golin, executive director of Fairplay, a nonprofit dedicated to helping kids thrive in an increasingly commercialized culture, praised the FTC for bringing this case.
“It’s just wrong to give parents the illusion that they have some control when you’re actively undermining their intent and what they want to do with their children’s data. And we need to respect parents as gatekeepers and as guardians for their children,” Golin said.
This case will do more than hold Amazon accountable, Golin told Checkbook. He believes it sends a clear message to other online companies that the FTC is watching, and they need to follow the law by deleting information collected from children after they’ve used it for the original purpose.
Microsoft Agrees to Pay $20 Million Penalty
The FTC charged Microsoft with violating COPPA by collecting personal information from children who created an Xbox account without notifying their parents or obtaining parental permission, and then by “illegally” retaining that personal information.
Xbox users can sign up to play games or chat with other players through Xbox Live. To create an account, Xbox requires users to provide their full name, email address, and birthdate. In its complaint, the FTC alleged that even when a user indicated they were under 13 years old, they were also asked (until late 2021) to provide additional personal information, including a phone number. Microsoft did not require anyone who indicated they were under 13 to involve a parent in completing the account creation process until after they provided this personal information, the lawsuit alleges.
Microsoft did not fully comply with COPPA’s parental notice provisions, the FTC claims, by not disclosing all the information it collected about children, such as the child’s profile picture.
“Our proposed order makes it easier for parents to protect their children’s privacy on Xbox, and limits what information Microsoft can collect and retain about kids,” the FTC’s Levine said. “This action should also make it abundantly clear that kids’ avatars, biometric data, and health information are not exempt from COPPA.”
In a post on the Xbox website, Dave McCarthy, corporate vice president of Xbox Player Services, said, “Regrettably, we did not meet customer expectations and are committed to complying with the order to continue improving upon our safety measures. We believe that we can and should do more, and we’ll remain steadfast in our commitment to safety, privacy, and security for our community.”
In addition to the monetary penalty, Microsoft has agreed to change its business practices. It now will:
• Inform parents who have not created a separate account for their child that doing so will provide additional privacy protections for their child by default.
• Obtain parental consent for accounts created before May 2021 if the account holder is still a child.
• Establish and maintain systems to delete, within two weeks from the collection date, all personal information that it collects from children for the purposes of obtaining parental consent (if it has not obtained parental consent), and to delete all other personal data collected from children after it is no longer necessary to fulfill the purpose for which it was collected.
• Notify video game publishers, when it discloses personal information from children, that the user is a child, which will require the publishers to apply COPPA’s protections to that child.
Protect Yourself
The FTC encourages parents to customize the privacy settings on digital devices, when possible, especially those used by children. If a device or an app doesn’t need the info it collects, such as the user’s location, turn off that feature. If the device or app does need it, consider limiting access to only when the device or app is in use.
More Info from the FTC:
• Protecting Your Child’s Privacy Online
• Complying with COPPA: Frequently Asked Questions
Related from Checkbook: Identity Theft: Are You Protecting Your Kids?
Herb Weisbaum, The ConsumerMan, is a contributing editor at Checkbook.org, a nonprofit organization with a mission to help consumers get good service and low prices. It does this by providing unbiased ratings, advice, and price information. Checkbook is supported by consumers and takes no money from the service providers it evaluates.