In three separate cases, the FTC brought claims that companies collecting children’s information violated the Children’s Online Privacy Protection Act (COPPA), requiring the companies to comply with COPPA, delete inactive data, provide notices to parents, and pay millions in fines. The cases make clear that the FTC expects companies to comply with COPPA across industries and is increasingly focused on data retention.
Among other requirements, the COPPA Rule requires operators of online services to provide notice of its collection practices to and obtain verifiable consent from parents before collecting personal information from children under the age of 13 and allow parents to demand the deletion of that information at any time. Even absent a deletion request, online services may not retain information collected from children for longer than is reasonably necessary to provide the service.
Most recently, the FTC alleged that Microsoft knowingly collected personal information from children before notifying parents and obtaining parental consent. According to the Commission, after users indicated they were under 13, but before getting parental consent Microsoft’s Xbox platform collected personal information (like a phone number) from such users and prompted them to accept Microsoft’s Services Agreement and Privacy Statement – which included pre-checked boxes that stated “Send me promotional offers from Microsoft” and “Enhance my online experiences by letting Microsoft Advertising use my account information.” Microsoft also purportedly failed to tell parents that it disclosed some of this information to third parties, such as game developers. In addition, the FTC alleged that in many instances, Microsoft indefinitely retained children’s personal information collected during such account creation, even when the account process was not completed.
Among other requirements, the proposed order requires Microsoft to delete all personal information that it collects from children for the purposes of obtaining parental consent if it has not obtained parental consent within two weeks. Microsoft also must notify video game publishers when it discloses personal information from children that the user is a child, which will require the publishers to apply COPPA’s protections to that child.
The Microsoft case follows closely on the heels of another COPPA case against a tech giant. The FTC alleged that Amazon retained children’s voice recordings and transcripts collected through voice enabled devices (like Echo), indefinitely, unless a parent actively deleted them. Even upon a deletion request, Amazon supposedly failed to fully honor such requests because it continued to retain the users’ voice transcript information and geolocation information for its own use, such as improving its algorithm. The FTC argued that users’ information—including information from children—was retained for longer than reasonably necessary to fulfill the purpose for which it was collected. The FTC’s complaint also highlighted the discrepancy between Amazon’s public statements touting Alexa’s privacy features and the company’s practice of having the default setting save users’ voice recordings and transcripts (even when a user no longer used their Alexa profile) and failing to delete users’ geolocation data upon request.
In addition to charging Amazon with COPPA violations and engaging in deceptive practices, the FTC contended that Amazon’s practices were also unfair because its retention of data after users requested deletion caused “users [to] suffer injuries to their privacy due to the unauthorized use of their information.” This suggests the FTC is willing allege pure privacy harms to bring an unfairness count, even where users suffer no financial, physical, social, reputational, or other more common harms associated with an unfairness claim.
As part of the proposed order, Amazon is prohibited from using any children’s personal information, including Alexa app geolocation information and voice information, once that information is subject to a deletion request. The company must also delete personal information associated with child profiles that have been inactive for 18 months or more.
These cases align with a case brought by the FTC against an ed tech provider, Edmodo. Here, the FTC alleged that Edmodo violated COPPA by retaining personal information collected online from children indefinitely, and had gathered 36 million student accounts, even though only one million student accounts were actively using the platform.
The proposed order included a requirement that Edmodo maintain and adhere to a schedule that deletes children’s information within one year after the termination of its agreement with a school or within one year after the information was generated for information not collected under direct control of a school.
According to the FTC, Edmodo failed to obtain adequate consent under COPPA before collecting personal information from children—either from schools themselves or by relying on schools or teachers to get consent from parents. The agency found Edmodo’s process deficient under COPPA because Edmodo never sufficiently provided the school or teacher with direct notice of its practices, thereby preventing schools from providing authorization on behalf of parents or having information to obtain consent from parents. In its complaint, the FTC also claimed that schools and teachers could not have provided consent for all of Edmodo’s processing because school consent is limited to educational purposes and Edmodo was, allegedly, using children’s personal information for advertising purposes. In its policy statement released last May, the FTC highlighted compliance matters it would focus on when investigating potential ed tech violations of COPPA.
These cases highlight the Commission’s continued focus on children’s privacy, including aspects that the agency has not enforced on before—such as education technology and retention of children’s data for product improvement. Because certain of COPPA’s standards are amorphous and the law imposes strict liability on violators, enforcers can flex the statute to take action to address other policy priorities. Commissioner Bedoya said as much in his statement accompanying the Amazon decision, which focuses on “send[ing] a message” to “the tech industry as a whole,” which he said is racing to amass data for large language models. Under COPPA, at least, indefinite data retention for these purposes is a nonstarter.