FTC fines Microsoft over children’s privacy
June 12, 2023
FTC fines Microsoft over children’s privacy
The Federal Trade Commission announced that Microsoft will pay a $20 million fine for alleged violations of the Children’s Online Privacy Protection Act. Specifically, the FTC alleged that Microsoft’s Xbox gaming products required users to provide a date of birth and personal information when creating an account and retained the personal information of users under 13 longer than reasonably necessary when parents did not complete the parental consent process. Additionally, Microsoft allegedly failed to fully disclose to parents all the information it collected from children.
TAKEAWAY FOR PUBLISHERS
The FTC’s proposed order includes a requirement that, when Microsoft discloses personal information from children (such as the child’s gamertag, persistent identifiers, and usage data) to third-party video game publishers, it notify those publishers (such as through an API) that the user is a child, triggering COPPA compliance requirements for not only Microsoft, but also the third-party publishers.
FTC files amended Kochava complaint
The Federal Trade Commission filed an amended complaint in its case against digital marketing and analytics company Kochava after a federal judge found that the FTC’s original complaint (filed in August 2022) failed to make sufficient allegations for an unfairness claim under the FTC Act. Kochava will have until July 5, 2023 to respond to the amended complaint, which is not publicly available.
The FTC’s original complaint alleged that Kochava engaged in unfair practices in violation of the FTC Act by selling customized data feeds with precise geolocation data collected from consumer mobile devices.
The FTC alleged that, because the data, in some cases, reveals consumer visits to sensitive locations, such as locations associated with medical care, reproductive health, religious worship, mental health, or shelters for the homeless or domestic violence survivors, Kochava’s actions are likely to cause substantial injury to consumers. It alleged that consumers cannot reasonably avoid this injury themselves and that it is not outweighed by countervailing benefits to consumers or competition.
In May 2023, the judge found that the FTC did not sufficiently allege a likelihood of substantial consumer injury, because it only alleged harms (stigma, discrimination, physical violence, and emotional distress based on the tracking of movements to and from sensitive locations) that are theoretically possible, not that consumers are suffering or likely to suffer such harms. The judge also found that the FTC failed to allege the severity of harms sufficient to make a claim for invasion of privacy.
The FTC was given 30 days to file an amended complaint to fix such insufficiencies, which the FTC filed within such time.
Legislative updates in Florida and Nevada
The Florida Governor signed SB 262 into law, implementing the Florida Digital Bill of Rights (applying comprehensive privacy requirements to certain larger businesses, as well as certain requirements for the sale of sensitive information to a broader scope of businesses) and Protection of Children in Online Spaces Act (resembling, in some respects, the California Age Appropriate Design Code). Meanwhile, the Nevada legislature passed and sent to the Governor SB370, a health data bill resembling, in some respects, the Washington My Health My Data Act, albeit without a private right of action.
Florida is the tenth state to pass a comprehensive privacy law (although some may not label it as such, given the high thresholds for application of comprehensive requirements), following California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, and Montana.
US and UK Commit in Principle to US-UK Data Bridge
As part of a larger “Atlantic Declaration”, the United States and the United Kingdom announced that the countries have committed in principle to establish a U.S.-UK Data Bridge “to facilitate data flows between the countries while ensuring strong and effective privacy protections”. The countries announced that they are working swiftly to finalize their respective assessments and implement the framework.
The US and UK will each need to go through various approval processes and administrative steps before the framework can be finalized, but once it is implemented, it will enable a streamlined process for the transfer of personal data between the countries.
A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.