FTC fines Microsoft over children’s privacy

Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.

United States

FTC fines Microsoft over children’s privacy

The Federal Trade Commission announced that Microsoft will pay a $20 million fine for alleged violations of the Children’s Online Privacy Protection Act. Specifically, the FTC alleged that Microsoft’s Xbox gaming products required users to provide a date of birth and personal information when creating an account and retained the personal information of users under 13 longer than reasonably necessary when parents did not complete the parental consent process. Additionally, Microsoft allegedly failed to fully disclose to parents all the information it collected from children. 

TAKEAWAY FOR PUBLISHERS

 The FTC’s proposed order includes a requirement that Microsoft notify third-party video game publishers (such as through an API) when it discloses personal information from children (such as the child’s gamertag, persistent identifiers, and usage data) that the user is a child, triggering COPPA compliance requirements from not only Microsoft, but also the third-party publishers. 

FTC files amended Kochava complaint

The Federal Trade Commission filed an amended complaint in its case against digital marketing and analytics company Kochava after a federal judge found that the FTC’s original complaint (filed in August 2022) failed to make sufficient allegations for an unfairness claim under the FTC Act. Kochava will have until July 5, 2023 to respond to the amended complaint, which is not publicly available. 

BACKGROUND

The FTC’s original complaint alleged that Kochava engaged in unfair practices in violation of the FTC Act by selling customized data feeds with precise geolocation data collected from consumer mobile devices.

The FTC alleged that, because the data, in some cases, reveals consumer visits to sensitive locations, such as locations associated with medical care, reproductive health, religious worship, mental health, or shelters for the homeless or domestic violence survivors, Kochava’s actions are likely to cause substantial injury to consumers. It alleged that consumers cannot reasonably avoid this injury themselves and that is not outweighed by countervailing benefits to consumers or competition.

In May 2023, the judge found found that the FTC did not sufficiently allege a likelihood of substantial consumer injury, because it only alleged harms (stigma, discrimination, physical violence, and emotional distress based on the tracking of movements to and from sensitive locations) that are theoretically possible, not that consumers are suffering or likely to suffer such harms. The judge also found that the FTC failed to allege the severity of harms sufficient to make a claim for invasion of privacy.

The FTC was given 30 days to file an amended complaint to fix such insufficiencies, which the FTC filed within such time.  

Legislative updates in Florida and Nevada

The Florida Governor signed SB 262 into law, implementing the Florida Digital Bill of Rights (applying comprehensive privacy requirements to certain larger businesses, as well as certain requirements for the sale of sensitive information to a broader scope of businesses) and Protection of Children in Online Spaces Act (resembling, in some respects, the California Age Appropriate Design Code). Meanwhile, the Nevada legislature passed and sent to the Governor SB370, a health data bill resembling, in some respects, the Washington My Health My Data Act, albeit without a private right of action. 

TAKEAWAY

Florida is the tenth state to pass a comprehensive privacy law (although some may not label it as such, given the high thresholds for application of comprehensive requirements), following California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, and Montana. 

UK

US and UK Commit in Principle to US-UK Data Bridge

As part of a larger “Atlantic Declaration”, the United States and the United Kingdom announced that the countries have committed in principle to establish a U.S.-UK Data Bridge “to facilitate data flows between the countries while ensuring strong and effective privacy protections”. The countries announced that they are working swiftly to finalize their respective assessments and implement the framework.

TAKEAWAY

 The US and UK will each need to go through various approval processes and administrative steps before the framework can be finalized, but once it is implemented, it will enable a streamlined process for the transfer of personal data between the countries.

Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.