Multimillion dollar settlements against
Those cases, as well as a deal with educational-tech platform Edmodo, actualize a commitment the FTC made last year to enforce the “full breadth” of the federal Children’s Online Privacy Protection Act. The 1998 statute requires online businesses to adhere to a set of guidelines that aim to give parents direct control over how data about their children under age 13 is collected and retained.
The commission has already brought more COPPA enforcement actions this year than in any other since Democratic Chair Lina Khan took charge in 2021, according to a Bloomberg Law analysis of agency data. That uptick comes as new agency rulemaking for the law remains stalled and legislative updates are uncertain.
The recent settlements demonstrate the agency’s increased familiarity with COPPA as it starts enforcing more technical violations, such as improper storage of kids’ data, and they serve as a useful reference to avoid potential FTC scrutiny, lawyers and former agency officials said.
“These cases as a group are the most important manifestation of that commitment,” said former FTC Chair William Kovacic, who led the agency during the George W. Bush administration.
“It’s important to have a smaller enterprise in the focus for enforcement as well as well known globally recognized enterprises,” added Kovacic, now a law professor at George Washington University. “Collectively, that’s an effective way to deliver on the strategy and priorities that the commission set for itself.”
Data ‘Violations’
This week, Microsoft agreed to pay $20 million to settle FTC claims that it collected and kept identifying data of Xbox Live users who were under 13 without parental permission.
The company, which owns the developer of the Minecraft video game popular with kids, attributed the issue to a “data retention glitch.”
Amazon last week reached a $25 million settlement with the agency, which accused its Alexa-enabled speakers of retaining children’s voice recordings indefinitely and failing to fully allow parents to delete the data.
The e-commerce and technology giant denied violating COPPA and said it disagrees with the agency’s claims in a statement to Bloomberg Law.
California-based Edmodo, which shuttered its US business last year, faces a $6 million FTC fine for using kids’ data for advertising without proper consent, if the company resumes operating in the US. The agency alleged the edtech company didn’t provide information about its data collection practices to schools and teachers, and improperly relied on them to provide tracking consent on behalf of parents.
Entities of all sizes that collect kids’ data should take note that the latest COPPA settlements don’t just target some of the biggest tech companies, said Melissa Krasnow, a partner practicing in privacy compliance at VLP Law Group LLP.
“Even if you’re a small provider, even if you cease to do business in the US, they will still come after you for things you’ve done before that were out of compliance,” Krasnow said.
Microsoft and Edmodo didn’t return requests for comment.
Shifting Priorities
More recent FTC enforcement indicates the agency appears to have shifted away from factoring in as heavily a company’s compliance efforts when it decides to bring a COPPA enforcement action, said Tyler Newby, a Fenwick & West LLP partner who advises clients on complying with the kids’ privacy law.
“Where in the past, actual harm resulting from a technical violation had more bearing on whether there would be an enforcement action or what the penalty would be, I think that’s not the case now,” he said. “I think they are more enforcing it on a more pure strict liability basis with less regard for intent to comply.”
Keeping clients abreast of changes to their compliance program can prove challenging, however, because the FTC hasn’t revised the rules that dictate its enforcement of the law since 2013, he said.
In 2019, the agency launched a review and sought public comments about the effectiveness of its COPPA enforcement. However, it has yet to issue a proposed rule.
The absence of updated guidance, Newby said, can lead to a lack of clarity in the tech industry about what to expect from the FTC.
An agency spokesperson said in an email to Bloomberg Law that it had no updates on potential rulemaking.
“Our recent COPPA actions should send a strong message to the marketplace that the FTC will use every tool at its disposal to ensure companies protect and secure sensitive personal data they collect—particularly data they collect from children,” the FTC spokesperson said.
Future Regulations?
Kovacic, the former FTC chair, said the information gleaned from settlements with the likes of Edmodo and Microsoft often serves as the basis for eventual rule changes.
“Doing detailed work on individual matters gives you insight into how the larger framework is operating,” he said.
Agency officials may now have better grasp on how edtech companies set agreements with schools after investigating Edmodo, for example, he said.
The edtech provider was accused by the FTC of unfairly burdening schools with COPPA compliance obligations it was supposed to meet.
The agency’s recent actions could also spur state attorneys general to take a closer look at privacy compliance in their area, Krasnow said.
Updating Privacy Compliance
Companies likely already have compliance programs established if they collect consumer data, but should scrutinize them against the COPPA violations presented by the agency in its latest enforcement actions, Kovacic said.
“One theme that comes through is you can’t use personal information acquired for the purpose of the educational mission to pitch ads to children, unless you’ve gotten the direct approval of their parents,” Kovacic said.
Newby said attorneys can also use the agency’s complaints as a resource for updating privacy compliance advice while they wait for updated rules.
Since the Edmodo settlement was announced, he’s been advising clients to make sure they have a standalone privacy notice wherever they’re collecting children’s data online.
“FTC is very clear that simply pointing at a hyperlink to a general privacy policy in the terms of service requirement does not satisfy the direct notice requirement, and that there needs to be a more clear standalone children’s privacy notice,” Newby said.
Krasnow of VLP added that edtech companies and school districts also could reassess their contractual agreements to ensure the responsibilities for obtaining proper consent complies with COPPA.
For all three companies, the agency took issue with how they approached COPPA’s parental consent provision.
Data collectors should study carefully their compliance with each provision highlighted in the enforcement actions, Kovacic said.
“Having a nominal compliance framework in place is not enough unless it actually delivers the right results,” he said.
