Microsoft will pay $20 million to settle Federal Trade Commission charges that it violated the Children’s Online Privacy Protection Act (COPPA) by collecting personal information from children who signed up to its Xbox gaming system without notifying their parents or obtaining their parents’ consent, and by illegally retaining children’s personal information.

 “Our proposed order makes it easier for parents to protect their children’s privacy on Xbox, and limits what information Microsoft can collect and retain about kids,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “This action should also make it abundantly clear that kids’ avatars, biometric data, and health information are not exempt from COPPA.”

As part of a proposed order filed by the Department of Justice on behalf of the FTC, Microsoft will be required to take several steps to bolster privacy protections for child users of its Xbox system. For example, the order will extend COPPA protections to third-party gaming publishers with whom Microsoft shares children’s data. In addition, the order makes clear that avatars generated from a child’s image, and biometric and health information, are covered by the COPPA Rule when collected with other personal data. The order must be approved by a federal court before it can go into effect.

The COPPA Rule requires online services and websites directed to children under 13 to notify parents about the personal information they collect and to obtain verifiable parental consent before collecting and using any personal information collected from children. According to a complaint also filed by DOJ, Microsoft violated the COPPA Rule’s notice, consent and data retention requirements.

Microsoft’s Xbox gaming products allow users to play and chat with other players through its Xbox Live service. To access and play games on an Xbox console or use any of the other Xbox Live features, users must create an account, which requires users to provide personal information including their first and last name, email address and their date of birth. Even when a user indicated that they were under 13, they were also asked, until late 2021, to provide additional personal information including a phone number and to agree to Microsoft’s service agreement and advertising policy, which until 2019 included a pre-checked box allowing Microsoft to send promotional messages and to share user data with advertisers, according to the complaint.

It wasn’t until after users provided this personal information that Microsoft required anyone who indicated they were under 13 to involve their parent. The child’s parent then had to complete the account creation process before the child could get their own account. According to the complaint, from 2015-2020 Microsoft retained the data—sometimes for years—that it collected from children during the account creation process, even when a parent failed to complete the process. COPPA prohibits retaining personal information about children for longer than is reasonably necessary to fulfill the purpose for which it was collected.

After a child makes an account, they can create a profile that will include their “gamertag,” which is the primary identifier visible to the user and other Xbox Live users, and can also upload a picture or include an avatar, which is a figure or image that represents the user. According to the complaint, Microsoft combined this information with a unique persistent identifier it creates for each account holder, even children, and could share this information with third-party game and app developers. Microsoft allowed—by default—all users, including children to play third-party games and apps while using Xbox Live, requiring parents to take additional steps to opt out if they don’t want their children to access them.

According to the complaint, Microsoft failed to fully comply with COPPA’s notice provisions. For example, Microsoft failed to disclose to parents all the information it collected, such as a child’s profile picture.

In addition to the monetary penalty, Microsoft will be required under the proposed order to:

• Inform parents who have not created a separate account for their child that doing so will provide additional privacy protections for their child by default;
• Obtain parental consent for accounts created before May 2021 if the account holder is still a child;
• Establish and maintain systems to delete, within two weeks from the collection date, all personal information that it collects from children for the purposes of obtaining parental consent if it has not obtained parental consent and to delete all other personal data collected from children after it is no longer necessary to fulfill the purpose for which it was collected; and
• Notify video game publishers when it discloses personal information from children that the user is a child, which will require the publishers to apply COPPA’s protections to that child.

The Commission voted 3-0 to refer the complaint and proposed federal order to the Department of Justice. The DOJ filed the complaint and stipulated order in the U.S. District Court for the Western District of Washington state.

NOTE: The Commission authorizes the filing of a complaint when it has “reason to believe” that the named defendant is violating or is about to violate the law and it appears to the Commission that a proceeding is in the public interest. Stipulated orders have the force of law when approved and signed by the District Court judge.

The lead FTC attorneys on this matter are Megan Cox and Peder Magee from the FTC’s Bureau of Consumer Protection.

This is the Commission’s third COPPA action within the last few weeks, following an announcement in mid-May against ed tech provider Edmodo and one last week involving Amazon.

The United States District Court for the Middle District of Florida, Ocala Division, issued an order permanently banning defendant Frank Romero from offering for sale or selling any protective goods or services, after granting the FTC’s motion for summary judgment.

The order also includes two monetary judgments against Romero, who has done business under the names Trend Deploy and Uvenux. The first judgment is for $989,483.69, to be returned to consumers harmed by Romero’s violations of the FTC Act and the Commission’s Mail Order Rule. The court also entered a second civil penalty judgment of $2,562.21 for Romero’s violations of the FTC Act with regards to the COVID-19 Consumer Protection Act.

In a complaint filed in June 2021, the FTC alleged that Romero preyed upon consumers’ fear of COVID-19 by advertising the availability and quick delivery of PPE, including N95 facemasks, even though he had no basis to make those promises.

The complaint stated that Romero failed to deliver PPE on time (if at all), failed to notify consumers of delayed shipments, failed to offer the cancellations and refunds required by the Commission’s Mail Order Rule, and failed to honor refund requests. When Romero eventually did deliver the products, he often sent supplies that were inferior in quality to what consumers ordered. Based on this conduct, the complaint alleged that Romero’s deceptive and unfair conduct violated the Mail Order Rule, the FTC Act, and the FTC Act with regards to the COVID-19 Consumer Protection Act.

The court found Romero violated the Mail Order Rule, the FTC Act, and the FTC Act with regards to the COVID-19 Consumer Protection Act. In issuing the order for permanent injunction, the court wrote that Romero “ha[d] no reasonable basis to expect he would be able to ship ordered merchandise to the buyer within the times he … stated within his solicitations,” “fail[ed] to ship goods within the timeframe required by [the Mail Order Rule],” “fail[ed] to allow consumers to consent to a delay in shipping or to cancel their orders and receive a prompt refund,” and “fail[ed] to provide consumers with a prompt refund” upon their request.

The court also found Romero violated the FTC Act because he lacked a reasonable basis for his claims about: 1) when his facemasks would ship, 2) whether his facemasks were certified by the National Institute for Occupational Safety and Health or the Food and Drug Administration, and 3) the filtration efficiencies possessed by his facemasks. Notably, the court found Romero lacked a reasonable basis to claim the masks he sold were proper N95 facemasks.

The final judgment and order for permanent injunction was issued by the U.S. District Court for the Middle District of Florida, Ocala Division, on May 15, 2023. The staff members on this case are Christopher Erickson and Michael Mora in the FTC’s Bureau of Consumer Protection.

The Federal Trade Commission has finalized its order against motocross and ATV parts maker Cycra and its officer, Chad James, for falsely claiming that the company’s products were manufactured in the U.S. The FTC’s order, first announced in April, 2023 would stop Cycra and James from making deceptive claims about products being “Made in USA” and require them to pay a monetary judgment.

The FTC’s order against Cycra and James includes a number of requirements about the claims the defendants make:

• Restriction on unqualified claims: The company will be prohibited from making unqualified U.S.-origin claims for any product, unless it can show that the product’s final assembly or processing—and all significant processing—takes place in the U.S., and that all or virtually all ingredients or components of the product are made and sourced in the U.S.
• Requirement for qualified claims: The company is required to include in any qualified Made in USA claims a clear and conspicuous disclosure about the extent to which the product contains foreign parts, ingredients or components, or processing.
• Requirement for assembly claims: The company must also ensure, when claiming a product is assembled in the U.S., that it is last substantially transformed in the U.S., its principal assembly takes place in the U.S., and U.S. assembly operations are substantial.

The order includes a monetary judgment of $872,577, which is partially suspended based on an inability to pay. Cycra and James will be required to pay $221,385.66.

The Commission vote to finalize the order was 3-0. The lead staff attorney on this matter was Julia Solomon Ensor in the Bureau of Consumer Protection.

The Federal Trade Commission and the Department of Justice will require Amazon to overhaul its deletion practices and implement stringent privacy safeguards to settle charges the company violated the Children’s Online Privacy Protection Act Rule (COPPA Rule) and deceived parents and users of the Alexa voice assistant service about its data deletion practices.  

According to a complaint filed by the Department of Justice on behalf of the FTC, Amazon prevented parents from exercising their deletion rights under the COPPA Rule, kept sensitive voice and geolocation data for years, and used it for its own purposes, while putting data at risk of harm from unnecessary access.

“Amazon’s history of misleading parents, keeping children’s recordings indefinitely, and flouting parents’ deletion requests violated COPPA and sacrificed privacy for profits,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “COPPA does not allow companies to keep children’s data forever for any reason, and certainly not to train their algorithms.”

Under the proposed federal court order also filed by DOJ, Amazon will be required to delete inactive child accounts and certain voice recordings and geolocation information and will be prohibited from using such data to train its algorithms. The proposed order must be approved by the federal court to go into effect.

According to the complaint, Amazon prominently and repeatedly assured its users, including parents, that they could delete voice recordings collected from its Alexa voice assistant and geolocation information collected by the Alexa app. The company, however, failed to follow through on these promises when it kept some of this information for years and used the data it unlawfully retained to help improve its Alexa algorithm, according to the complaint.

Amazon, one of the world’s biggest retailers, collects vast amounts of data about consumers ranging from their geolocation data via the company’s Alexa app to their voice recordings collected by Amazon’s Alexa voice assistant service. The company claims that its Alexa service and Echo devices are “designed to protect your privacy” and that parents and other users can delete geolocation data and voice recordings.

Amazon also offers Alexa-enabled devices and services targeted to children and collects personal data, including voice recordings, from children. Amazon retained children’s recordings indefinitely—unless a parent requested that this information be deleted, according to the complaint. And even when a parent sought to delete that information, the FTC said, Amazon failed to delete transcripts of what kids said from all its databases.

The COPPA Rule requires, among other things, that an operator of a commercial website or online service directed to children under 13 years of age notify parents about the information they collect from children, obtain parents’ consent for the collection of that data, and allow them to delete that information at any time. In addition, such a service is prohibited from retaining the information collected from children under 13 for longer than is reasonably necessary to provide the service.

Amazon claimed it retained children’s voice recordings in order to help it respond to voice commands, allow parents to review them, and to improve Alexa’s speech recognition and processing capabilities, according to the complaint. Children’s speech patterns and accents differ from those of adults, so the unlawfully retained voice recordings provided Amazon with a valuable database for training the Alexa algorithm to understand children, benefitting its bottom line at the expense of children’s privacy.

The FTC said the company failed to put in place an effective system to ensure that it honored users’ data deletion requests and to give parents meaningful notice about deletion. Even when Amazon discovered its failures to delete geolocation data, the FTC said that Amazon repeatedly failed to fix the problems.

Proposed Order

In addition to the data deletion requirement in the proposed order, Amazon will be required to pay a $25 million civil penalty. Other provisions of the proposed order:

• Prohibit Amazon from using geolocation, voice information, and children’s voice information subject to consumers’ deletion requests for the creation or improvement of any data product;
• Require the company to delete inactive Alexa accounts of children;
• Require Amazon to notify users about the FTC-DOJ action against the company;
• Require Amazon to notify users of its retention and deletion practices and controls;
• Prohibit Amazon from misrepresenting its privacy policies related to geolocation, voice and children’s voice information; and
• Mandate the creation and implementation of a privacy program related to the company’s use of geolocation information.

The Commission voted 4-0 to refer the complaint to the Department of Justice for filing. The Commission vote closed on a date prior to Commissioner Christine S. Wilson’s departure from the agency. She issued a concurring statement on the matter before departing the agency. Commissioner Alvaro Bedoya also issued a separate statement, joined by FTC Chair Lina M. Khan and Commissioner Rebecca Kelly Slaughter. 

The Department of Justice filed the complaint and the stipulated order in the U.S. District Court for the Western District of Washington.

NOTE: The Commission authorizes the filing of a complaint when it has “reason to believe” that the named defendant is violating or is about to violate the law and it appears to the Commission that a proceeding is in the public interest. Stipulated orders have the force of law when approved and signed by the District Court judge.

The lead staff attorneys on this matter are Elisa Jillson, Andy Hasty, and Julia Horwitz from the FTC’s Bureau of Consumer Protection.

Today’s announcement underscores the FTC’s commitment to protecting not only children’s privacy but the privacy of all consumers. Earlier today, the FTC announced an action against Amazon’s subsidiary, Ring, over charges that the home security camera company compromised its customers’ privacy by allowing any employee or contractor to access consumers’ private videos and by failing to implement basic privacy and security protections, enabling hackers to take control of consumers’ accounts, cameras, and videos.

The Federal Trade Commission charged home security camera company Ring with compromising its customers’ privacy by allowing any employee or contractor to access consumers’ private videos and by failing to implement basic privacy and security protections, enabling hackers to take control of consumers’ accounts, cameras, and videos.

Under a proposed order, which must be approved by a federal court before it can go into effect, Ring will be required to delete data products such as data, models, and algorithms derived from videos it unlawfully reviewed. It also will be required to implement a privacy and security program with novel safeguards on human review of videos as well as other stringent security controls, such as multi-factor authentication for both employee and customer accounts.

“Ring’s disregard for privacy and security exposed consumers to spying and harassment,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The FTC’s order makes clear that putting profit over privacy doesn’t pay.”

California-based Ring LLC, which was purchased by Amazon in February 2018, sells internet-connected, video-enabled home security cameras, doorbells, and related accessories and services. The company has marketed its products as offering greater home security and providing its users with peace of mind. For example, in promoting its indoor security cameras, which can be placed in individual rooms, Ring touts the ability of purchasers to “See your home. Away from home” alongside a picture of a Ring camera monitoring a child’s bedroom.

In a complaint, the FTC says Ring deceived its customers by failing to restrict employees’ and contractors’ access to its customers’ videos, using customer videos to train algorithms, among other purposes, without consent, and failing to implement security safeguards.

According to the complaint, these failures amounted to egregious violations of users’ privacy. For example, one employee over several months viewed thousands of video recordings belonging to female users of Ring cameras that surveilled intimate spaces in their homes such as their bathrooms or bedrooms. The employee wasn’t stopped until another employee discovered the misconduct. Even after Ring imposed restrictions on who could access customers’ videos, the company wasn’t able to determine how many other employees inappropriately accessed private videos because Ring failed to implement basic measures to monitor and detect employees’ video access.

The FTC also said Ring failed to take any steps until January 2018 to adequately notify customers or obtain their consent for extensive human review of customers’ private video recordings for various purposes, including training algorithms. Ring buried information in its Terms of Service and Privacy Policy, claiming it had a right to use recordings obtained in connection with its services for “product improvement and development,” according to the complaint.

Security failures

According to the complaint, Ring also failed to implement standard security measures to protect consumers’ information from two well-known online threats—“credential stuffing” and “brute force” attacks—despite warnings from employees, outside security researchers and media reports. Credential stuffing involves the use of credentials, such as usernames and passwords, obtained from a consumer’s breached account to gain access to a consumer’s other accounts. In a brute force attack, a bad actor uses an automated process of password guessing—for example, by cycling through breached credentials or entering well-known passwords—hundreds or thousands of times to gain access to an account.

Despite experiencing multiple credential-stuffing attacks in 2017 and 2018, Ring failed, according to the complaint, to implement common tactics—such as multifactor authentication—until 2019. Even then, Ring’s sloppy implementation of the additional security measures hampered their effectiveness, the FTC said.

As a result, hackers continued to exploit account vulnerabilities to access stored videos, live video streams, and account profiles of approximately 55,000 U.S. customers, according to the complaint. Bad actors not only viewed some customers’ videos but also used Ring cameras’ two-way functionality to harass, threaten, and insult consumers—including elderly individuals and children—whose rooms were monitored by Ring cameras, and to change important device settings, the FTC said. For example, hackers taunted several children with racist slurs, sexually propositioned individuals, and threatened a family with physical harm if they didn’t pay a ransom.

In addition to the mandated privacy and security program, the proposed order requires Ring to pay $5.8 million, which will be used for consumer refunds. The company also will be required to delete any customer videos and face embeddings, data collected from an individual’s face, that it obtained prior to 2018, and delete any work products it derived from these videos. The proposed order also will require Ring to alert the FTC about incidents of unauthorized access or exposure of its customers’ videos and to notify consumers about the FTC’s action.

The Commission voted 3-0 to authorize the staff to file the complaint and stipulated final order. The FTC filed the complaint and final order in the U.S. District Court for the District of the District of Columbia.

NOTE: The Commission files a complaint when it has “reason to believe” that the named defendants are violating or are about to violate the law and it appears to the Commission that a proceeding is in the public interest. Stipulated final orders have the force of law when approved and signed by the District Court judge.

The lead staff attorneys on this matter are Elisa Jillson, Andy Hasty, and Julia Horwitz from the FTC’s Bureau of Consumer Protection.

A federal court sided with the Federal Trade Commission, ruling that James D. Noland, Jr. illegally owned and operated two pyramid schemes—Success By Health (SBH) and VOZ Travel—in violation of the FTC Act and that Noland violated a previous federal court order barring him from pyramid schemes and from misrepresenting multilevel marketing participants’ income potential.

The FTC sued Noland (also known as Jay Noland, J.D. Noland, and J. Noland), his wife Lina Noland, Scott Harris, and Thomas Sacca, in connection with SBH in January 2020 and added charges related to VOZ Travel in September 2020. The FTC alleged that they operated the businesses as pyramid schemes, making outlandish claims that “the masses” could be making more than $1 million each month by following Noland’s system, when in fact very few consumers made any money, and most lost significant sums. 

In its ruling, the U.S. District Court for the District of Arizona found that the Nolands, Harris, and Sacca violated the FTC Act by operating SBH and VOZ Travel as pyramid schemes and using false promises of “financial freedom.” In addition, the court found Harris and Sacca were aware of the order against Noland stemming from a prior FTC case, and thus, they and Noland were in contempt of that order. In its ruling, the court cited the “sheer volume of deceptive tactics and statements associated with” both SBH and VOZ Travel.

“The court’s order holding these defendants in contempt and barring them from the multilevel marketing business should send a strong message that FTC orders should not be ignored,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The FTC will not hesitate to act with the full force of the law to protect the American public and hold recidivists accountable.”

The court also noted that Harris told an audience at one private SBH marketing event, “Is this one of those pyramid things? Hell, yeah it is. If it wasn’t, I wouldn’t be doing it. Do I look dumb enough to go get a job again?”

In addition, the court ruled that the defendants’ false claims about Noland’s own wealth in selling the pyramid schemes were “outrageous.” Noland, for example, told SBH and VOZ Travel members, “I’ve been financially free, completely time and money free since I was 36.”  In fact, as the court found, at the age of 36, Noland “was living (or was about to start living) off credit cards.” 

Additionally, although Noland told SBH and VOZ members he was a multi-millionaire, the court explained that “[i]n his January 2020 sworn financial statement, Noland reported he had a negative net worth.” Similarly, at a deposition in this case, “Noland was unable to identify a time he ever had a positive net worth.”

The defendants used these and other false claims to boost their promises that SBH affiliates would achieve their own financial freedom, like becoming millionaires, or having an income stream of $20,000 per month. Instead, the court found “the great majority of SBH affiliates were net losers” of money, and “the few who may have eked out a net positive outcome did not obtain anything close to the ‘financial freedom’ that was being offered.”  The court, for example, found that one “top retailer” in SBH earned less from those sales “than what an individual would earn from a full-time minimum wage job.”

The court’s ruling permanently bans Noland, his wife Lina Noland, Harris and Sacca from any participation in multi-level marketing. In its ruling, the court said they “…have found themselves to be utterly incapable of operating an MLM business in a lawful manner.”

The ruling also imposes a $7.3 million judgment on Noland, Harris, and Sacca, the full amount sought by the FTC. Any amount recovered by the FTC will be used to redress consumers. The court also found that the defendants committed multiple “acts of dishonesty,” including “destroying evidence, violating court orders, giving false under-oath testimony, and taking no accountability for the misconduct after being caught.”

The FTC’s suit against SBH and VOZ Travel also named a number of corporate entities behind the two pyramid schemes; the case against those entities is ongoing. The FTC has extensive information and guidance for consumers about multi-level marketing and pyramid schemes on its website, as well as guidance for businesses.