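Translator | 李凡 (Li Fan), master's, Renmin University of China
First review | 陈思源 (Chen Siyuan), master's, Peking University
Second review | 张亦衡 (Zhang Yiheng), undergraduate, University of Southern California
Editor | 戚琳颖 (Qi Linying), undergraduate, Dalian Maritime University
Managing editor | 李薇 (Li Wei), undergraduate, Zhejiang Gongshang University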
Microsoft Sued by the U.S. Federal Trade Commission for Illegally Collecting Children's Data
Contents
I. Overview
II. Principal legal basis
III. Outcome of case
I. Overview
The U.S. Federal Trade Commission (hereinafter “FTC”) filed suit against Microsoft under the Children's Online Privacy Protection Rule (hereinafter “COPPA”) over its illegal collection of children's data. The case was filed in the U.S. District Court for the Western District of Washington. The parties have now reached a settlement: Microsoft will pay $20 million in exchange for the FTC dropping its charges that the company violated COPPA.
In connection with its Xbox Live online service and related products, Defendant Microsoft Corporation (“Microsoft” or “Defendant”) collected personal information from children under the age of 13 (hereinafter “children”) without complying with the COPPA Rule’s requirements. Defendant collected personal information from children before notifying parents and obtaining parental consent. Defendant also failed to tell parents about what information it collected from children, and why, and failed to notify parents that it discloses some of this information to third parties. In addition, Defendant retained personal information from children longer than necessary, putting children’s data at risk for uses outside parents’ reasonable expectations and for compromise by unauthorized third parties.
Microsoft’s Xbox gaming products allow users to play and chat with other players through its Xbox Live service. To access and play games on an Xbox console or use any of the other Xbox Live features, users must create an account, which requires users to provide personal information including their first and last name, email address and their date of birth. Even when a user indicated that they were under 13, they were also asked, until late 2021, to provide additional personal information including a phone number and to agree to Microsoft’s service agreement and advertising policy, which until 2019 included a pre-checked box allowing Microsoft to send promotional messages and to share user data with advertisers, according to the complaint.
It wasn’t until after users provided this personal information that Microsoft required anyone who indicated they were under 13 to involve their parent. The child’s parent then had to complete the account creation process before the child could get their own account. According to the complaint, from 2015-2020 Microsoft retained the data—sometimes for years—that it collected from children during the account creation process, even when a parent failed to complete the process. COPPA prohibits retaining personal information about children for longer than is reasonably necessary to fulfill the purpose for which it was collected.
After a child makes an account, they can create a profile that will include their “gamertag,” which is the primary identifier visible to the user and other Xbox Live users, and can also upload a picture or include an avatar, which is a figure or image that represents the user. According to the complaint, Microsoft combined this information with a unique persistent identifier it creates for each account holder, even children, and could share this information with third-party game and app developers. Microsoft allowed—by default—all users, including children, to play third-party games and apps while using Xbox Live, requiring parents to take additional steps to opt out if they don’t want their children to access them.
II. Principal legal basis
Congress enacted COPPA in 1998 to protect the safety and privacy of children by prohibiting the unauthorized or unnecessary collection of children’s personal information online by operators of Internet websites and online services. COPPA directed the Commission to promulgate a rule implementing COPPA. The Commission promulgated the COPPA Rule on November 3, 1999, under Section 1303(b) of COPPA, 15 U.S.C. § 6502(b), and Section 553 of the Administrative Procedure Act, 5 U.S.C. § 553. The Rule went into effect on April 21, 2000. The Commission promulgated revisions to the Rule that went into effect on July 1, 2013. Pursuant to Section 1303(c) of COPPA, 15 U.S.C. § 6502(c), and Section 18(d)(3) of the FTC Act, 15 U.S.C. § 57a(d)(3), a violation of the Rule constitutes an unfair or deceptive act or practice in or affecting commerce, in violation of Section 5(a) of the FTC Act, 15 U.S.C. § 45(a).
The COPPA Rule applies to any operator of a commercial website or online service directed to children and to any operator of a commercial website or online service that has actual knowledge that it is collecting or maintaining personal information from children. The Rule requires an operator to meet specific requirements before collecting online, using, or disclosing personal information from children, including but not limited to:
a. Providing clear, understandable, and complete notice of its information practices, including specific disclosures, directly to parents;
b. Posting a prominent and clearly labeled link to an online notice of its information practices with regard to children at specific locations of the website or online service and including in that notice specific disclosures set forth in the Rule, including what information the operator collects from children online, how it uses such information, and its disclosure practices for such information;
c. Obtaining verifiable parental consent before collecting, using, and/or disclosing personal information from children; and
d. Retaining personal information collected from children online only as long as is reasonably necessary to fulfill the purpose for which the information was collected.
The FTC contends:
Defendant Failed to Provide Notice and Obtain Verifiable Parental Consent Before Collecting Personal Information from Children
Section 312.4(a) of the COPPA Rule requires covered operators to provide notice and obtain verifiable parental consent before collecting, using, or disclosing personal information from children. As described in Paragraph 15, Defendant learned that certain users were children after they provided their birthdates in the first step of the account creation process but went on to request phone numbers from the children, before seeking to involve a parent.
Nothing in the Rule permits an operator to collect a child’s telephone number, as opposed to online contact information, without first obtaining verifiable parental consent. 16 C.F.R. § 312.5(c)(1) and (6).
Defendant’s Post-Collection Notice and Verifiable Parental Consent Process Were Deficient
After collecting personal information from the child in violation of the Rule, Defendant suggested that the child seek parental involvement. Through at least April 2021, Defendant then provided a limited notice of its information practices. This notice failed, however, to meet the requirements of the Rule. 16 C.F.R. § 312.4. Defendant’s failure to ensure parents received adequate notice about its collection, use, and disclosure practices concerning children’s personal information violated the COPPA Rule.
Section 312.4(a) of the COPPA Rule requires that notice to parents “must be clearly and understandably written, complete, and must contain no unrelated, confusing, or contradictory materials.” Section 312.4(b) requires covered operators to make reasonable efforts to ensure that a parent of a child receives direct notice of the operator’s practices with regard to the collection, use, or disclosure of personal information from children before collecting personal information from children.
Through at least April 2021, Defendant’s notice failed to include the information required by Section 312.4(b) of the COPPA Rule. For example, the direct notice failed to describe Defendant’s collection and use practices with regard to personal information collected from children and instead directed parents to the company’s online notice of its information practices (the “Privacy Statement”). The direct notice also did not disclose to parents that Defendant intended to collect such personal information as images that could contain a child’s likeness.
Section 312.4(d) of the COPPA Rule requires covered operators to post a prominent and clearly labeled link to an online privacy notice in various places, including at each point that Defendant collects personal information from children.
Until at least 2019, Defendant’s Privacy Statement was incomplete. It contained a section entitled “Collection of data from children”; however, this section did not describe what personal information Defendant collected from children or Defendant’s use and disclosure practices for personal information collected from children as required by the COPPA Rule. Instead, the section discussed Defendant’s information practices regarding Microsoft products and children generically.
Defendant Retained Personal Information Collected from Children Longer Than Reasonably Necessary for the Purpose for Which It Was Collected
Section 312.10 of the COPPA Rule requires that Defendant retain personal information collected from children for only as long as reasonably necessary to fulfill the purpose for which it was collected. If children’s personal information is collected for the purposes of providing notice and obtaining verifiable parental consent, and if the operator does not obtain parental consent after a reasonable time from the date the information was collected, 16 C.F.R. § 312.5(c)(1) requires the operator to delete the information from its records. From 2015 until at least October 2020, as described in Paragraph 20, Defendant indefinitely retained, in many instances for years, children’s personal information collected during account creation when the account process was not completed.
III. Outcome of case
Defendant is ordered to pay to Plaintiff, by making payment to the Treasurer of the United States, twenty million dollars ($20,000,000).
In addition to the monetary penalty, Microsoft will be required under the proposed order to:
Inform parents who have not created a separate account for their child that doing so will provide additional privacy protections for their child by default;
Obtain parental consent for accounts created before May 2021 if the account holder is still a child;
Establish and maintain systems to delete, within two weeks from the collection date, all personal information that it collects from children for the purposes of obtaining parental consent if it has not obtained parental consent and to delete all other personal data collected from children after it is no longer necessary to fulfill the purpose for which it was collected; and
Notify video game publishers when it discloses personal information from children that the user is a child, which will require the publishers to apply COPPA’s protections to that child.
Original link:
https://www.ftc.gov/news-events/news/press-releases/2023/06/ftc-will-require-microsoft-pay-20-million-over-charges-it-illegally-collected-personal-information