Microsoft has agreed to pay a $20 million penalty to settle charges brought by the U.S. Federal Trade Commission (FTC) that the company unlawfully collected and stored data from children who used its Xbox video game console without parental consent. The settlement aims to enhance privacy protections for children and ensure compliance with the Children’s Online Privacy Protection Act (COPPA).
The proposed settlement requires Microsoft to update its account creation process for children, ensuring that data collection is prevented unless parental consent is obtained. If consent is not provided, the collected information must be deleted within two weeks. The privacy safeguards also extend to third-party gaming publishers that receive children’s data from Microsoft. Biometric data and avatars created from children’s faces will be subject to privacy laws as well.
The FTC found that Microsoft violated COPPA by requesting personal information from children under the age of 13, such as their names, email addresses, dates of birth, and phone numbers, until late 2021. Until 2019, the company also shared user data with advertisers by default when users consented to Microsoft’s service agreement and advertising policy.
Microsoft’s account creation process allowed data collected from children to be retained for an extended period, even when parents did not complete the signup process. This practice violated U.S. child privacy laws. Additionally, the company generated unique persistent identifiers for underage accounts and shared them with third-party game and app developers. Parents had to opt out to prevent their children from accessing these third-party games and apps on Xbox Live.
In response to the allegations, Xbox stated that it is implementing measures to improve age verification systems and involve parents in the creation of child accounts, but did not provide specific details.
The FTC’s fine against Microsoft follows a similar case involving Fortnite developer Epic Games, which settled with the agency for $520 million over COPPA violations. Microsoft is also facing potential fines of around $425 million from the Irish Data Protection Commission over possible violations of the European Union General Data Protection Regulation.
Recently, the FTC also imposed a total fine of $30.8 million on Amazon due to privacy breaches related to its Alexa assistant and Ring security cameras.
Overall, the settlement between Microsoft and the FTC highlights the importance of protecting children’s privacy online and enforcing compliance with regulations such as COPPA.