Microsoft has been fined by the US Federal Trade Commission (FTC) for illegally collecting and retaining children’s personal data. The company attributed the issue to a technical glitch, but agreed to take steps to improve protection measures for Xbox users.
On June 5, the FTC announced that Microsoft will have to pay $20 million to settle charges related to violating the Children’s Online Privacy Protection Act (COPPA), a federal law aimed at regulating the collection of personal data from kids under 13 years old by US-based companies and protecting children’s privacy.
According to the regulator, Microsoft has been for years collecting personal information from underage Xbox users without notifying their parents or obtaining their parents’ consent. From 2015 to 2020, the company also retained the data, sometimes for years, obtained during the account creation process. It was stored even when a parent failed to complete the process, which is also a COPPA violation.
Until late 2021, kids under 13 years old were asked to provide their phone number and to agree to Microsoft’s service agreement and ad policy. And until 2019, there was also a pre-checked box, which allowed the corporation to share user data with advertisers and send promotional messages.
In addition to the $20 million fine, Microsoft is also required to take certain steps to improve privacy protection measures for underage Xbox users. So the company will have to:
- Inform parents about the importance of creating a separate account for their child;
- Obtain parental consent for accounts created before May 2021;
- Delete all personal data collected from kids before obtaining parental consent within two weeks from the collection date and delete all personal information after it is no longer necessary;
- Notify third-party game publishers with whom Microsoft shares children’s data so that they also comply with COPPA rules.
How did Microsoft react to the FTC order?
- On the official Xbox wesbite, Microsof noted that it had conducted its own investigation and found out that its systems retained account creation data due to a “technical glitch.”
- “Our engineering team took immediate action: we fixed the glitch, deleted the data, and implemented practices to prevent the error from recurring,” the statement reads. “The data was never used, shared, or monetized.”
- Microsoft is now also working on the “next-generation identity and age validation” system, which will allow it to provide customized, safe, and age-appropriate services and experiences for different user groups.
Microsoft is not the first video game company that has been fined for collecting children’s personal data. In December 2022, the FTC ordered Epic Games to pay $275 million for violating COPPA and another $245 million to refund users affected by its “dark patterns and billing practices.”