Microsoft has agreed to pay a penalty of $20 million to settle U.S. Federal Trade Commission (FTC) charges that the company illegally collected and retained the data of children who signed up to use its Xbox video game console without their parents’ knowledge or consent.
“Our proposed order makes it easier for parents to protect their children’s privacy on Xbox, and limits what information Microsoft can collect and retain about kids,” FTC’s Samuel Levine said. “This action should also make it abundantly clear that kids’ avatars, biometric data, and health information are not exempt from COPPA.”
As part of the proposed settlement, which is pending court approval, Redmond has been ordered to update its account creation process for children to prevent the collection and storage of data, including obtaining parental consent and deleting said information within two weeks if approval is not obtained.
The privacy protections also extend to third-party gaming publishers with whom Microsoft shares children’s data, in addition to subjecting biometric information and avatars created from a children’s faces to the privacy laws.
Microsoft, per the FTC, violated COPPA’s consent and data retention requirements by requiring those under 13 to provide their first and last names, email addresses, dates of birth, and phone numbers until late 2021.
Furthermore, the Windows maker is said to have shared the user data with advertisers by default until 2019 when consenting to Microsoft’s service agreement and advertising policy.
“It wasn’t until after users provided this personal information that Microsoft required anyone who indicated they were under 13 to involve their parent,” the FTC said. “The child’s parent then had to complete the account creation process before the child could get their own account.”
Microsoft, however, chose to retain data collected from children during the account creation step for years even in scenarios where a parent did not complete the signup process, thereby contravening child privacy laws in the U.S.
The company has further been accused of creating a unique persistent identifier for underage accounts and sharing that information with third-party game and app developers and explicitly requiring parents to opt out in order to prevent their children from accessing third-party games and apps in Xbox Live.
Xbox, in response, said it’s taking additional steps to improve its age verification systems and to ensure that parents are involved in the creation of child accounts for the service. It did not disclose the exact specifics of what such a system may be.
🔐 Mastering API Security: Understanding Your True Attack Surface
Discover the untapped vulnerabilities in your API ecosystem and take proactive steps towards ironclad security. Join our insightful webinar!
Join the Session
It also blamed some of the issues to a technical glitch that failed to “delete account creation data for child accounts where the account creation process was started but not completed,” emphasizing that the data was promptly deleted and never “used, shared, or monetized.”
This is not the first time a video game maker has been fined by the FTC over COPPA violations. In December 2022, Fortnite developer Epic Games reached a $520 million settlement with the agency in part for flouting online privacy laws for children.
The fines come as Microsoft disclosed it anticipates fines to the tune of “approximately $425 million” from the Irish Data Protection Commission (DPC) in the fourth quarter of 2023 for potentially violating the European Union General Data Protection Regulation (GDPR) to serve targeted ads to LinkedIn users.
The development also comes close on the heels of the FTC levying Amazon a cumulative $30.8 million fine over a series of privacy lapses regarding its Alexa assistant and Ring security cameras.