Microsoft has agreed to pay $20 million to U.S. regulators for violating the Children’s Online Privacy Protection Act (COPPA).
The violation involved the computer giant collecting and retaining personal information from children who set up an Xbox account before obtaining permission from their parents.
As part of the settlement with the Federal Trade Commission (FTC), Microsoft has agreed to enact measures aimed at enhancing privacy protections for children using its Xbox platform, such as rolling out a new account creation process and eliminating a glitch that resulted in data being retained for longer than it should have been.
Commenting on the case, Samuel Levine, director of the FTC’s Bureau of Consumer Protection, said its proposed measures “makes it easier for parents to protect their children’s privacy on Xbox, and limits what information Microsoft can collect and retain about kids.”
Levine added: “This action should also make it abundantly clear that kids’ avatars, biometric data, and health information are not exempt from COPPA.”
The FTC explained that to access and play games on an Xbox console or use any of the other Xbox Live features, users must first create an account. This requires the submission of personal information including first and last name, email address, and date of birth.
Until late 2021, even if a user indicated that they were under 13 years of age, they were also asked to provide a phone number and to agree to Microsoft’s terms and conditions, which until 2019 included a pre-checked box allowing the tech company to send promotional messages and to share user data with advertisers.
It was only after users gave this personal information that Microsoft required those indicating they were under 13 to ask a parent to finish the account creation process.
“From 2015-2020, Microsoft retained the data — sometimes for years — that it collected from children during the account creation process, even when a parent failed to complete the process,” the FTC said. “COPPA prohibits retaining personal information about children for longer than is reasonably necessary to fulfill the purpose for which it was collected.”
Responding to the case, Microsoft’s Dave McCarthy, CVP of Xbox Player Services, wrote in an online post: “Regrettably, we did not meet customer expectations and are committed to complying with the order to continue improving upon our safety measures. We believe that we can and should do more, and we’ll remain steadfast in our commitment to safety, privacy, and security for our community.”
Microsoft’s settlement follows an even bigger one involving Epic Games at the end of last year, which saw it pay the FTC $275 million over COPPA violations.
It also comes a few days after Amazon agreed to pay the FTC $25 million over allegations that it violated children’s privacy rights by keeping recordings of voice interactions with Alexa for years after they were made, along with location history.