Microsoft will pay $20 million to settle charges of unlawfully collecting personal information from children without parental consent, the U.S. Federal Trade Commission (FTC) announced.
The FTC stated that Microsoft violated the Children’s Online Privacy Protection Act (COPPA) by gathering personal data from children who signed up for its Xbox gaming system without informing or obtaining consent from their parents. Microsoft retained children’s personal information, which further breached COPPA regulations.
Microsoft is required to implement measures to enhance privacy protections for child users of its Xbox system. The company will also extend COPPA safeguards to third-party gaming publishers with whom it shares children’s data, as specified by the FTC.
A Microsoft spokesperson expressed the company’s commitment to complying with the settlement. They highlighted that the account creation process would be updated, and a data retention glitch within Microsoft’s system would be addressed.
Samuel Levine, the director of the FTC’s Bureau of Consumer Protection, emphasized the significance of the proposed order in facilitating parental protection of children’s privacy on Xbox. Levine clarified that children’s avatars, biometric data, and health information are not exempt from COPPA regulations.
Microsoft retained the data collected from children during the account creation process between 2015 and 2020, even when parental completion of the process was absent. COPPA mandates that online services and websites directed towards children under 13 inform parents about the personal information they collect and obtain verifiable parental consent prior to collecting and using any such information.
This is the Commission’s third COPPA action within the last few weeks, following an announcement in mid-May against ed tech provider Edmodo and one last week involving Amazon.
