Microsoft fined $20M for Xbox collection of kids’ data

The Federal Trade Commission (FTC) has fined Microsoft $20 million in a settlement over the alleged violations of the Childrens’ Online Privacy Protection Act (COPPA).

The FTC said that Microsoft illegally collected and stored the personal information of underage Xbox users as part of their account registration process.

Gamers, including those under 13, were required to provide their email address, their first and last name, their birth date, and, until late 2021, their phone number to sign up.

This was done without first notifying underage users’ parents and getting their consent, according to the FTC.

“Only after gathering that raft of personal data from children did Microsoft get parents involved in the process,” the agency said.

Even if it did not ultimately get parental consent, the company still kept this data for longer than was “reasonably necessary,” which was the case between 2015 and 2020, according to the FTC.

Until 2019, underage Xbox users were also required to consent to the company’s service agreement that included a “pre-checked box allowing Microsoft to send them promotional messages and to share user data with advertisers.”

Microsoft blamed a data retention glitch for the situation and said that it had since been fixed, while the data was “never used, shared, or monetized.” The company said it would comply with the FTC order to bolster privacy protections for kids.

“Regrettably, we did not meet customer expectations,” it said in an Xbox blog post.

In addition to the $20 million fine, Microfost will have to tighten parental controls for child accounts and make additional changes to its sign-up and data collection practises for users under 13.

It will also need to notify video game publishers if they have provided information about an account belonging to a child under 13, and the publisher will then be required to apply COPPA protections to that account.

The settlement agreement also sets a precedent that avatars, biometric data, and health information are not exempt from COPPA regulations, the FTC said.