FTC fines Microsoft $20m for unlawfully gathering children’s personal details
As part of its COPPA settlement, Microsoft has pledged to develop a “next-generation identity and age recognition” system.
At a glance
- For violating the Children’s Online Privacy Protection Act, Microsoft will pay $20 million.
- Users of Xbox who were younger than 13 years old were prompted to provide personal information before their parents were notified.
- The owner of the platform is contacting all minors who signed up for an account before May 2021 in an effort to verify parental consent.
After an investigation by the FTC found that Microsoft had been illegally collecting personal information of children who used Xbox systems without parental consent, the company was fined $20 million.
According to the FTC, Xbox’s collection and unlawful storage of this data constitutes a violation of the Children’s Online Privacy Protection Act.
The Department of Justice, acting on behalf of the FTC, has presented a proposed order that would punish Microsoft and require it to take steps to improve the Xbox platform’s protection of children’s privacy. This will involve expanding Microsoft’s COPPA protections to include any external publishers with whom the company collaborates.
Even though Microsoft has revealed some of the adjustments it has already made, the order won’t go into effect unless it’s approved by a federal court.
The FTC’s initial complaint centred on the fact that in order to play Xbox games, users must first create an account, during which they are required to provide personal information such as their first and last name, date of birth, and e-mail address. Only after this data had been provided did Microsoft reveal that an adult's permission was needed to complete the process if the user is under 13.
Microsoft revealed it would require players to enter their birthdays as part of the account creation process. If the user is younger than 13, parental consent should be obtained before collecting personal information such as a phone number or email address.
According to the FTC’s complaint, Microsoft kept the data it obtained from children during the account creation process from 2015 until 2020, even if a parent did not finish the process. Personal data may not be kept “for longer than is fairly required to meet the function for which it was gathered,” as stated by the Commission and in accordance with COPPA.
Microsoft has attributed this to a “technical problem” that prevented its systems from wiping data for child accounts whose creation was never completed. Microsoft has taken steps to ensure this doesn’t happen again after discovering the issue and erasing the affected data.
The Xbox team further emphasised that this data was “never utilised, shared, or monetised.”
Microsoft has confirmed it will comply with the FTC’s request that it obtain parental consent for any and all child accounts created before May 2021 for users who are still under the age of 13.
Microsoft has also vowed to improve its infrastructure by creating a “next-generation identity and age recognition” system that is a “practical, secure, one-time procedure.”
In the following months, the platform owner will assess innovative methods for confirming users’ ages and collect input to help improve these systems.