Microsoft has agreed to pay a $20 million fine to settle US Federal Trade Commission (FTC) claims that the company illegally collected and stored data on children who signed up to use the Xbox video game console without their parents’ knowledge or consent.
“Our proposed directives make it easier for parents to protect the privacy of their children on Xbox, and limit the information Microsoft can collect and store about children,” Samuel Levine of the FTC said. “The act should also make it clear that children’s avatars, biometric data and health information are not exempt from COPPA.”
As part of the proposed settlement, which is pending court approval, Redmond has been ordered to update its account creation process for children to prevent data collection and storage, including obtaining parental consent and deleting such information within two weeks if consent is not obtained.
The privacy protections also extend to third-party game publishers who share children’s data with Microsoft, and they bring biometric information and avatars created from children’s faces under the same privacy rules.
Microsoft, according to the FTC, violated COPPA’s consent and data retention requirements by requiring users under the age of 13 to provide their first and last name, email address, date of birth and telephone number until the end of 2021.
Furthermore, the maker of Windows is said to have shared user data with advertisers by default until 2019, once a user agreed to Microsoft’s service agreement and advertising policies.
“Only after a user provides this personal information does Microsoft ask anyone who indicates they are under 13 to involve their parents,” the FTC said. “The child’s parent must then complete the account creation process before the child can get an account of their own.”
However, Microsoft retained data collected from children during the account creation step for years, even in cases where parents did not complete the registration process, thereby violating US child privacy laws.
The company is further accused of creating unique persistent identifiers for underage accounts, sharing that information with third-party game and app developers, and explicitly asking parents to opt out of preventing their children from accessing third-party games and apps on Xbox Live.
Xbox, in response, said it was taking additional steps to improve its age verification system and to ensure that parents are involved in creating a child’s account for the service. It did not say specifically what the system will look like.
It also blamed some of the issues on a technical glitch that failed to “delete account creation data for child accounts where the account creation process was initiated but not completed,” stressing that the data was immediately deleted once discovered and was never “used, shared, or monetized.”
This isn’t the first time a video game maker has been fined by the FTC for COPPA violations. In December 2022, Fortnite developer Epic Games reached a $520 million settlement with the agency in part for violating online privacy laws for children.
The fine comes as Microsoft disclosed that it anticipates a fine of up to “approximately $425 million” from the Irish Data Protection Commission (DPC) in the fourth quarter of 2023 for potentially violating the European Union’s General Data Protection Regulation (GDPR) by serving targeted ads to LinkedIn users.
The development also comes as the FTC levied a cumulative fine of $30.8 million on Amazon over a series of privacy breaches involving the Alexa assistant and Ring’s security cameras.