Microsoft to pay $20 million for violation of children's privacy on the Internet on Xbox
Microsoft violated the Children's Online Privacy Protection Act (COPPA), a US federal law designed to protect the privacy of children under the age of 13 online. Young gamers were profiled without their parents' consent, and the data was stored for years, even for incomplete accounts.
Microsoft and the Federal Trade Commission (FTC) reached a settlement over COPPA violations on the Xbox platform, as the Redmond-based company collected and stored children's data for years, despite federal protections for underage Internet users. The fine imposed on Microsoft is small (only $20 million), but the US agency said that the settlement could be a "turning point" in COPPA compliance.
Xbox Live is an online gaming network used by millions of gamers, many of whom are under the age of 13, the FTC said. The federal agency investigated Microsoft and found three different ways in which the company violated COPPA: Microsoft collected personal information of underage gamers before notifying their parents and obtaining parental consent; failed to notify parents of the information collected, why it was collected, and that it was disclosed to third parties; and retained children's personal information "for longer than reasonably necessary."
Until 2019, minors who registered on the Xbox online gaming service were asked to confirm (using a pre-filled checkbox) their permission to transfer data to third-party advertisers. According to the FTC, the children's personal data (name, email address, phone number, date of birth, etc.) was collected before the parents completed the account creation process, and it was stored even if the parents ultimately refused to register.
The settlement with the FTC will force Microsoft to notify parents and obtain consent for accounts created before May 2021. The company will also have to create new systems designed to delete children's personal information collected without parental consent, ensuring that such information is deleted when it is no longer needed for Xbox-related online services.
According to the FTC, the proposed settlement with Microsoft ensures that parents will have an easy way to protect their children's privacy on Xbox while limiting the information that Microsoft can collect and store about young gamers. According to Samuel Levin of the FTC's Bureau of Consumer Protection, the agreement should make it clear that children's avatars, biometric data, and medical information "are not excluded from COPPA's protections."