Microsoft has agreed to pay a $20 million fine to settle charges that it illegally collected and retained the personal data of children who used its Xbox gaming system without their parents' consent. The Federal Trade Commission (FTC) announced the settlement on Monday, saying that Microsoft violated the Children's Online Privacy Protection Act (COPPA), which limits data collection on kids under 13.
According to the FTC, Microsoft collected personal information from children who signed up for Xbox accounts, such as their names, dates of birth, email addresses, avatars, biometric data and health information, without notifying their parents or obtaining their verifiable consent.
The FTC also alleged that Microsoft failed to delete the children's data in cases where the account creation process was not completed by the parents, and instead retained the data for up to 14 days.
The settlement requires Microsoft to take steps to improve its privacy protections for child users of Xbox, such as updating its age verification systems, notifying parents about data collection practices and obtaining parental consent before sharing children's data with third-party gaming publishers. Microsoft also has to delete any children's data that it collected and retained in violation of COPPA.
Microsoft's Apology and Commitment to Change
In a blog post, Microsoft's corporate vice president for Xbox, Dave McCarthy, said the company had identified and fixed a technical glitch that caused the data retention issue, and apologized for any inconvenience caused to customers.
“We recently entered into a settlement with the U.S. Federal Trade Commission (FTC) to update our account creation process and resolve a data retention glitch found in our system. Regrettably, we did not meet customer expectations and are committed to complying with the order to continue improving upon our safety measures. We believe that we can and should do more, and we'll remain steadfast in our commitment to safety, privacy, and security for our community.
“COPPA is a federal law that requires online services and websites directed to children under 13 to notify parents about the personal information they collect and to obtain verifiable parental consent before collecting and using any personal information of the children.”