Microsoft to pay $20 million over children's data storage

Microsoft to pay $20 million over children's data storage

Microsoft has agreed to pay $20 million for improperly collecting personal data from Xbox users under the age of 13.

The Department of Justice (DoJ), on behalf of the US Federal Trade Commission (FTC), filed a complaint accusing the company of violating the US Children's Online Privacy Protection Act (COPPA).

The complaint alleges that Microsoft collected and stored children's data, and did so without obtaining consent from their parents.

According to COPPA regulations, for-profit companies must notify parents before storing information on children under the age of 13 "for longer than is reasonably necessary to fulfill the purpose for which it was collected".

Parents must also have the option to prevent the sharing of such information with third parties.

In order to access Xbox games and utilise services like Xbox Live, users are required to create an account and provide personal information such as their full name, place of birth and email address.

The FTC's investigation revealed that between 2015 and 2020, Microsoft only prompted users under the age of 13 to have their parents complete the account creation process after they had provided their personal information.

The company stored such data regardless of whether the parents had completed the registration process. This means that Microsoft retained children's data even without parental consent or completion of the registration process.

The FTC further highlighted that Microsoft combines a user's gamertag with a unique identifier, which it could potentially share with third-party developers, even for accounts owned by users under the age of 13.

FTC orders Microsoft to boost child protection

Microsoft must now implement measures to enhance privacy safeguards for child Xbox users.

As part of the changes, the tech giant will be required to modify its account creation process for underage users.

The company has already updated the process by asking for a user's date of birth before anything else. If necessary, Microsoft will then ask for parental consent before requesting any further identifiable information.

Additionally, Microsoft will ask underage users who created an account prior to May 2021 to have their parents re-verify their account in the coming months.

Microsoft will extend the protections outlined in COPPA to third-party gaming publishers with whom it shares children's data.

"Our proposed order makes it easier for parents to protect their children's privacy on Xbox, and limits what information Microsoft can collect and retain about kids," said Samuel Levine, director of the FTC's Bureau of Consumer Protection.

"This action should also make it abundantly clear that kids' avatars, biometric data and health information are not exempt from COPPA."

A spokesperson from Microsoft said the company is fully committed to complying with the order.

The spokesperson said that the retention of information on users who didn't complete the sign-up process was a "data retention glitch found in our system."

The company is now actively working on developing a new identification and age validation system.

"Regrettably, we did not meet customer expectations and are committed to complying with the order to continue improving upon our safety measures," Microsoft's Dave McCarthy, CVP of Xbox Player Services, wrote in an Xbox blog post.

The $20 million settlement must be approved by a federal court before it takes effect.

This is just the latest FTC fine involving video game companies and alleged COPPA violations.

Last year, Fortnite developer Epic Games agreed to pay a $520 million FTC fine, $275 million of which related to COPPA violations.

Last week, Amazon agreed to pay the FTC an amount exceeding $30 million, to settle allegations of privacy violations within its Alexa and Ring divisions.