As it currently deals with the US Federal Trade Commission (FTC) regarding its attempted purchase of Activision Blizzard, Microsoft has another problem on its hands. Microsoft has been fined $20 million for illegally collecting the personal data of children via Xbox.
According to a statement released by the FTC, Xbox’s sign-up process is in violation of the Children’s Online Privacy Protection Act (COPPA). The FTC also says Microsoft was “illegally retaining children’s personal information”.
“Our proposed order makes it easier for parents to protect their children’s privacy on Xbox, and limits what information Microsoft can collect and retain about kids,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, in the announcement of the fine. “This action should also make it abundantly clear that kids’ avatars, biometric data, and health information are not exempt from COPPA.”
According to the FTC, the issue at hand was taken care of back in 2021. Prior to that, a child under the age of 13 was required to provide personal information such as a phone number. Up until 2019, children were also subject to a “pre-checked box allowing Microsoft to send promotional messages and to share user data with advertisers”.
In its response to the fine levied by the FTC, Microsoft says it has a “fundamental commitment” to making sure its players have a secure experience. As for the specific issue of children’s data retention, CVP of Xbox Player Services Dave McCarthy blamed it on a “glitch” in the system.
“During the investigation, we identified a technical glitch where our systems did not delete account creation data for child accounts where the account creation process was started but not completed,” he said.
In addition to the $20 million fine, Microsoft will have to adhere to the following, per the FTC:
- Inform parents who have not created a separate account for their child that doing so will provide additional privacy protections for their child by default;
- Obtain parental consent for accounts created before May 2021 if the account holder is still a child;
- Establish and maintain systems to delete, within two weeks from the collection date, all personal information that it collects from children for the purposes of obtaining parental consent if it has not obtained parental consent and to delete all other personal data collected from children after it is no longer necessary to fulfill the purpose for which it was collected; and
- Notify video game publishers when it discloses personal information from children that the user is a child, which will require the publishers to apply COPPA’s protections to that child.
What do you make of the $20 million fine against Microsoft for illegal data collection on Xbox?