The FTC has announced that it’s imposing a $20 million USD (approximately $30 million AUD) fine on Microsoft for wrongfully collecting the personal information of children through its Xbox user sign-ups without the consent of parents, as well as illegally retaining it, thereby violating the Children’s Online Privacy Protection Act (COPPA).
The order comes as the FTC says that up until 2021, the Xbox sign-up process asked users to enter personal information, including their first and last name, email address and date of birth, before the system would identify whether or not they were under 13 and require parental consent to continue creating an account. It also says that prior to 2019 users could even check a box to consent to have this information shared with advertisers, and that between 2015 and 2020 Microsoft was retaining the information entered this way for years at a time, even if the parent refused to finalise the account creation.
On top of the fine, Microsoft was also ordered to:
Inform parents who have not created a separate account for their child that doing so will provide additional privacy protections for their child by default;
Obtain parental consent for accounts created before May 2021 if the account holder is still a child;
Establish and maintain systems to delete, within two weeks from the collection date, all personal information that it collects from children for the purposes of obtaining parental consent if it has not obtained parental consent and to delete all other personal data collected from children after it is no longer necessary to fulfill the purpose for which it was collected; and
Notify video game publishers when it discloses personal information from children that the user is a child, which will require the publishers to apply COPPA’s protections to that child.
“Our proposed order makes it easier for parents to protect their children’s privacy on Xbox, and limits what information Microsoft can collect and retain about kids,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “This action should also make it abundantly clear that kids’ avatars, biometric data, and health information are not exempt from COPPA.”
For its part, Microsoft has been remedying the issues laid out in the order since 2021 and has just published a statement on its Xbox Wire portal where it says that it’s “reimagining the future of safety on Xbox,” which includes having updated its account creation process to a standard that so happens to be more compliant with the FTC orders. It also says that the retention of children’s data was a “glitch” and that the information was never shared or used and has since been deleted.
Part of the post reads, “We recently entered into a settlement with the U.S. Federal Trade Commission (FTC) to update our account creation process and resolve a data retention glitch found in our system. Regrettably, we did not meet customer expectations and are committed to complying with the order to continue improving upon our safety measures. We believe that we can and should do more, and we’ll remain steadfast in our commitment to safety, privacy, and security for our community.”
Microsoft says that above and beyond the changes it made in the flow of its user sign-ups to comply with regulations, it’s working on introducing “next generation” identity and age verification technology. You can read the full statement here.