The US Federal Trade Commission has announced that Microsoft will pay a $20 million fine to settle issues related to collecting personal information from children on its Xbox consoles and services. According to the FTC, Microsoft violated the Children’s Online Privacy Protection Act by collecting personal information from children on the Xbox service without getting permission from their parents and retaining that personal info.
The FTC's statement says the issues began with Microsoft's Xbox and Xbox Live account setup, which required asking for the user's first and last name, date of birth and email address. It added:
Even when a user indicated that they were under 13, they were also asked, until late 2021, to provide additional personal information including a phone number and to agree to Microsoft’s service agreement and advertising policy, which until 2019 included a pre-checked box allowing Microsoft to send promotional messages and to share user data with advertisers, according to the complaint.
The FTC said it was only after all that personal information was collected that Microsoft asked for anyone under 13 years old to involve a parent in the account setup process. It stated:
According to the complaint, from 2015-2020 Microsoft retained the data—sometimes for years—that it collected from children during the account creation process, even when a parent failed to complete the process. COPPA prohibits retaining personal information about children for longer than is reasonably necessary to fulfill the purpose for which it was collected.
In addition to the fine, Microsoft must also perform the following tasks:
- Inform parents who have not created a separate account for their child that doing so will provide additional privacy protections for their child by default;
- Obtain parental consent for accounts created before May 2021 if the account holder is still a child;
- Establish and maintain systems to delete, within two weeks from the collection date, all personal information that it collects from children for the purposes of obtaining parental consent if it has not obtained parental consent and to delete all other personal data collected from children after it is no longer necessary to fulfill the purpose for which it was collected; and
- Notify video game publishers when it discloses personal information from children that the user is a child, which will require the publishers to apply COPPA’s protections to that child.
In its own statement about the FTC decision, Microsoft stated:
Regrettably, we did not meet customer expectations and are committed to complying with the order to continue improving upon our safety measures. We believe that we can and should do more, and we’ll remain steadfast in our commitment to safety, privacy, and security for our community.
The company also claims that "a technical glitch" in its Xbox service caused personal account data for children under 13 to be retained when the account creation process was started and not completed. Microsoft said the issue was fixed and the account info was deleted. Microsoft said that information was "never used, shared, or monetized."
Microsoft claims it is working on a new version of its account creation service with privacy and safety in mind:
We are innovating on next-generation identity and age validation – a convenient, secure, one-time process for all players that will allow us to better deliver customized, safe, age-appropriate experiences. The long-term benefits will be felt by all players, especially children and their families. And while we see this as the future, we anticipate that the entire games industry will as well.
Microsoft says it will be testing these new age verification methods and getting feedback on how they work in the coming months.