Microsoft will pay $20 million to settle an FTC complaint that its Xbox platform illegally collected and retained information about children without their parents’ consent, in violation of the Children’s Online Privacy Protection Act (COPPA).
According to the FTC complaint in the matter, Microsoft’s Xbox account sign-up process asked children under 13 for their name, date of birth, email address, and phone number, all before parents got involved in the sign-up process.
The complaint also alleges that Microsoft did not specifically notify parents that information such as uploaded photos and gameplay data associated with their player ID would be collected and potentially shared with third parties. Instead Microsoft included these specifics in a Privacy Statement, which the FTC says was akin to “sending parents off on what amounted to a DIY errand.”
Even then, until 2019 the Privacy Statement was insufficiently detailed, the FTC says, failing to include “a mandatory explanation for how parents can ask Microsoft to delete their child’s personal information and to stop collecting it in the future.” And Microsoft also allegedly violated COPPA by keeping that information for longer than was necessary, “often for years after the account creation process wasn’t completed.”
As part of the proposed order in the case, Microsoft will have to directly notify parents using the console of the benefits of creating a separate account for their child. Microsoft will also have to start notifying third-party publishers when it shares player data from children, so those publishers also know to adhere to COPPA requirements. The FTC will put a monitoring regime in place to ensure that Microsoft is following these new restrictions.
For context, the $20 million fine represents 0.03% of Microsoft’s total revenue for the most recently reported quarter.