The Federal Trade Commission has fined Microsoft to the tune of $20 million USD for illegally collecting the personal information of children on its Xbox console.
In the statement from the FTC, the government agency states that the Xbox sign-up process violates the Children's Online Privacy Protetcion Act. This is because it collects information without parental consent. Xbox, for their part, agreed to settle the matter, claiming it will "resolve a data retention glitch found" in its system, as well as amend its start up process.
Via the FTC statement:
“Our proposed order makes it easier for parents to protect their children’s privacy on Xbox, and limits what information Microsoft can collect and retain about kids,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “This action should also make it abundantly clear that kids’ avatars, biometric data, and health information are not exempt from COPPA.”
FTC will require Microsoft to pay $20 million over charges it illegally collected personal information from children who signed up for its Xbox gaming system without their parents’ consent: https://t.co/kgm0wFp2zG /1 #privacy
— FTC (@FTC) June 5, 2023
The act the sign-up process violated, the Children's Online Privacy Protection Act, or COPPA, requires children under the age of 13 have their parents notified about any personal information that the digital entity might be collecting. The FTC statement says that even when users listed their birthdates as under 13 years of age, there was no prompt to get a parent involved, at least until 2021.
"It wasn’t until after users provided this personal information that Microsoft required anyone who indicated they were under 13 to involve their parent. The child’s parent then had to complete the account creation process before the child could get their own account. According to the complaint, from 2015-2020 Microsoft retained the data—sometimes for years—that it collected from children during the account creation process, even when a parent failed to complete the process. COPPA prohibits retaining personal information about children for longer than is reasonably necessary to fulfill the purpose for which it was collected."
Microsoft in a statement on Xbox Wire claims this was a glitch in their system, something that is rectified.
"We recently entered into a settlement with the U.S. Federal Trade Commission (FTC) to update our account creation process and resolve a data retention glitch found in our system. Regrettably, we did not meet customer expectations and are committed to complying with the order to continue improving upon our safety measures. We believe that we can and should do more, and we’ll remain steadfast in our commitment to safety, privacy, and security for our community."
Since the FTC complaint, Microsoft states that the process has been updated, requiring a date of birth first and then getting a parent involved from there if the date entered is below the age of 13. It will also be retroactively forcing parental consent on any account made prior to 2021 and was under 13.
This isn't the only high-profile case with the FTC Microsoft is working through right now, as the FTC is also suing Microsoft to block its acquisition of Activision Blizzard.