Microsoft has been charged US $20 million by the US Federal Commission (FTC) following the settlement of a legal dispute concerning the illegal storage of data from children using Xbox consoles. Per the FTC, Microsoft had not been adhering to the Children’s Online Privacy Protection Act (COPPA), and instead retained children’s data without the proper parental consent.
Until late 2021, Microsoft reportedly required all Xbox users to provide personal information for an account, including a phone number, full name, and date of birth. They were also required to agree to Microsoft’s terms and conditions – all before an adult’s consent was needed. This was the subject of the FTC’s complaint.
‘From 2015-2020 Microsoft retained the data – sometimes for years – that it collected from children during the account creation process, even when a parent failed to complete the process,’ the FTC claimed. ‘COPPA prohibits retaining personal information about children for longer than is reasonably necessary to fulfil the purpose for which it was collected.’
Microsoft also reportedly ‘failed to disclose to parents all the information it collected, such as a child’s profile picture.’
To remedy this situation, the FTC has proposed a significant fine, and a new order that would require Microsoft to strengthen its data protections for children, with new bounds set for ensuring kids’ avatars, biometric data, and health information are clearly protected under COPPA.
‘The order will extend COPPA protections to third-party gaming publishers with whom Microsoft shares children’s data,’ the FTC announced in a press release. ‘ In addition, the order makes clear that avatars generated from a child’s image, and biometric and health information, are covered by the COPPA Rule when collected with other personal data.’
In response to the complaint, Microsoft has claimed the unlawful data retention was a ‘glitch’ and acknowledged the harm this may have caused.
‘Regrettably, we did not meet customer expectations and are committed to complying with the order to continue improving upon our safety measures,’ Dave McCarthy, CVP of Xbox Player Services said in a blog post. ‘We believe that we can and should do more, and we’ll remain steadfast in our commitment to safety, privacy, and security for our community.’