FTC: Microsoft to pay US $20 million for storing kids’ Xbox data

Microsoft has been ordered to pay a fine for its unlawful collection of children's data.

Microsoft has been fined US $20 million by the US Federal Trade Commission (FTC) following the settlement of a legal dispute concerning the illegal storage of data from children using Xbox consoles. Per the FTC, Microsoft had not been adhering to the Children’s Online Privacy Protection Act (COPPA), and instead retained children’s data without the proper parental consent.

Until late 2021, Microsoft reportedly required all Xbox users to provide personal information for an account, including a phone number, full name, and date of birth. They were also required to agree to Microsoft’s terms and conditions – all before an adult’s consent was needed. This was the subject of the FTC’s complaint.

‘From 2015-2020 Microsoft retained the data – sometimes for years – that it collected from children during the account creation process, even when a parent failed to complete the process,’ the FTC claimed. ‘COPPA prohibits retaining personal information about children for longer than is reasonably necessary to fulfil the purpose for which it was collected.’

Microsoft also reportedly ‘failed to disclose to parents all the information it collected, such as a child’s profile picture.’

To remedy this situation, the FTC has proposed a significant fine, and a new order that would require Microsoft to strengthen its data protections for children, with new bounds set for ensuring kids’ avatars, biometric data, and health information are clearly protected under COPPA.

‘The order will extend COPPA protections to third-party gaming publishers with whom Microsoft shares children’s data,’ the FTC announced in a press release. ‘In addition, the order makes clear that avatars generated from a child’s image, and biometric and health information, are covered by the COPPA Rule when collected with other personal data.’

In response to the complaint, Microsoft has claimed the unlawful data retention was a ‘glitch’ and acknowledged the harm this may have caused.

‘Regrettably, we did not meet customer expectations and are committed to complying with the order to continue improving upon our safety measures,’ Dave McCarthy, CVP of Xbox Player Services, said in a blog post. ‘We believe that we can and should do more, and we’ll remain steadfast in our commitment to safety, privacy, and security for our community.’

Leah J. Williams is a gaming and entertainment journalist who's spent years writing about the games industry, her love for The Sims 2 on Nintendo DS and every piece of weird history she knows. You can find her tweeting @legenette most days.