Tech giant Microsoft has agreed to a $20-million settlement over charges of violating child privacy through its gaming products, the US Federal Trade Commission (FTC) has said.
Microsoft illegally collected personal information of young users without obtaining their parents’ consent, according to the FTC. The company was accused of breaching the Children’s Online Privacy Protection Act (COPPA) by gathering data from underage users who registered for Microsoft’s Xbox gaming system.
Microsoft did not notify the parents about collecting their children’s personal information and retaining it, the FTC says.
“Our proposed order makes it easier for parents to protect their children’s privacy on Xbox, and limits what information Microsoft can collect and retain about kids,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “This action should also make it abundantly clear that kids’ avatars, biometric data, and health information are not exempt from COPPA.”
The order obliges Microsoft to step up privacy protections for its young Xbox users. These measures will extend to third-party gaming publishers with whom Microsoft shares children’s data.
Moreover, the avatars generated from a child’s image, along with biometric and health information, must be covered by the COPPA Rule when collected with other personal data. The order, however, has to be approved by a federal court before it goes into effect.
A complaint lodged by the US Department of Justice (DOJ) also accused Microsoft of violating the COPPA Rule’s notice, consent and data retention requirements. The Xbox gaming products offer the ability to play games and communicate with other users through Xbox Live. To use these features, users are required to create an account and provide personal information such as first and last name, email address, and date of birth.
Even when a user indicated that they were underage, Microsoft, until late 2021, asked them to provide additional details such as a phone number. Users were also required to agree to Microsoft’s service agreement and advertising policy. Until 2019, these agreements included a pre-checked box enabling Microsoft to send promotional messages and share user data with advertisers.
Xbox made it a requirement for an underage user to involve their parent only after they had provided all personal information to the company. According to the FTC, Microsoft failed to comply with the rules; it did not inform parents about the information it had gathered from young users, including their profile pictures.
Besides the $20-million penalty, Microsoft will be required to obtain parental consent for accounts created before May 2021, if the account holder is still underage. The company will also have to delete a child’s personal information gathered for the purpose of obtaining parental consent within two weeks.