The FTC fined Microsoft $20 million for illegally collecting and retaining the data of children when they signed up to its Xbox gaming system. In so doing, Microsoft violated the Children’s Online Privacy Protection Act (COPPA).
The COPPA Rule requires online services to notify parents when personal information is collected about children under the age of 13. When a child signed up for Xbox, they could do so without their parents being notified or their parents' consent being obtained. According to the FTC, Microsoft should have obtained "verifiable parental consent" before collecting any data in this situation, but failed to do so, and therefore violated the COPPA Rule's notice, consent, and data retention requirements.
Samuel Levine, Director of the FTC’s Bureau of Consumer Protection said,
"Our proposed order makes it easier for parents to protect their children’s privacy on Xbox, and limits what information Microsoft can collect and retain about kids ... This action should also make it abundantly clear that kids’ avatars, biometric data, and health information are not exempt from COPPA."
As well as paying the fine, Microsoft must take the following action:
Inform parents that creating a separate account for their child adds additional privacy protections (if they haven't done so already).
Obtain parental consent for accounts created before May 2021 if the account holder is still a child.
Implement a system that deletes the data collected from a child within two weeks if parental consent is not obtained, and delete that data once it is no longer necessary to fulfil the purpose for which it was collected.
Notify game publishers when disclosed personal data is from a child user.
In a blog post, Microsoft's Dave McCarthy, corporate vice president of Xbox Player Services, confirmed Microsoft had agreed to the FTC's settlement and that, "Regrettably, we did not meet customer expectations and are committed to complying with the order to continue improving upon our safety measures. We believe that we can and should do more, and we’ll remain steadfast in our commitment to safety, privacy, and security for our community."
He went on to say that, since the FTC settlement, "we have updated our account creation process, which now requires players to first identify date-of-birth and, if under 13 years old, obtain verified parental consent before providing us with any information such as phone number or email address."
McCarthy also explained how Microsoft identified a technical glitch during the investigation which meant "our systems did not delete account creation data for child accounts where the account creation process was started but not completed." That glitch has now been fixed, the associated data deleted, and practices implemented to stop it happening again.
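The two controls described above (an age gate that blocks collection of contact details from under-13s until consent is recorded, and a retention job that purges unconsented child records after the two-week window, including signups that were started but never completed) can be modelled in a few dozen lines. The following is an added illustration written for this article, not Microsoft's code; the names (Signup, collect_contact, purge_expired, build_sample_store) and the sample records are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta, timezone
from typing import Dict, List, Optional

# Constructed policy constants for the example (hypothetical, not Microsoft's).
CHILD_AGE_LIMIT = 13           # COPPA applies to children under 13
CONSENT_GRACE = timedelta(days=14)  # "within two weeks" retention window


@dataclass
class Signup:
    """One account-creation record, complete or not."""
    account_id: str
    date_of_birth: date
    started_at: datetime
    completed: bool = False
    parental_consent_at: Optional[datetime] = None
    contact_info: Dict[str, str] = field(default_factory=dict)


def is_child(dob: date, now: datetime) -> bool:
    """True if the person is under CHILD_AGE_LIMIT on the given day."""
    today = now.date()
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    return age < CHILD_AGE_LIMIT


def collect_contact(signup: Signup, email: str, now: datetime) -> None:
    """Age gate: refuse to store contact data for a child without recorded consent."""
    if is_child(signup.date_of_birth, now) and signup.parental_consent_at is None:
        raise PermissionError("verifiable parental consent required before collecting contact data")
    signup.contact_info["email"] = email


def purge_expired(store: Dict[str, Signup], now: datetime) -> List[str]:
    """Retention job: delete every child record still lacking consent after the
    grace period. Incomplete signups are deliberately NOT exempt, which is the
    gap the article describes. Returns the ids that were deleted."""
    deleted = []
    for account_id, signup in list(store.items()):
        if not is_child(signup.date_of_birth, now):
            continue
        if signup.parental_consent_at is None and now - signup.started_at > CONSENT_GRACE:
            deleted.append(account_id)
            del store[account_id]
    return deleted


def build_sample_store(now: datetime) -> Dict[str, Signup]:
    """Constructed sample records relative to `now` (not real accounts)."""
    return {
        # Child, signup abandoned 19 days ago, no consent: must be purged.
        "child-abandoned": Signup("child-abandoned", date(2015, 1, 1),
                                  now - timedelta(days=19), completed=False),
        # Child, signup completed 19 days ago, no consent: must also be purged.
        "child-no-consent": Signup("child-no-consent", date(2014, 6, 6),
                                   now - timedelta(days=19), completed=True),
        # Child, only 10 days old and still inside the grace period: kept.
        "child-recent": Signup("child-recent", date(2016, 3, 3),
                               now - timedelta(days=10), completed=False),
        # Child with consent recorded: kept.
        "child-consented": Signup("child-consented", date(2015, 9, 9),
                                  now - timedelta(days=40), completed=True,
                                  parental_consent_at=now - timedelta(days=39)),
        # Adult: never subject to the child-consent purge.
        "adult": Signup("adult", date(1990, 5, 5),
                        now - timedelta(days=200), completed=True),
    }


if __name__ == "__main__":
    now = datetime(2024, 1, 20, tzinfo=timezone.utc)
    store = build_sample_store(now)
    print("purged:", purge_expired(store, now))
    try:
        collect_contact(store["child-recent"], "kid@example.invalid", now)
    except PermissionError as exc:
        print("blocked:", exc)
```

The purge deliberately keys on "no consent recorded" rather than on "signup completed", so a record left behind by an abandoned signup ages out on the same schedule as any other; a job that only scanned completed accounts would reproduce the glitch the article describes.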
Only last week, the FTC fined Amazon $25 million for deceiving parents and violating child privacy law. On the same day, Amazon got hit with a further $5.8 million fine for spying on customers through their Ring cameras.