Microsoft to Pay $20 Million Penalty for Illegally Collecting Kids’ Data on Xbox

June 7, 2023 | Ravi Lakshmanan | Privacy / Technology

Microsoft has agreed to pay a $20 million penalty to settle a U.S. Federal Trade Commission (FTC) complaint alleging that it illegally collected and retained data from children who signed up to use Xbox video game consoles without parental knowledge or consent.

“Our proposed order will make it easier for parents to protect their children’s privacy on Xbox and limit the information Microsoft can collect and retain about their children,” said Samuel Levin of the FTC. “This action should make it sufficiently clear that the child’s avatar, biometric data and health information are also not exempt from COPPA.”

As part of the proposed settlement, which is pending court approval, the Redmond-based company has been ordered to update its account creation process for children to prevent data collection and storage. This includes obtaining parental consent and deleting the information within two weeks if approval is not obtained.

Privacy protections apply to biometrics and avatars made from children’s faces, as well as to third-party game publishers with whom Microsoft shares children’s data.

According to the FTC, Microsoft violated COPPA’s consent and data retention requirements by requiring anyone under the age of 13 to provide their name, email address, date of birth and phone number until the end of 2021.

Additionally, until 2019, the Windows maker allegedly shared user data with advertisers by default when users agreed to Microsoft’s service agreements and advertising policies.

“Only after users provided this personal information did Microsoft seek parental involvement for anyone who indicated they were under the age of 13,” the FTC said. “In that case, the child’s parent had to complete the account creation process before the child could get their own account.”

However, Microsoft chose to retain data collected from children during the account creation step for years, even in scenarios where the parent had not completed the sign-up process, thereby violating U.S. child privacy laws.

The company has also been accused of creating a unique, persistent identifier for underage accounts, sharing that information with third-party game and app developers, and explicitly requiring a parent to opt out to prevent children from accessing third-party games and apps on Xbox Live.

In response, Xbox said it would improve its age verification system and take additional steps to ensure parental involvement in creating child accounts on the service. It did not disclose the exact details of what such a system would look like.

It also said that part of the problem was due to a technical glitch that prevented it from “deleting account creation data for child accounts whose account creation process was started but not completed,” and that the data was promptly deleted and was not used, shared or monetized.

This isn’t the first time a video game maker has been fined by the FTC for violating COPPA. In December 2022, Fortnite developer Epic Games reached a $520 million settlement with the agency for violating the Children’s Online Privacy Protection Act.

The fine comes after Microsoft revealed that it expected to be fined “approximately $425 million” in the fourth quarter of 2023 by the Irish Data Protection Commission (DPC) in a case involving LinkedIn users.

The development also comes after the FTC fined Amazon a cumulative $30.8 million for a series of privacy violations involving Alexa Assistant and Ring security cameras.
