Microsoft settles for $20mn over illegal data collection from child gamers

In addition to the fine, the settlement calls for Microsoft to improve child gaming safety measures.

Microsoft has agreed to a $20 million settlement with the US Federal Trade Commission (FTC) following charges of illegal data collection from children who created Xbox accounts.

The company was found to have violated the Children’s Online Privacy Protection Act (COPPA) by improperly obtaining parental consent and retaining data on children under 13 years of age longer than required.

In a statement, the FTC highlighted that Microsoft had neglected to educate parents regarding its data collection practices, which is a mandatory requirement of COPPA. This statute mandates that any online services or websites targeted at children must acquire parental consent and provide transparency about the child’s personal data collection process.

Xbox accounts necessitate the user to provide their full name, email address, and date of birth during the account creation process.

However, Microsoft sought parental permission only after obtaining other personal details, including the child’s phone number. Furthermore, the company had retained data for extended periods, sometimes for years, even when parental approval was incomplete.

The FTC emphasised that Microsoft had also been deficient in informing parents about the breadth of data collection, including profile pictures, and that the data was being shared with third parties.

QIA eyes full acquisition of Cairo’s stake in Vodafone Egypt: reports

Addressing the situation, Dave McCarthy, Microsoft’s CVP of Xbox Player Services, admitted in a blog post, “Regrettably, we did not meet customer expectations and are committed to complying with the order to continue improving upon our safety measures,” reported the BBC.

He added that Microsoft is committed to doing more for the safety, privacy, and security of its community.

In addition to the fine, the settlement involves Microsoft implementing improved safety measures for child gamers. These measures include maintaining a system to erase all personal data after two weeks if parental consent is not obtained. This order is awaiting approval from a federal judge before it can be put into effect.

This settlement follows a similar case last week in which Amazon was fined $25 million for retaining sensitive data, including voice recordings of children.