Microsoft has agreed to pay US $20 million to settle charges that it violated US law by collecting personal information from children who signed up to its Xbox gaming system without notifying their parents or obtaining their parents’ consent.
The Federal Trade Commission (FTC) has also accused the tech giant of illegally retaining children’s personal information.
“Our proposed order makes it easier for parents to protect their children’s privacy on Xbox, and limits what information Microsoft can collect and retain about kids,” said Samuel Levine, (Director of the FTC’s Bureau of Consumer Protection).
He added that the action should also make it “abundantly clear” that children’s avatars, biometric data, and health information were not exempt from the the Children’s Online Privacy Protection Act (COPPA).
As part of a proposed order filed by the Department of Justice on behalf of the FTC, Microsoft will be required to take several steps to strengthen privacy protections for child users of its Xbox system.
The order will extend COPPA protections to third-party gaming publishers with whom Microsoft shares children’s data. It must be approved by a federal court before it can go into effect.
COPPA requires online services and websites directed to children under 13 to notify parents about the personal information they collect, and to obtain verifiable parental consent before collecting and using any personal information collected from children.
The FTC said that Xbox asked users to create an account that required the provision of personal information.
“Even when a user indicated that they were under 13, they were also asked, until late 2021, to provide additional personal information − including a phone number − and to agree to Microsoft’s service agreement and advertising policy,” it stated.
“It wasn’t until after users provided this personal information that Microsoft required anyone who indicated they were under 13 to involve their parent,” the commission added.