Microsoft To Pay $20 Million In Settlement Over Children's Privacy Violations

Microsoft will pay $20 million to resolve charges that it broke the Children’s Online Privacy Protection Act (COPPA). The Federal Trade Commission (FTC) accused Microsoft of collecting personal information from children using Xbox without parental consent or awareness. It also charged the company with unlawfully keeping children's personal information.

The settlement order should give parents more control over their children’s privacy on Xbox, according to Samuel Levine, head of the FTC’s Bureau of Consumer Protection. He stressed that children’s avatars, health details, and biometric data must be protected under COPPA.

The Department of Justice, acting for the FTC, has drafted an order requiring Microsoft to enhance privacy protections for child users on Xbox. The order will extend COPPA protections to third-party game developers with whom Microsoft shares children’s data. It also clarifies that avatars based on a child’s image and biometric and health data are subject to COPPA when collected with other personal data. The order must be approved by a federal court before it becomes effective.

COPPA rules necessitate online services and websites for children under 13 to inform parents about the personal data they collect and to get parental approval before collecting or using any personal information from children. The DOJ’s complaint alleges that Microsoft did not adhere to these COPPA requirements.

To use Microsoft’s Xbox Live service, users have to create an account, providing personal information like their name, email, and date of birth. The complaint says that even when a user was under 13, they were asked to provide a phone number and agree to Microsoft’s service and advertising policies. This agreement allowed Microsoft to send promotional messages and share user data with advertisers.

Microsoft only sought parental involvement after children had provided their personal information. Parents then had to complete the account creation process for their child. From 2015-2020, Microsoft is alleged to have kept the information collected during the account creation process, which is a violation of COPPA rules.

The settlement requires Microsoft to:

Encourage parents to create separate accounts for their children, which offer additional privacy protections by default.
Seek parental consent for accounts created before May 2021 if the account holder is still a child.
Develop systems to erase all personal information collected from children within two weeks if parental consent is not obtained and delete all other personal data once it is no longer needed.
Inform video game publishers when they are receiving personal information from a child user, requiring the publishers to apply COPPA’s protections to that child.

Microsoft has been held accountable for its handling of children’s personal information. This landmark settlement is a reminder to all tech companies that children’s privacy rights must be taken seriously and that COPPA rules must be adhered to.