Microsoft has agreed to pay a hefty fine of $20 million to US federal regulators, following the discovery that the company unlawfully collected data from children who created accounts on its Xbox gaming platform.
The Federal Trade Commission (FTC) reached an agreement with the tech giant on Monday, which also includes enhancing protection measures for child gamers. This follows a similar action taken against Amazon last week over its Echo devices.
Among other violations, the FTC found that Microsoft failed to inform parents about its data collection policies. The tech giant violated the Children’s Online Privacy Protection Act (COPPA) by not adequately obtaining parental consent and by retaining personal data of children under 13 years old for longer than necessary, for accounts created before 2021.
COPPA requires services and websites targeted at children to obtain parental consent and to inform parents about the data collection process. To use certain services on Xbox, users are required to create an account, which necessitates information such as full name, email address, and date of birth as part of the process.
Microsoft obtained parental permission only after collecting personal data, such as the child’s phone number. In a statement, the FTC said that from 2015 to 2020 Microsoft retained data “sometimes for years” for accounts that had been created, even when a parent did not complete the process.
The company also failed to inform parents about all the data it was collecting, including user profile pictures, and about the data being revealed to third parties.
Dave McCarthy, an official at Microsoft and Vice President of Xbox services, posted on the gaming platform’s blog, “Regrettably, we did not meet customer expectations, and we are committed to complying with the order to continue to enhance our safety measures.” He added, “We believe we can and should do more, and we will maintain our commitment to safety, privacy, and security for our community.”
As part of the settlement, Microsoft must also implement new child safety measures, including maintaining a system to delete all personal data after two weeks, unless parental consent is obtained. The settlement needs approval from a federal judge before it can be enforced.
Last week, Amazon agreed to pay a $25 million fine after the FTC found that it retained sensitive data, including voice recordings of children, for years. Ring, Amazon’s home security camera division, agreed to pay $5.8 million after allowing employees unrestricted access to customer data.