It has already changed the Xbox account creation process to prevent data collection from underage users.
Microsoft will have to pay $20 million to settle charges brought by the Federal Trade Commission (FTC) that the company violated the Children’s Online Privacy Protection Act (COPPA). In the complaint filed by the DOJ on behalf of the FTC, the department accused the tech giant of collecting its underage Xbox users’ information and retaining their data even without their parents’ consent. To be able to play Xbox games and use services like Xbox Live, users have to sign up for an account and provide their personal information, including their full name, email address and place of birth.
Until 2021, users were also asked for their phone number and to agree to Microsoft’s advertising policy. The FTC found that Microsoft only asked users under 13 to get their parents to complete their account creation after they had already provided their personal information. And apparently, from 2015 until 2020, Microsoft collected and retained data from underage users, even if their parents didn’t complete the registration process. Under COPPA, online services and websites must obtain verifiable parental consent before using any personal information from children.
The FTC also explained that Microsoft combines a user’s gamertag with a unique persistent identifier that it could share with third-party developers, even for accounts owned by underage users. In a blog post, Dave McCarthy, the CVP Xbox Player Services, said Microsoft didn’t intentionally keep child accounts that weren’t completed by their parents. The company found a technical glitch that caused data retention during its investigation, he said, and its engineering team deleted affected children’s data after fixing the issue. “The data was never used, shared, or monetized,” he added.
In addition to paying $20 million to settle the FTC’s charges, Microsoft will also be required under the DOJ’s proposed order to change its account creation process for underage users. The tech giant has already updated the process so that it asks for somebody’s date of birth first and, if needed, asks for parental consent before it requires users to key in any other identifiable information. It will also ask users under the age of 13 who created an account before May 2021 to have their parent reverify their account over the coming months.
The FTC also requires Microsoft to establish a system that would delete all the personal information it collects from kids within two weeks if their parents don’t complete their account creation. Plus, it wants the company to notify video game publishers if the personal information shared is from a child, so that it can be protected by COPPA. While Microsoft has already implemented changes to its sign-up process, the proposed order must still be approved by a federal court before it can go into effect.