Microsoft is set to pay the Federal Trade Commission (FTC) a $20 million fine after being accused of improperly storing Xbox account data for children, in alleged violation of the Privacy Act. privacy of children online (Children’s Online Privacy Protection Act – COPPA).
A complicated new case
According to a press release, Microsoft kept children’s personal information well beyond the period allowed when creating their accounts.
To comply with FTC requirements, Microsoft will need to make changes, such as requiring parents to be notified that children’s accounts have additional privacy protections, obtaining parental consent for accounts created before 2021, to implement data deletion systems to obtain parental consent for child accounts, and to notify other publishers when children’s personal information is disclosed.
This case marks the latest settlement between the FTC and a video game company for alleged violations of COPPA. In December 2022, Epic Games, the developer of Fortnite, agreed to pay $520 million to the FTC, including $275 million for COPPA violations. Recently, Epic created child accounts for Fortnite, Rocket League, and Fall Guys.
The FTC said Microsoft, through the end of 2021, collected certain personal information when creating accounts without requiring parental involvement of gamers under 13. According to the FTC, Microsoft retained this personal data for sometimes very long periods of time, even if the registration process was not completed, which violates COPPA. Dave McCarthy, Vice President of Xbox Gamer Services, said this in an Xbox blog post:
“Unfortunately, we have not met customer expectations and we are committed to complying with the order in order to continue to improve our security measures. We believe we can and should do more, and we will stay true to our commitment to the safety, privacy, and security of our community. »
McCarthy explained that Microsoft did not delete the child account creation data due to a “technical glitch,” but that issue has since been resolved and the data has been deleted. According to McCarthy, the data has never been used, shared or monetized.