Microsoft fined $20m for violating online child protection laws

"Regrettably, we did not meet customer expectations."

Microsoft has been fined $20m by the FTC for violating the Children's Online Privacy Protection Act (COPPA).

The fine is in response to the collection of personal information from children via Xbox without parents being notified or giving consent, as well as the illegal retention of that information, the FTC has said.

As a result, Microsoft is required to make a number of changes to improve privacy protection for children on Xbox.

"Our proposed order makes it easier for parents to protect their children's privacy on Xbox, and limits what information Microsoft can collect and retain about kids," said FTC Bureau of Consumer Protection boss Samuel Levine.

"This action should also make it abundantly clear that kids' avatars, biometric data, and health information are not exempt from COPPA."

In order to play games on an Xbox console, or access Xbox Live features, users must create an account and provide personal information. Until late 2021, even if a user indicated they were under 13, they were asked to provide additional personal information (like a phone number) and agree to Microsoft's service agreement. Only after this would parents be involved to complete the account creation.

According to the complaint, from 2015-2020 Microsoft retained this data, even if a parent failed to complete the process. This was considered a violation of COPPA's rules.

What's more, any information collected after an account is made and a gamertag assigned is combined with a unique persistent identifier which could be shared with third-party game and app developers. Parents were required to take additional steps to opt out of this for children.

Microsoft failed to fully comply with COPPA's notice provisions, according to the complaint.

An Xbox Wire post from Microsoft provides further details on the changes it is now required to make.

The account creation process now requires users to provide date-of-birth first and, if under 13, obtain verified parental consent before other information is requested.

Over the next few months, users under the age of 13 who created an account prior to May 2021 will require parental re-consent.

A technical glitch whereby systems did not delete data for child accounts where the process was started but not completed has now been fixed.
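As an added illustration (not Microsoft's code, and not drawn from the Xbox Wire post), the three changes above modelled in Python: date of birth first, a consent hold that refuses further personal data from an under-13 sign-up until parental consent is verified, and a purge of pending child sign-ups that are never completed. The 7-day deadline, the restricted field names and the sample dates are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta

CHILD_AGE_LIMIT = 13                    # threshold the article's flow gates on
CONSENT_DEADLINE = timedelta(days=7)    # assumed hold period for pending consent
RESTRICTED_FIELDS = {"phone", "email"}  # assumed: only collected after consent

def age_on(dob: date, today: date) -> int:
    """Whole years between dob and today."""
    years = today.year - dob.year
    if (today.month, today.day) < (dob.month, dob.day):
        years -= 1
    return years

@dataclass
class Signup:
    dob: date
    created: datetime
    consent_verified: bool = False
    profile: dict = field(default_factory=dict)

class SignupStore:
    def __init__(self) -> None:
        self.pending: dict[int, Signup] = {}
        self._next_id = 1

    def start(self, dob: date, now: datetime) -> int:
        """Step 1: the date of birth is the only field collected up front."""
        sid, self._next_id = self._next_id, self._next_id + 1
        self.pending[sid] = Signup(dob=dob, created=now)
        return sid

    def collect(self, sid: int, now: datetime, **fields) -> None:
        """Step 2: restricted fields are refused for an under-13 sign-up
        until verified parental consent is on record."""
        s = self.pending[sid]
        is_child = age_on(s.dob, now.date()) < CHILD_AGE_LIMIT
        if is_child and not s.consent_verified and RESTRICTED_FIELDS & fields.keys():
            raise PermissionError("verified parental consent required first")
        s.profile.update(fields)

    def record_parental_consent(self, sid: int) -> None:
        self.pending[sid].consent_verified = True

    def purge_abandoned(self, now: datetime) -> list[int]:
        """Step 3: delete child sign-ups whose consent never arrived in time,
        closing the retention gap the article describes."""
        expired = [sid for sid, s in self.pending.items()
                   if age_on(s.dob, now.date()) < CHILD_AGE_LIMIT
                   and not s.consent_verified
                   and now - s.created > CONSENT_DEADLINE]
        for sid in expired:
            del self.pending[sid]
        return expired

def demo() -> dict:
    """Constructed scenario: one child and one adult sign up on 2023-06-06;
    the child's parent never completes consent."""
    store, now = SignupStore(), datetime(2023, 6, 6)
    kid = store.start(date(2012, 1, 1), now)
    adult = store.start(date(1990, 1, 1), now)
    try:
        store.collect(kid, now, phone="555-0100")  # constructed value
        blocked = False
    except PermissionError:
        blocked = True
    store.collect(adult, now, phone="555-0100")    # adult: collected directly
    purged = store.purge_abandoned(now + timedelta(days=8))
    return {"child_blocked": blocked, "purged": purged, "adult_kept": adult in store.pending}
```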

"We recently entered into a settlement with the U.S. Federal Trade Commission (FTC) to update our account creation process and resolve a data retention glitch found in our system," reads the blog post.

"Regrettably, we did not meet customer expectations and are committed to complying with the order to continue improving upon our safety measures. We believe that we can and should do more, and we'll remain steadfast in our commitment to safety, privacy, and security for our community."

It continues: "We see an opportunity to further advance safe digital experiences that are accessible, simple to use, and benefit all players. We are innovating on next-generation identity and age validation - a convenient, secure, one-time process for all players that will allow us to better deliver customised, safe, age-appropriate experiences. The long-term benefits will be felt by all players, especially children and their families. And while we see this as the future, we anticipate that the entire games industry will as well."

Microsoft will test further validation methods over the coming months.