Microsoft has agreed to pay a $20 million penalty to settle a U.S. Federal Trade Commission (FTC) complaint alleging that it illegally collected and retained data from children who signed up to use its Xbox video game console without their parents’ knowledge or consent.
“Our proposed order will make it easier for parents to protect their children’s privacy on Xbox and limit the information Microsoft can collect and retain about their children,” said Samuel Levine of the FTC. “This action should make it clear enough that child avatars, biometric data and health information are no exception to COPPA.”
As part of the proposed settlement, which is pending court approval, the Redmond-based company has been ordered to update its account creation process for children to prevent data collection and storage. This includes obtaining parental consent and deleting the information within two weeks if approval is not obtained.
Privacy protections apply to biometrics and avatars made from children’s faces, as well as to third-party game publishers with whom Microsoft shares children’s data.
According to the FTC, Microsoft violated COPPA’s consent and data retention requirements by requiring anyone under the age of 13 to provide their name, email address, date of birth and phone number until the end of 2021.
Additionally, until 2019, the Windows maker allegedly shared user data with advertisers by default when users agreed to Microsoft’s service agreement and advertising policy.
“Only after you provided this personal information did Microsoft seek parental involvement from anyone who indicated they were under the age of 13,” the FTC said. “In that case, the child’s parent had to complete the account creation process before the child could get their own account.”
However, Microsoft chose to retain the data it collected from children during the account creation step for years, even in scenarios where the parent had not completed the sign-up process, thereby violating U.S. child privacy laws.
The company has also been accused of creating a unique, persistent identifier for underage accounts, of sharing that information with third-party game and app developers, and of explicitly asking parents to opt out in order to prevent their children from accessing third-party games and apps on Xbox Live.
Xbox, in response, said it was improving its age verification system and taking additional steps to ensure parental involvement in creating child accounts on the service. It did not disclose the exact details of what such a system would look like.
It also said that part of the problem was due to a technical glitch that prevented it from “deleting account creation data for child accounts whose account creation process was started but not completed,” and that the data was promptly deleted and never used, shared or monetized.
This isn’t the first time a video game maker has been fined by the FTC for violating COPPA. In December 2022, Fortnite developer Epic Games reached a $520 million settlement with the agency for violating the Children’s Online Privacy Protection Act.
The fine comes as Microsoft disclosed that it expects the Irish Data Protection Commission (DPC) to impose a fine of approximately $425 million in the fourth quarter of 2023.
The development also comes after the FTC fined Amazon a cumulative $30.8 million for a series of privacy violations involving Alexa Assistant and Ring security cameras.