FTC fines Microsoft $20m for illegally collecting children’s personal information

Legal Microsoft vows to develop “next-generation identity and age validation” system as it addresses violations of COPPA Sign up for the GI Daily here to get the biggest news straight to your inbox At a glance Microsoft to pay $20 million for violating Children’s Online Privacy Protection Act Xbox users under 13 years old were asked to provide personal information before parents were notified Platform holder is reaching out to all child users who created an account before May 2021 to secure parental consent The Federal Trade Commission has ordered Microsoft to pay $20 million after an investigation found that it has been illegally collecting the personal information of children who use its Xbox consoles without parental consent. The FTC said Xbox has violated the Children’s Online Privacy Protection Act by not only gathering this data, but also by illegally retaining it for longer than is necessary. In addition to the fine, a proposed order filed by the Department of Justice on behalf of the FTC will require Microsoft to take steps to improve the privacy protection for child users on Xbox. This will include extending COPPA protections to any third-party publishers with whom Microsoft shares data. This order must be approved by a federal court before it can go into effect, although Microsoft has detailed some of the changes it has already made in its own blog post. The issues raised by the FTC’s original complaint includes the fact that the process of creating an Xbox account, which all users must complete in order to play games, involves providing personal information including the user’s first name, last name, date of birth and email address. It was only after this data was given that Microsoft indicated the need for parental consent to complete the process if the user was under 13 years old. Microsoft said it has updated its account creation process, which will now requires players to provide their date of birth first. If the user is younger than 13, parental consent must be obtained before they are asked for a phone number and email address. The FTC’s complaint also observed that from 2015 to 2020, Microsoft retained the data it collected from children during the account creation process, even if a parent failed to complete it
Game Industry source