What just happened? Microsoft violated the Children's Online Privacy Protection Act (COPPA), the US federal law conceived to protect the online privacy of children under the age of 13. Younger gamers were profiled without their parents' consent, and data was retained for years, even for uncompleted accounts.
Microsoft and the Federal Trade Commission (FTC) have reached an agreement about a COPPA law violation on the Xbox platform, as the Redmond company had been collecting and storing children's data for years despite the federal protection granted to underage online users. The fine imposed on Microsoft is puny (just $20 million), but the US agency said the settlement can be a "game changer" for COPPA compliance.
Xbox Live is an online gaming network used by millions of gamers, many of whom are under 13, the FTC said. The federal agency investigated Microsoft's actions and found three different ways in which the company violated COPPA: Redmond collected personal information from underage gamers before notifying their parents and getting parental consent; it failed to tell parents about the information collected, why it was collecting that information, and the fact that it was being disclosed to third parties; it retained kids' personal information for "longer than is reasonably necessary."
Until 2019, minors signing up to Xbox online gaming service were asked to confirm (through a pre-filled checkbox) data sharing authorization with third-party advertisers. Children's personal data (name, email address, phone number, date of birth etc.) were collected before asking for a parent to complete the account creation process, the FTC said, and they were stored even if said parent had ultimately abandoned the sign-up procedure.
The settlement with the FTC will force Microsoft to notify parents and obtain consent for accounts created before May 2021. The company will also have to create new systems designed to delete children's personal information collected without parental consent, ensuring that such information is removed when it's no longer needed for Xbox-related online services.
According to the FTC, the proposed settlement with Microsoft will ensure that parents will have an easy way to protect their children's privacy on Xbox, while limiting the information Microsoft can collect and retain about younger gamers at the same time. The action should make it "abundantly clear" that kids' avatars, biometric data, and health information are "not exempt from COPPA" protection, FTC's Bureau of Consumer Protection Samuel Levine said.
Microsoft acknowledged the agreement with the FTC, stating that the company "did not meet customer expectations" and is now committed to complying with the order to continue improving upon its safety measures. Redmond is however stating that the unwanted data retention during kids' account creation was just a result of an unspecified "technical glitch," and not because of company malice.