The FTC has announced that Microsoft will be paying $20 million to settle charges that it violated the Children’s Online Privacy Protection Act (COPPA) by “collecting personal information from children who signed up to its Xbox gaming system without notifying their parents or obtaining their parents’ consent, and by illegally retaining children’s personal information.” According to the original complaint, which was filed by the Department of Justice on June 5, 2023, Microsoft collected information from users even if they had explicitly told the company that they were under 13. Players who are under the age of 13 will now need to ask their parents to reverify their accounts, Xbox explained in a blog post about how it’s “reimagining the future of safety on Xbox.”
“Our proposed order makes it easier for parents to protect their children’s privacy on Xbox, and limits what information Microsoft can collect and retain about kids,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “This action should also make it abundantly clear that kids’ avatars, biometric data, and health information are not exempt from COPPA.”
From an FTC blog post:
Where does the FTC say Microsoft went wrong? You’ll want to read the complaint for details, but it started with the initial sign-up procedure. To play, users needed a Microsoft account. At the outset, Microsoft required them to provide their email address, their first and last name, and their date of birth. Until late 2021, Microsoft also asked for their phone number. What’s more, Microsoft required them to consent to the company’s service agreement, which until 2019 included a pre-checked box allowing Microsoft to send them promotional messages and to share user data with advertisers. The sequence of events is important here because Microsoft asked for all that information even from users who had just told the company they were under 13. Only after gathering that raft of personal data from children did Microsoft get parents involved in the process. And that’s at the crux of the FTC’s allegation that the company violated COPPA.
From an Xbox Wire post:
Since the FTC settlement, we have updated our account creation process, which now requires players to first identify date-of-birth and, if under 13 years old, obtain verified parental consent before providing us with any information such as phone number or email address. This updated process ensures that we can identify potential child accounts immediately and make clear to parents and caregivers the next steps to protect their children’s data and play safely on our network.
Over the coming months, players who are under the age of 13 and created an account prior to May 2021 will require parental reconsent – meaning a parent will be prompted to reverify the account and grant permission for their child to continue gameplay and activity on Xbox. We are committed to making this process as seamless as possible. We are working hard to ensure that when parents are prompted to reconsent, they will have the information needed to proceed without disruptions to their child’s access. To learn more about setting up a child account, please visit here.
During the investigation, we identified a technical glitch where our systems did not delete account creation data for child accounts where the account creation process was started but not completed. This was inconsistent with our policy to save that information for only 14 days to make it easier for gamers to pick up where they left off to complete the process. Our engineering team took immediate action: we fixed the glitch, deleted the data, and implemented practices to prevent the error from recurring. The data was never used, shared, or monetized.