Microsoft has agreed to pay a $20 million settlement to the Federal Trade Commission (FTC) for violating the Children’s Online Privacy Protection Act (COPPA). The company was charged with collecting personal information from children who signed up for its Xbox gaming system without parental notification or consent and illegally retaining children’s personal data.
The settlement comes as part of a proposed order filed by the Department of Justice on behalf of the FTC. The order requires Microsoft to strengthen privacy protections for child users of its Xbox system. One significant provision of the order is the extension of COPPA protections to third-party gaming publishers with whom Microsoft shares children’s data. It also clarifies that avatars generated from a child’s image and biometric and health information are covered by the COPPA Rule when collected alongside other personal data. However, a federal court must still approve the order before it takes effect.
Under the COPPA Rule, online services and websites directed towards children under 13 must inform parents about the personal information they collect and obtain verifiable parental consent before collecting and using any data from children. The complaint filed by the Department of Justice alleges that Microsoft violated the COPPA Rule’s notice, consent, and data retention requirements.
Microsoft’s Xbox gaming products allow users to play games and communicate with other players via Xbox Live. To access games or use other features, users must create an account, providing personal information such as their name, email address, and date of birth. Until late 2021, even users who indicated they were under 13 were asked for additional personal information, including a phone number. Until 2019, Microsoft’s service agreement and advertising policy, which included a pre-checked box for promotional messages and data sharing with advertisers, compounded the issue.
The complaint reveals that Microsoft did not require parental involvement until after users provided personal information. Only then were parents asked to complete the account creation process. Between 2015 and 2020, Microsoft retained data it collected from children during the account creation process, even when parents failed to complete it. COPPA strictly prohibits retaining personal information about children beyond what is reasonably necessary for the original purpose of collection.
Once an account was created, children could create a profile with a Gamertag, upload a picture, or include an avatar. Microsoft combined this information with a unique persistent identifier for each account holder, including children, and shared it with third-party game and app developers. Microsoft also allowed all users, including children, to play third-party games and apps by default, requiring parents to opt out if they wished to restrict access.
The complaint states that Microsoft failed to fully disclose the information it collected, such as a child’s profile picture, thereby violating COPPA’s notice provisions.
In addition to the monetary penalty, the proposed order mandates that Microsoft must inform parents about the additional privacy protections provided when creating separate accounts for their children. Parental consent must be obtained for accounts created before May 2021 if the account holder is still a child. Microsoft must also establish systems to promptly delete personal information collected from children if parental consent is not obtained and delete all other personal data once it is no longer necessary. Furthermore, the company must notify video game publishers when disclosing personal information from children, prompting publishers to apply COPPA’s protections.
The FTC voted unanimously to refer the complaint and proposed order to the Department of Justice, which subsequently filed the complaint and stipulated order in the U.S. District Court for the Western District of Washington state.