Microsoft to pay $20 million settlement after FTC found it illegally collected and retained data from child users of Xbox Live gaming service
Microsoft is to pay $20 million (£16m) to settle allegations by the US Federal Trade Commission (FTC) that it illegally collected and retained the data of children who used its Xbox Live service.
The settlement, announced late on Monday, also includes additional protections for children using the service.
Microsoft required people using Xbox Live to sign up for accounts and provide their name, email address and age information.
But even when the company was aware users were under the age of 13 it continued to collect and retain data on them in violation of a US child safety law called the Children’s Online Privacy Protection Act (COPPA), the FTC said.
The regulator said Microsoft had, amongst other things, failed to inform parents of its data policies and obtain their consent as required by the law.
Not until after obtaining personal information on a child, such as a phone number, did Microsoft ask for parental consent.
From 2015 to 2020 Microsoft retained data “sometimes for years” from the account, even when a parent failed to complete the process, the FTC said.
Microsoft also failed to inform parents about all the data that was being collected, including the child’s profile photo, and that data was being distributed to third parties.
‘Data retention glitch’
Microsoft called the problem a “data retention glitch” and said it would improve its systems.
“In addition to our existing multifacted safety strategy, we also plan to develop next-generation identity and age validation — a convenient, secure, one-time process for all players,” the company said in a statement.
The new measures under the settlement include a system to delete data after two weeks if parental consent is not obtained.
The order must be approved by a federal judge before it can go into effect.
Last week Amazon agreed to pay $25m after the FTC found it had retained sensitive data on children, including voice recordings, for years.
Under the settlement Amazon’s doorbell camera unit Ring agreed to pay $5.8m after giving employees unrestricted access to customers’ data.
Google and TikTok are amongst the other companies that have also been hit by FTC penalties for collecting data on children without parental consent, while last December Epic Games agreed to a record-breaking $520m settlement with the FTC for COPPA violations.