Microsoft agreed a $20 million settlement with the Federal Trade Commission (FTC) for allegedly collecting and retaining children’s personal data from its Xbox gaming service without parental consent.
In a statement, the FTC asserted Microsoft had failed to fully comply with the Children’s Online Privacy Protection Act (COPPA) by gathering health and biometric information, avatars and other personal data of Xbox users, including those under the age of 13.
FTC found Microsoft guilty of retaining data from children during the account creation process from 2015 to 2020, even “when a parent failed to complete the process”.
As well as the $20 million settlement, Microsoft has been ordered to bolster privacy rules for children using the gaming service going forward.
The order requires Microsoft to obtain parental consent for children’s accounts created before 2021, notify third-party publishers when disclosing a child’s personal information, inform parents of privacy measures associated with account creation and establish a system to delete children’s data gathered without parental consent.
“Our proposed order makes it easier for parents to protect their children’s privacy on Xbox, and limits what information Microsoft can collect and retain about kids,” commented Samuel Levine, director of the FTC’s Bureau of Consumer Protection.
In recent weeks, the FTC stated it had also charged Amazon and EdTech platform Edmodo for similar mishandling of children’s data.