Microsoft has earned the ire of the US Federal Trade Commission and has been slapped with a $20M fine by the government agency for taking the personal information of children 13 years of age and younger via Xbox registration and keeping the data for longer than is needed.
The FTC points out that players who want to play games on the Xbox console have to first register by providing a name, date of birth, and email address; that’s part and parcel for most people nowadays, but the problem is that the console asked for parental consent to continue after this information was provided. In addition, the FTC says that Microsoft retained the data collected from children from 2015 to 2020 even if a parent failed to complete the process. Both of these are violations of the Children’s Online Privacy Protection Act (COPPA).
On top of the fine, Microsoft is being court-ordered to take measures to improve privacy protections for younger Xbox users, including extending COPPA protections to any third-party publishers that get user data from Microsoft. This order has to be approved by a federal judge before it goes into effect.
The settlement and FTC orders have prompted Microsoft to pen a fluffy blog post that notes players now have to provide their date of birth before registering on Xbox along with the promise to “test new methods to validate age and take feedback from our customers’ experience.” As for the noted saving of children’s data, the company attributes that to a “technical glitch” that has since been corrected and safeguarded against.