The Department of Justice (DOJ) has filed a proposed order on behalf of the Federal Trade Commission (FTC) that would require Microsoft to pay $20 million to settle allegations that it violated the Children's Online Privacy Protection Act (COPPA).
The FTC claims Microsoft violated COPPA by collecting and retaining, without notifying parents or obtaining their consent, the personal information of children who signed up to use its Xbox platform.
The COPPA requires online services and websites directed at children under 13 to notify parents about the personal information that's being collected, while also obtaining verifiable parental consent before gathering and using that data.
According to a complaint filed by the DOJ, Microsoft violated those requirements by asking anybody (including children) seeking to access and play games on an Xbox console, or use other services such as Xbox Live, to create an account by providing personal information such as their first and last name, email address, and date of birth.
"Even when a user indicated that they were under 13, they were also asked, until late 2021, to provide additional personal information including a phone number and to agree to Microsoft's service agreement and advertising policy, which until 2019 included a pre-checked box allowing Microsoft to send promotional messages and to share user data with advertisers, according to the complaint," adds the FTC.
The FTC wants better protections for children on Xbox
Notably, users under 13 were only asked to involve their parents in that process after their personal information had already been handed over, which meant Microsoft retained that data even when a parent never completed the consent process.
"According to the complaint, from 2015-2020 Microsoft retained the data—sometimes for years—that it collected from children during the account creation process," notes the FTC, which also highlighted issues with how Microsoft handled information provided by Xbox Live users.
"After a child makes an account, they can create a profile that will include their 'gamertag,' which is the primary identifier visible to the user and other Xbox Live users, and can also upload a picture or include an avatar, which is a figure or image that represents the user," it continued.
"According to the complaint, Microsoft combined this information with a unique persistent identifier it creates for each account holder, even children, and could share this information with third-party game and app developers. Microsoft allowed—by default—all users, including children to play third-party games and apps while using Xbox Live, requiring parents to take additional steps to opt out if they don’t want their children to access them."
In addition to the settlement penalty, the FTC will require Microsoft to bolster protections for children using its platform by obtaining parental consent for accounts created before May 2021 if the account holder is still a child; establishing and maintaining systems to delete, within two weeks, all personal information it collects from children for the purpose of obtaining parental consent, unless that consent is obtained; notifying game publishers when it discloses personal information from children so they can apply COPPA protections; and ensuring parents are aware of the additional privacy protections they can access by creating a separate account for their child.
"Our proposed order makes it easier for parents to protect their children’s privacy on Xbox, and limits what information Microsoft can collect and retain about kids," said Samuel Levine, director of the FTC's Bureau of Consumer Protection. "This action should also make it abundantly clear that kids’ avatars, biometric data, and health information are not exempt from COPPA."
Game Developer has reached out to Microsoft for comment.