Microsoft to pay $20M to settle charges of misusing children's data
Microsoft has been ordered to pay $20 million to settle U.S. charges that the company illegally collected personal information of children.
The Federal Trade Commission accused the tech giant of collecting and retaining the data of kids who signed up to use Microsoft's Xbox gaming system without consent from their parents. The FTC claimed those actions were a violation of the Children's Online Privacy Protection Act (COPPA).
"Our proposed order makes it easier for parents to protect their children's privacy on Xbox, and limits what information Microsoft can collect and retain about kids," said Samuel Levine, Director of the FTC's Bureau of Consumer Protection. "This action should also make it abundantly clear that kids' avatars, biometric data, and health information are not exempt from COPPA."
As part of a proposed order filed by the Department of Justice on behalf of the FTC, Microsoft will be required to take additional steps to strengthen privacy protections for children who use its Xbox system. Additionally, the company will have to obtain parental consent for children's accounts that were created before May 2021. If Microsoft does not obtain consent, the company must delete all of the account holder's personal information within two weeks.
SEE MORE: Facebook users can get a piece of its $725 million privacy payout
In a blog post Monday, Microsoft corporate vice president for Xbox Dave McCarthy outlined steps the company is already taking to improve its age verification systems and ensure parents are aware of what information Microsoft is collecting from their children.
"We want all parents, caregivers, and families to know that, more than anything else, we have their children's safety and privacy top of mind," McCarthy wrote. "We will continue to communicate the changes we are making to our practices and the data we collect so we can better protect children using our platform. We also continue to explore creative ways to educate players about online safety."
McCarthy also noted that the company identified a technical glitch in its systems that failed to delete children's accounts within 14 days that had not received parental consent. Microsoft initially held users' data for two weeks to make it easier for them to continue account creation if they were interrupted during the process. McCarthy says the glitch is fixed and no data was ever used, shared, or monetized.
The FTC says the proposed settlement must still be approved by a federal court before it can be finalized.