The Federal Trade Commission (FTC) has required Microsoft to pay a $20 million fine for violating the Children’s Online Privacy Protection Act (COPPA). According to the press release, the FTC found that Microsoft violated COPPA by allegedly collecting and illegally retaining personal information from children through creating an Xbox Live Service account, without obtaining parental consent from 2015 to 2020. COPPA requires online services directed to children under 13 to “notify parents about the personal information they collect and to obtain verifiable parental consent before collecting and using any personal information collected from children.”
Additionally, the Department of Justice filed a proposed order on behalf of the FTC to require Microsoft to take several steps to strengthen privacy protections for its child users. The proposed order would require the company to:
- Inform parents who have not created a separate account for their child that doing so will provide additional privacy protections for their child by default;
- Obtain parental consent for accounts created before May 2021 if the account holder is still a child;
- Establish and maintain systems to delete, within two weeks from the collection date, all personal information that it collects from children for the purposes of obtaining parental consent if it has not obtained parental consent and to delete all other personal data collected from children after it is no longer necessary to fulfill the purpose for which it was collected; and
- Notify video game publishers when it discloses personal information from children that the user is a child, which will require the publishers to apply COPPA’s protections to that child.
The press release continues, stating that the order will also extend to “third-party gaming publishers with whom Microsoft shares children’s data.” Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, gave a statement on the FTC’s order and his hope on what it could bring to protect children on Microsoft services.
“Our proposed order makes it easier for parents to protect their children’s privacy on Xbox, and limits what information Microsoft can collect and retain about kids,” said Levine. “This action should also make it abundantly clear that kids’ avatars, biometric data, and health information are not exempt from COPPA.”
Dave McCarthy, Microsoft’s CVP of Xbox Player Service, gave a statement about the FTC’s order in a recent blog post, promising that Microsoft is “committed to complying with the order” to improve their safety measures. This is the latest in the FTC’s efforts in fining tech companies for violating the COPPA Act. Just last week the FTC filed a COPPA action against Amazon.