The Federal Trade Commission just announced that Microsoft has been fined $20 million “over charges it illegally collected personal information from children who signed up for its Xbox gaming system without their parents’ consent”.
The ruling follows a larger one from December 2022, when Epic Games, developers of Fortnite, were hit with a $550 million fine for using “privacy-invasive default settings and deceptive interfaces that tricked Fortnite users, including teenagers and children”.
In this instance, the FTC says the issue centred around the creation of children’s accounts on an Xbox console, a process that until late 2021 would allow a child to enter a certain amount of personal information before requiring a parent’s assistance and permission. Microsoft had been keeping that data (sometimes for “years”), even if the account wasn’t created, which is a violation of the Children’s Online Privacy Protection Rule (COPPA).
Microsoft has already responded to the ruling in a post on the official Xbox blog, in which Dave McCarthy, CVP Xbox Player Services, describes the violation as the result of a “glitch” and says Microsoft will “continue improving” going forwards:
We recently entered into a settlement with the U.S. Federal Trade Commission (FTC) to update our account creation process and resolve a data retention glitch found in our system. Regrettably, we did not meet customer expectations and are committed to complying with the order to continue improving upon our safety measures. We believe that we can and should do more, and we’ll remain steadfast in our commitment to safety, privacy, and security for our community.
McCarthy goes on to explain the details of this “glitch”, and how it led to retention of children’s data despite this being “inconsistent with our policy to save that information for only 14 days”:
During the investigation, we identified a technical glitch where our systems did not delete account creation data for child accounts where the account creation process was started but not completed. This was inconsistent with our policy to save that information for only 14 days to make it easier for gamers to pick up where they left off to complete the process. Our engineering team took immediate action: we fixed the glitch, deleted the data, and implemented practices to prevent the error from recurring. The data was never used, shared, or monetized.
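The failure mode described in that statement, an unfinished sign-up that is never swept, is easy to enforce against directly. The following is an added example, not code from the article or from Microsoft: a detection check and a sweep applied to every incomplete sign-up record against the 14-day policy quoted above. The record fields, ids, personal-data values and the fixed reference time are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Retention window quoted in the statement above: 14 days for unfinished sign-ups.
RETENTION = timedelta(days=14)
# Constructed reference time so the sample data below is reproducible.
FIXED_NOW = datetime(2021, 10, 1, tzinfo=timezone.utc)


@dataclass
class SignupRecord:
    """Data captured during account creation (field names are hypothetical)."""
    record_id: str
    is_child: bool
    completed: bool
    started_at: datetime
    personal_info: dict = field(default_factory=dict)


def overdue(records, now):
    """Detection: ids of incomplete sign-ups held longer than RETENTION.

    Every unfinished record is checked, including flows that were simply
    abandoned; that is the path the statement says was never deleted.
    Completed accounts fall under the account's own rules and are skipped.
    """
    return sorted(r.record_id for r in records
                  if not r.completed and now - r.started_at > RETENTION)


def sweep(records, now):
    """Mitigation: drop overdue unfinished records; returns (kept, deleted_ids)."""
    doomed = set(overdue(records, now))
    kept = [r for r in records if r.record_id not in doomed]
    return kept, sorted(doomed)


def sample_records(now):
    """Constructed sample data, not real Xbox records."""
    def days_ago(n):
        return now - timedelta(days=n)
    return [
        SignupRecord("child-abandoned", True, False, days_ago(400), {"birthdate": "2012-03-04"}),
        SignupRecord("child-recent", True, False, days_ago(3), {"birthdate": "2013-09-09"}),
        SignupRecord("adult-abandoned", False, False, days_ago(20), {"email": "x@example.com"}),
        SignupRecord("child-finished", True, True, days_ago(400), {"gamertag": "constructed"}),
    ]


if __name__ == "__main__":
    # A non-empty result here is the alert condition: data held past policy.
    print(overdue(sample_records(FIXED_NOW), FIXED_NOW))
```

Running `overdue` on a schedule and alerting on a non-empty result is what would have surfaced the retention gap independently of the deletion job.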
The FTC’s statement, meanwhile, says:
Microsoft will pay $20 million to settle Federal Trade Commission charges that it violated the Children’s Online Privacy Protection Act (COPPA) by collecting personal information from children who signed up to its Xbox gaming system without notifying their parents or obtaining their parents’ consent, and by illegally retaining children’s personal information.
“Our proposed order makes it easier for parents to protect their children’s privacy on Xbox, and limits what information Microsoft can collect and retain about kids,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “This action should also make it abundantly clear that kids’ avatars, biometric data, and health information are not exempt from COPPA.”
As part of a proposed order filed by the Department of Justice on behalf of the FTC, Microsoft will be required to take several steps to bolster privacy protections for child users of its Xbox system. For example, the order will extend COPPA protections to third-party gaming publishers with whom Microsoft shares children’s data. In addition, the order makes clear that avatars generated from a child’s image, and biometric and health information, are covered by the COPPA Rule when collected with other personal data. The order must be approved by a federal court before it can go into effect.