Microsoft to pay $20m for child privacy violations
Microsoft will pay $20m (£16m) to US federal regulators after it was found to have illegally collected data on children who had started Xbox accounts.
The Federal Trade Commission (FTC) reached a settlement with the company on Monday, which also includes increased protections for child gamers.
Among other violations, the FTC found that Microsoft failed to inform parents about its data collection policies.
It follows a similar action against Amazon last week over its Echo devices.
The FTC said Microsoft violated the Children’s Online Privacy Protection Act by not properly getting parental consent and by retaining personal data on children under 13 for longer than necessary for accounts created before 2021.
The law requires online services and websites directed towards children to obtain a parent’s consent and to inform the parent about personal data being collected about their child.
Xbox users must create an account to use certain services. Information such as full name, email address and date of birth are collected as part of the set up.
Not until after obtaining personal information, such as the child’s phone number, did Microsoft ask for a parent to provide permission.
From 2015 to 2020 Microsoft retained data “sometimes for years” from the account set up, even when a parent failed to complete the process, the FTC said in a statement.
The company also failed to inform parents about all the data it was collecting, including the user’s profile picture and that data was being distributed to third parties.
“Regrettably, we did not meet customer expectations and are committed to complying with the order to continue improving upon our safety measures,” Microsoft’s Dave McCarthy, CVP of Xbox Player Services, wrote in an Xbox blog post.
“We believe that we can and should do more, and we’ll remain steadfast in our commitment to safety, privacy, and security for our community.”
As part of the settlement, Microsoft must also institute new safety protections for children. That includes maintaining a system to delete all personal data after two weeks if no parental consent is obtained.
The order must be approved by a federal judge before it can go into effect.
Last week, Amazon agreed to pay $25m after the FTC found that it had retained sensitive data, including voice recordings of children, for years.
Amazon’s doorbell camera unit Ring also agreed to pay out $5.8m after giving employees unrestricted access to customers’ data.