Microsoft fined $20 million over children's data privacy violations

Microsoft has agreed to a settlement with the Federal Trade Commission (FTC) following an investigation into the illegal collection of data on children who had created Xbox accounts.

The company has been ordered to pay a hefty fine of $20 million and implement enhanced protections for child gamers.

The FTC's probe revealed various violations committed by Microsoft, including the failure to notify parents about its data collection policies. According to the Children's Online Privacy Protection Act, online services and websites catering to children must obtain parental consent and provide clear information on the collection of personal data pertaining to minors.

As part of the account setup process for Xbox, users are required to provide information such as their full name, email address and date of birth. However, the investigation uncovered that Microsoft had been negligent in obtaining parental consent, waiting until after collecting personal information, such as a child's phone number, before seeking permission.

Microsoft was found to have retained data from accounts created between 2015 and 2020, even if parents had not completed the consent process. The FTC highlighted that this data was sometimes stored for years. Furthermore, the company failed to tell parents the full extent of the data being collected, which included users' profile pictures, or that such data was being shared with third parties.

In response to the settlement, Dave McCarthy, Corporate Vice President of Xbox Player Services at Microsoft, expressed regret and commitment to meeting customer expectations. In an Xbox blog post, McCarthy stated, "Regrettably, we did not meet customer expectations and are committed to complying with the order to continue improving upon our safety measures. We believe that we can and should do more, and we'll remain steadfast in our commitment to safety, privacy and security for our community."

Apart from the financial penalty, Microsoft has been directed to implement additional safeguards for the protection of children. This includes establishing a system to delete all personal data within two weeks if parental consent is not obtained. However, the settlement order is subject to approval by a federal judge before it can take effect.

This recent settlement with Microsoft follows a similar action taken by the FTC against Amazon, which resulted in a $25 million fine for the retail giant. Amazon was found to have retained sensitive data, including voice recordings of children, for an extended period. Additionally, Amazon's subsidiary, Ring, agreed to a $5.8 million payout for allowing employees unrestricted access to customer data.
