Microsoft fined by the FTC for violating COPPA, mismanagement of child user data


Microsoft has received a hefty $20 million USD fine from the Federal Trade Commission after the agency found that Microsoft had violated the Children’s Online Privacy Protection Act (COPPA).

The violation involves new Xbox users under the age of 13, who were required to enter personal information such as their phone number when registering an account. While Xbox does have the usual spiel about “Agree if you’re over 13 or have a guardian agree”, at the time this consent check did not appear until the company had already collected some personal information. Microsoft even allegedly retained this data after the account was created.

Microsoft’s Xbox gaming products allow users to play and chat with other players through its Xbox Live service. To access and play games on an Xbox console or use any of the other Xbox Live features, users must create an account, which requires users to provide personal information including their first and last name, email address and their date of birth. Even when a user indicated that they were under 13, they were also asked, until late 2021, to provide additional personal information including a phone number and to agree to Microsoft’s service agreement and advertising policy, which until 2019 included a pre-checked box allowing Microsoft to send promotional messages and to share user data with advertisers, according to the complaint.

 

It wasn’t until after users provided this personal information that Microsoft required anyone who indicated they were under 13 to involve their parent. The child’s parent then had to complete the account creation process before the child could get their own account. According to the complaint, from 2015-2020 Microsoft retained the data—sometimes for years—that it collected from children during the account creation process, even when a parent failed to complete the process. COPPA prohibits retaining personal information about children for longer than is reasonably necessary to fulfill the purpose for which it was collected.

According to the FTC, this oversight had seemingly been fixed by late 2021. However, the damage was done: from 2015 to 2020, Microsoft allegedly had access to child user data without the informed consent of the user. Not only that, but the company could have sold the data or done anything it wanted with it. The FTC press release doesn’t go into detail about what (if anything) Microsoft did with the data.


About

A basement-dwelling ogre, Brandon's a fan of indie games and slice of life anime. Has too many games and not enough time.

