The FTC fined Microsoft $20 million for illegally collecting and retaining the data of children when they signed up to its Xbox gaming system. In so doing, Microsoft violated the Children’s Online Privacy Protection Act (COPPA).
The COPPA Rule requires online services to notify parents when personal information is collected about children under the age of 13. When a child signed up for Xbox, they could do so without notifying their parents or obtaining their parents' consent. According to the FTC, Microsoft should have obtained "verifiable parental consent" before collecting any data in this situation, but failed to do so, and therefore violated the COPPA Rule’s notice, consent, and data retention requirements.
Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, said,
"Our proposed order makes it easier for parents to protect their children’s privacy on Xbox, and limits what information Microsoft can collect and retain about kids ... This action should also make it abundantly clear that kids’ avatars, biometric data, and health information are not exempt from COPPA."
As well as paying the fine, Microsoft must take the following actions:
Inform parents that creating a separate account for their child adds additional privacy protections (if they haven't done so already).
Obtain parental consent for accounts created before May 2021 if the account holder is still a child.
Implement a system that deletes the data collected from a child within two weeks if parental consent is not obtained, and delete that data if it is no longer necessary to fulfill the purpose for which it was collected.
Notify game publishers when disclosed personal data is from a child user.
In a blog post
Read more on pcmag.com