Microsoft fined $20m for violating online child protection laws

eurogamer.net:

Microsoft has been fined $20m by the FTC for violating the Children's Online Privacy Protection Act (COPPA).

The fine is in response to the collection of personal information from children via Xbox without parents being notified or giving consent, as well as the illegal retention of that information, the FTC has said.

As a result, Microsoft is required to make a number of changes to improve privacy protection for children on Xbox.

«Our proposed order makes it easier for parents to protect their children's privacy on Xbox, and limits what information Microsoft can collect and retain about kids,» said FTC Bureau of Consumer Protection boss Samuel Levine said.

«This action should also make it abundantly clear that kids' avatars, biometric data, and health information are not exempt from COPPA.»

In order to play games on an Xbox console, or access Xbox Live features, users must create an account and provide personal information. Until late 2021, even if a user indicated they were under 13, they were asked to provide additional personal information (like a phone number) and agree to Microsoft's service agreement. Only after this would parents be involved to complete the account creation.

According to the complaint, from 2015-2020 Microsoft retained this data, even if a parent failed to complete the process. This was considered a violation of COPPA's rules.

What's more, any information collected after an account is made and a gamertag assigned is combined with a unique persistent identifier which could be shared with third-party game and app developers. Parents were required to take additional steps to opt out of this for children.

Microsoft failed to fully comply with COPPA's notice provisions, according to the complaint.

An