Microsoft has agreed to pay a $20 million fine and change data privacy procedures for children to settle Federal Trade Commission (FTC) charges over Children's Online Privacy Protection Act (COPPA) violations.

COPPA is a U.S. federal law designed to protect the privacy of children under the age of 13 on the internet. When a child registers for an online account, it requires the operator to obtain parental consent, to give parents the ability to review the child's personal information and ask for its deletion, to let them refuse data collection, to implement security protections for the collected information, and more.

"COPPA imposes certain requirements on operators of websites or online services directed to children under 13 years of age, and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age," explains the COPPA rule.

According to the consumer protection agency, Microsoft allegedly collected and retained the personal information of children who had signed up for the Xbox Live service without requesting their parents' consent or even notifying them.

In some confirmed cases between 2015 and 2020, the FTC says Microsoft stored children's data on its servers for several years.

Court documents reveal that from January 2017 to December 2021, roughly 218,000 U.S.-based Xbox console users created Microsoft accounts by entering birth dates that indicated they were younger than 13 years old.

Although a self-reported birth date is a straightforward signal for identifying which Xbox users are protected by COPPA, the FTC alleges Microsoft did not take the actions the law requires, breaching multiple sections of it.

"Even when a user indicated that they were under 13, they were also asked, until late 2021, to provide additional personal information, including a phone number, and to agree to Microsoft's service agreement and advertising policy, which until 2019 included a pre-checked box allowing Microsoft to send promotional messages and to share user data with advertisers, according to the complaint," reads an FTC press release.

More details on the COPPA violations and the collected evidence can be found in the complaint, which the U.S. Department of Justice submitted on behalf of the FTC to the U.S. District Court of the Western District of Washington.

Apart from the monetary penalty, the FTC has proposed measures that the tech giant must adopt to ensure compliance with COPPA.

More specifically, Microsoft will now have to implement the following practices:

  • Inform parents of the additional privacy protections provided by creating a separate account for their child.
  • Obtain parental consent for accounts created before May 2021 if the account holder is still a child.
  • Delete all personal data of COPPA-protected users if it is no longer needed for providing the services that dictated the original collection.
  • Delete all user data stored on its systems that it collected without acquiring parental consent.
  • Delete COPPA-protected user data within two weeks from the collection date.
  • Extend COPPA protections to third-party gaming publishers who receive user data from Microsoft.
  • Extend COPPA protections to biometric and health information collected for creating avatars if that collection is combined with personally identifiable information.

While both parties have agreed to the settlement, it still requires the court's approval.

The FTC has recently taken action to highlight the importance of tech companies adhering to data privacy regulations, especially those handling sensitive data about underage users.

Last week, the agency fined Amazon $25 million for ignoring parents' requests to delete their children's data and continuing to use sensitive user information for training machine learning algorithms.
