Microsoft is being fined $20 million by the US Federal Trade Commission for violating the Children’s Online Privacy Protection Act (COPPA) by illegally gathering kids’ personal information and retaining it without parental consent.
Along with paying the rather small fine (slightly more than a tenth of a percent of Microsoft’s most recent quarterly profit), the FTC is also requiring the company to update its account creation process for children to prevent collection and storage of data, and extend those responsibilities to third-party publishers that Microsoft shares such data with.
“Our proposed order makes it easier for parents to protect their children’s privacy on Xbox, and limits what information Microsoft can collect and retain about kids,” said FTC Bureau of Consumer Protection director Samuel Levine. The order will now be sent to a federal court for review and approval.
How Microsoft got the COPPA cops on its tail
According to the FTC, which is also currently prosecuting a case against Microsoft to quash its $69 billion bid to buy Activision Blizzard, Microsoft was mishandling children’s data from the moment they tried to sign up for an Xbox account.
Creating an Xbox account requires potential players to provide their first and last names, an email address, and a birth date. Phone numbers were also requested, even from those who indicated they were under 13, and until 2019 the sign-up form “included a pre-checked box allowing Microsoft to send promotional messages and to share user data with advertisers,” the FTC said.
Xbox users trying to create an account weren’t asked to involve a parent until after Microsoft collected all of that personally identifiable information. To make matters worse, the FTC alleged Microsoft didn’t follow COPPA rules prohibiting the storage of that information “for longer than is reasonably necessary to fulfill the purpose for which it was collected” when it failed to delete stored data if a parent didn’t finish the account creation process.
For children who did complete the process, Microsoft combined their gamertag and avatar into a unique persistent identifier that it could share with third parties, again in violation of COPPA. Microsoft also failed to comply with notice provisions in COPPA that required it to disclose to parents that such information was collected.
We fixed the glitch
Microsoft’s statement on the settlement includes a tacit admission that “we did not meet customer expectations and are committed to complying with the order to continue improving upon our safety measures,” Xbox Player Services CVP Dave McCarthy wrote.
McCarthy said Microsoft has updated its account creation process as required by the FTC settlement, and now requires players to first provide a date of birth, and receive parental permission to proceed as necessary, before providing any additional PII.
Microsoft is also going to retroactively require parental consent for children’s accounts created before May 2021, provided the account holder is still a minor. As to why it retained account creation data for children whose parents never finalized their accounts, Microsoft claimed it was due to a glitch.
“We identified a technical glitch where our systems did not delete account creation data for child accounts where the account creation process was started but not completed. This was inconsistent with our policy to save that information for only 14 days,” McCarthy said. Microsoft said it fixed the glitch when it was discovered, and that none of the data was used, shared or monetized.
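The two controls described above (collect the date of birth first and gate any further PII behind parental consent for under-13s, and purge incomplete sign-ups after 14 days) as an added illustration in Python; this is not Microsoft's code, and the in-memory store, function names and the 13-year threshold taken from COPPA are assumptions of the example.

```python
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta

COPPA_AGE = 13                  # under this age, verifiable parental consent is required
RETENTION = timedelta(days=14)  # stated policy for incomplete sign-up data (from the article)


@dataclass
class PendingSignup:
    birth_date: date
    started_at: datetime
    parent_consent: bool = False
    pii: dict = field(default_factory=dict)  # name, email, phone: only after the gate


def age_on(birth_date: date, today: date) -> int:
    """Whole years between birth_date and today (no birthday yet this year counts down)."""
    had_birthday = (today.month, today.day) >= (birth_date.month, birth_date.day)
    return today.year - birth_date.year - (0 if had_birthday else 1)


def start_signup(store: dict, signup_id: str, birth_date: date, now: datetime) -> bool:
    """Step 1: collect only the date of birth. Returns True if parental consent is needed."""
    store[signup_id] = PendingSignup(birth_date=birth_date, started_at=now)
    return age_on(birth_date, now.date()) < COPPA_AGE


def record_parent_consent(store: dict, signup_id: str) -> None:
    """Called once the parent has completed the consent flow (assumed to exist)."""
    store[signup_id].parent_consent = True


def add_pii(store: dict, signup_id: str, fields: dict, now: datetime) -> None:
    """Step 2: refuse any further PII for a child until a parent has consented."""
    s = store[signup_id]
    if age_on(s.birth_date, now.date()) < COPPA_AGE and not s.parent_consent:
        raise PermissionError("parental consent required before collecting PII")
    s.pii.update(fields)


def complete_signup(store: dict, signup_id: str) -> PendingSignup:
    """Finished accounts leave the pending store, so the purge job never sees them."""
    return store.pop(signup_id)


def purge_expired(store: dict, now: datetime) -> list:
    """Retention job: drop incomplete sign-ups older than RETENTION, whatever the age."""
    expired = [sid for sid, s in store.items() if now - s.started_at > RETENTION]
    for sid in expired:
        del store[sid]
    return expired
```

The purge job is the piece that the reported glitch would have skipped; running it on a schedule and checking that it returns the expected ids is the kind of test that catches such a regression.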
Microsoft is planning additional age validation technologies that will be rolled out over the coming months to “test new methods to validate age and take feedback from our customers’ experience,” McCarthy said.
Microsoft didn’t provide any details in its statement about what those new age verification methods may be. We have asked but were told it has nothing further to add. ®