Microsoft will pay $20 million to settle Federal Trade Commission charges that it violated the Children’s Online Privacy Protection Act (COPPA) by collecting personal information from children who signed up to its Xbox gaming system without notifying their parents or obtaining their consent.
The proposed order aims to make it easier for parents to protect their children’s privacy on Xbox and limits what information Microsoft can collect and retain about kids. Microsoft will be required to take several steps to bolster privacy protections for child users of its Xbox system, such as extending COPPA protections to third-party gaming publishers with whom Microsoft shares children’s data. The order must be approved by a federal court before it can go into effect.
The COPPA Rule requires online services and websites directed to children under 13 to notify parents about the personal information they collect and to obtain verifiable parental consent before collecting and using any personal information collected from children. Microsoft violated the COPPA Rule’s notice, consent, and data retention requirements by not involving parents in the account creation process and retaining data for years.
Under the proposed order, Microsoft will be required to: inform parents who have not created a separate account for their child that doing so will provide additional privacy protections for their child by default; obtain parental consent for accounts created before May 2021 if the account holder is still a child; establish and maintain systems to delete all personal information collected from children within two weeks from the collection date; and, when it discloses personal information from children to video game publishers, notify those publishers that the user is a child, which will require the publishers to apply COPPA’s protections to that child.