Microsoft has reached a settlement with the Federal Trade Commission (FTC) regarding charges of violating the Children’s Online Privacy Protection Act (COPPA), agreeing to pay a $20 million fine and make changes to its data privacy procedures for children.
The FTC accused Microsoft of collecting and retaining personal information from children who signed up for Xbox Live without parental consent or notification, with some cases dating back to 2015. The court documents reveal that approximately 218,000 underage users created Microsoft accounts between January 2017 and December 2021. The FTC alleges that Microsoft did not take the necessary actions required by COPPA, breaching multiple sections of the law.
The COPPA law aims to protect the online privacy of children under 13 years old, requiring parental consent, the ability to review and delete personal information, and implementing security measures when registering for online accounts.
Microsoft’s alleged violations involved not seeking parental consent for children’s accounts and storing their data for an extended period without justification. The company also asked underage users for additional personal information, such as phone numbers, while including a pre-checked box to allow promotional messages and data sharing with advertisers. The FTC press release highlighted these issues.
As part of the settlement, Microsoft will implement new practices, including informing parents about separate accounts for children, obtaining parental consent for underage accounts created before May 2021, and deleting unnecessary personal data of COPPA-protected users.
Additionally, all user data collected without parental consent will be deleted, and COPPA protections will be extended to third-party gaming publishers receiving user data from Microsoft.
The settlement agreement is awaiting approval from the Court. This case further underscores the FTC’s recent efforts to emphasize the importance of tech companies complying with data privacy regulations, especially when it involves sensitive information from underage users.
