Microsoft, the owner of the popular Xbox gaming brand, has agreed to pay the U.S. Federal Trade Commission (FTC) $20 million to settle charges that they violated the Children’s Online Privacy Protection Act (COPPA).
In a statement, the FTC said that the tech company violated children’s privacy rights when it collected the personal information of kids who had signed up for its Xbox gaming system without notifying their parents or obtaining their parents’ consent, and illegally retained children’s personal information.
The FTC also required Microsoft to strengthen protections for children.
“Our proposed order makes it easier for parents to protect their children’s privacy on Xbox and limits what information Microsoft can collect and retain about kids,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection.
“The action should also make it abundantly clear that kids’ avatars, biometric data, and health information are not exempt from COPPA,” he added.
Xbox, meanwhile, said that they were committed to complying with the order and that they have updated their account creation process and resolved a data retention glitch in their system.
Players must now identify their date of birth, and those below 13 years old must obtain verified parental consent before providing any information such as phone numbers or email addresses. Players under 13 years who had created an account before May 2021 will also be required to obtain parental reconsent to continue playing.
“Regrettably, we did not meet customer expectations and are committed to complying with the order to continue improving upon our safety measures,” wrote David McCarthy, CVP of Xbox Player Services, in a blog post, adding that the collected data was never monetized or shared.
Over the coming months, Xbox will also test new methods to validate a user’s age and gather customers’ feedback to inform advancements in their player identity systems, McCarthy said.
Microsoft is not the first company to settle with the FTC over alleged COPPA violations. In December 2022, developer Epic Games agreed to pay $275 million over concerns related to children’s privacy in Fortnite.
In response to increasing concerns over cybersecurity, particularly children’s safety in the digital world, Microsoft also launched an Xbox Gaming Safety Toolkit in May.
