US technology giant Microsoft has been slapped with a $30 million fine after it was found to be illegally harvesting the data of children via their Xbox accounts.
The US Federal Trade Commission (FTC) announced the US$20 million (roughly $30 million) fine, saying that Microsoft violated the Children’s Online Privacy Protection Act (COPPA) by not obtaining parental approval before collecting Xbox account data from users under 13.
The issue arose in the account creation section of Xbox Live, the online Xbox service that allows users to play and chat with friends and requires them to provide personal information such as emails, first and last names, and dates of birth.
For users over 13, it would also request a phone number and ask them to agree to Microsoft’s advertising policy and service agreement.
In Microsoft’s case, children under 13 were asked to do the same.
“Even when a user indicated that they were under 13, they were also asked, until late 2021, to provide additional personal information, including a phone number, and to agree to Microsoft’s service agreement and advertising policy, which until 2019 included a pre-checked box allowing Microsoft to send promotional messages and to share user data with advertisers, according to the complaint,” FTC said.
Only after this step was a parent required in order to complete the account.
The FTC said that complaints notified them of the issue, which led them to find that data collected between 2015 and 2020 was held by Microsoft for years in some cases.
As a result, the FTC ruled that Microsoft was in breach of COPPA and issued the fine.
“Our proposed order makes it easier for parents to protect their children’s privacy on Xbox and limits what information Microsoft can collect and retain about kids,” said the FTC’s Bureau of Consumer Protection director Samuel Levine.
“This action should also make it abundantly clear that kids’ avatars, biometric data, and health information are not exempt from COPPA.”
In addition to the fine, the FTC has said that Microsoft will “be required to take several steps to bolster privacy protections for child users of its Xbox system”.
Microsoft will be required to notify parents who have not created a separate child account for their children that doing so will provide them with additional protections, and obtain consent from parents for accounts that were affected if the account holder is still under 13.
The company will also be required to develop a data deletion program that maintains and deletes data that was obtained to gain parental consent if consent was not granted, within two weeks of the collection date, and to also delete all personal data collected once it is no longer needed to fulfil its purpose.
Third-party video game publishers will also be required to apply COPPA’s protections to any child whose data is granted to them by Microsoft.