FTC Says Violations Stem From Xbox Live Registration Process
Microsoft will pay $20 million to settle a U.S. federal investigation into whether the computing giant violated children’s privacy protections during the Xbox Live registration process.
The Federal Trade Commission accused the company of a slew of infractions including, until 2019, automatically opting children’s accounts into accepting Microsoft promotional offers during the new account setup process before reaching a prompt for obtaining parental permission.
Until August 2021, the video game console registration process also asked children to enter additional information such as a telephone number before reaching the parental notification prompt. The agency says approximately 218,000 Xbox users in the United States self-identified as younger than 13 during the five-year period that ended in December 2021.
Until October 2020, Microsoft also indefinitely retained personal information, including from children, collected from approximately 10 million individuals who did not fully complete the new account registration process, the federal complaint states.
Online users younger than 13 are subject to the Children’s Online Privacy Protection Rule, or COPPA, a 1998 law that requires companies to obtain parental consent before they can collect data.
A proposed settlement that requires approval by a federal judge calls on Microsoft to delete children’s information from the account registration process within two weeks unless it has obtained parental consent.
“Our proposed order makes it easier for parents to protect their children’s privacy on Xbox and limits what information Microsoft can collect and retain about kids,” said Sam Levine, director of the FTC’s Bureau of Consumer Protection.
Within 60 days of the settlement going into effect, the company must also obtain parental consent for children’s accounts. The FTC says Microsoft’s disclosure notices to parents until April 2021 did not fully reveal all the information the computing giant intended to collect, including potentially images of children to display in their accounts.
The settlement also calls for Microsoft to delete all information collected from children within one year of an account suspension.
In an emailed statement, Microsoft said it is committed to complying with the settlement terms. “In addition to our existing multifaceted safety strategy, we also plan to develop next-generation identity and age validation – a convenient, secure, one-time process for all players that will allow us to better deliver customized, safe, age-appropriate experiences,” a company spokesperson said.*
*Update June 6, 2023 2:00 UTC: Adds statement from Microsoft.