The FTC has fined Microsoft $20 million for doing something illegal with Xbox

Microsoft and the U.S. Federal Trade Commission (FTC) will soon argue over the purchase of Activision Blizzard, but first they have to resolve another pending dispute. In a statement, the regulator announced that it fined Microsoft $20 million dollars for violating an important child protection law.

The FTC blames the tech giant for collecting information from children through Xbox. The problem is that the company did it for years without the consent of the users' parents and, in addition, illegally retained the information.

Microsoft violated child protection law with Xbox

According to the details, Microsoft violated the Children’s Online Privacy Protection Act (COPPA) by collecting and maintaining the information of minors who registered in the Xbox ecosystem.

COPPA requires services and sites that target children under 13 to notify parents and guardians about the information being collected. The problem for Microsoft arose with Xbox accounts, as at the time of creating them a user must provide their personal information and agree to a service agreement.

The issue is that, until the end of 2021, Microsoft required such data from all users, even those who indicated that they were under 13 years old. Moreover, it was until later that the company required adult supervision to create an account.

On the other hand, we know that Microsoft collected and retained minors' information at least between 2015 and 2020. This conflicted with another company practice: sharing its users' information with third-party app and game developers.

FTC will require Microsoft to pay $20 million over charges it illegally collected personal information from children who signed up for its Xbox gaming system without their parents’ consent: https://t.co/kgm0wFp2zG /1 #privacy

— FTC (@FTC) June 5, 2023

FTC demands changes to Xbox data handling

In addition to the fine, Microsoft will have to make a few adjustments to the handling of minors' data in the Xbox ecosystem. For starters, it will have to inform parents or guardians about the ability to create dedicated accounts for minors that will provide additional privacy measures.

The company will also have to get parental consent for all accounts created before May 2021 if the account holder is still a minor. On the other hand, it will have to implement a system to delete minors' information within 2 weeks of collection.

Finally, it will have to be transparent when sharing information with third parties and clarify that the data are of minors. In this way, the company's partners will also adhere to COPPA.